Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
Authorization requires the following IAM permission on the specified resource name:
iam.serviceAccounts.getOpenIdToken
Request body
The request body contains data with the following structure:
The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.
The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
audience
string
Required. The audience for the token, such as the API or account that this token grants access to.
includeEmail
boolean
Include the service account email in the token. If set to true, the token will contain email and email_verified claims.
organizationNumberIncluded
boolean
Include the organization number of the service account in the token. If set to true, the token will contain a google.organization_number claim. The value of the claim will be null if the service account isn't associated with an organization.
Response body
If successful, the response body contains data with the following structure:
JSON representation
{"token": string}
Fields
token
string
The OpenId Connect ID token.
The token is a JSON Web Token (JWT) that contains a payload with claims. See the JSON Web Token spec for more information. Here is an example of a decoded JWT payload:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-05-21 UTC."],[[["\u003cp\u003eThis API generates an OpenID Connect ID token for a specified service account using a \u003ccode\u003ePOST\u003c/code\u003e request to the provided URL.\u003c/p\u003e\n"],["\u003cp\u003eThe request requires the service account's resource name in the \u003ccode\u003ename\u003c/code\u003e parameter within the URL, formatted as \u003ccode\u003eprojects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eThe request body must include the \u003ccode\u003eaudience\u003c/code\u003e for the token, and it can optionally include a delegation chain via \u003ccode\u003edelegates\u003c/code\u003e and whether to include the email via \u003ccode\u003eincludeEmail\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eA successful response returns a JSON body containing the \u003ccode\u003etoken\u003c/code\u003e, which is the OpenID Connect ID token.\u003c/p\u003e\n"],["\u003cp\u003eAuthorization requires either the \u003ccode\u003ehttps://www.googleapis.com/auth/iam\u003c/code\u003e or \u003ccode\u003ehttps://www.googleapis.com/auth/cloud-platform\u003c/code\u003e OAuth scope.\u003c/p\u003e\n"]]],[],null,[]]
