Choosing an Authentication Method
API Gateway supports multiple authentication methods that are suited to different applications and use cases. API Gateway uses the authentication method that you specify in your service configuration to validate incoming requests before passing them to your API backend. This page provides an overview for each supported authentication method in API Gateway.
API keys
An API key is a simple string that identifies a Google Cloud project for quota, billing, and monitoring purposes. A developer generates an API key in a project in the Google Cloud console and embeds that key in every call to your API as a query parameter or in a request header.
Use case
To use API Gateway features such as quotas, you can pass in an API key so that API Gateway can identify the Google Cloud project that the client application is associated with. For more information, see Using API Keys.
Service accounts
To identify a service that sends requests to your API, you use a service account. The calling service uses the service account's private key to sign a secure JSON Web Token (JWT) and sends the signed JWT in the request to your API.
Use case
JWTs and service accounts are well suited for microservices. For more information, see Authentication between services.
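The following OpenAPI 2.0 API config is an added example, not part of the original page, showing how the two methods described above are declared in a service configuration and attached to individual operations. The API title, paths, and operation IDs are hypothetical, and BACKEND_URL, SA_EMAIL, and AUDIENCE are placeholders to replace with your own values.

```yaml
# Added example: OpenAPI 2.0 API config for API Gateway.
# Upper-case values (BACKEND_URL, SA_EMAIL, AUDIENCE) are placeholders.
swagger: "2.0"
info:
  title: example-api            # hypothetical API name
  version: "1.0.0"
schemes:
  - https
produces:
  - application/json
x-google-backend:
  address: https://BACKEND_URL  # backend that receives validated requests
securityDefinitions:
  # API key: identifies the calling Google Cloud project
  # (quota, billing, monitoring). Sent here as the "key" query parameter.
  api_key:
    type: apiKey
    name: key
    in: query
  # Service account: the caller signs a JWT with the service account's
  # private key; the gateway checks issuer, audience, and signature.
  service_account_jwt:
    type: oauth2
    flow: implicit
    authorizationUrl: ""
    x-google-issuer: SA_EMAIL
    x-google-jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/SA_EMAIL
    x-google-audiences: AUDIENCE
paths:
  /reports:                     # hypothetical path, API key required
    get:
      operationId: listReports
      security:
        - api_key: []
      responses:
        "200":
          description: OK
  /internal/sync:               # hypothetical path, service account JWT required
    post:
      operationId: syncData
      security:
        - service_account_jwt: []
      responses:
        "200":
          description: OK
```

The API key on `/reports` tells the gateway which project a call belongs to, while the JWT on `/internal/sync` identifies the calling service itself.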
Last updated 2026-02-19 UTC.