Google Auth Library for PHP
Description
This is Google's officially supported PHP client library for using OAuth 2.0 authorization and authentication with Google APIs.
Installing via Composer
The recommended way to install the google auth library is through Composer.

```bash
# Install Composer
curl -sS https://getcomposer.org/installer | php
```

Next, run the Composer command to install the latest stable version:

```bash
composer.phar require google/auth
```

Application Default Credentials
This library provides an implementation of Application Default Credentials (ADC) for PHP.
Application Default Credentials provides a simple way to get authorization credentials for use in calling Google APIs, and is the recommended approach to authorize calls to Cloud APIs.
Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.
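One way to apply that validation to a workload identity federation configuration before it reaches the library, as an added example that is not part of this library or its documentation. The helper name, the accepted `type`, the allowed hosts and the token file path are assumptions that stand in for your own policy.

```php
<?php
// Added example. validateExternalAccountConfig() is a hypothetical helper, and
// the accepted type, hosts and token path are this example's policy assumptions.
const ALLOWED_HOSTS = [
    'token_url' => 'sts.googleapis.com',
    'service_account_impersonation_url' => 'iamcredentials.googleapis.com',
];
const ALLOWED_TOKEN_FILE = '/var/run/secrets/oidc/token'; // constructed path

function validateExternalAccountConfig(string $json): array
{
    $config = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($config) || ($config['type'] ?? null) !== 'external_account'
        || !isset($config['token_url'])) {
        throw new InvalidArgumentException('Unexpected type or missing token_url');
    }
    // The library sends tokens to these URLs, so pin scheme and host exactly.
    foreach (ALLOWED_HOSTS as $field => $host) {
        if (!isset($config[$field])) {
            continue; // service account impersonation is optional
        }
        $url = is_string($config[$field]) ? (parse_url($config[$field]) ?: []) : [];
        if (($url['scheme'] ?? '') !== 'https' || ($url['host'] ?? '') !== $host
            || isset($url['user']) || isset($url['port'])) {
            throw new InvalidArgumentException("Untrusted $field");
        }
    }
    // credential_source tells the library where to read the subject token.
    // Accept one known file; refuse url, executable and any other source.
    $source = $config['credential_source'] ?? null;
    if (!is_array($source) || array_diff(array_keys($source), ['file', 'format'])
        || ($source['file'] ?? null) !== ALLOWED_TOKEN_FILE) {
        throw new InvalidArgumentException('Untrusted credential_source');
    }
    return $config;
}

// Constructed input: the impersonation URL points at a host outside the allowlist.
$untrusted = json_encode([
    'type' => 'external_account',
    'token_url' => 'https://sts.googleapis.com/v1/token',
    'service_account_impersonation_url' => 'https://iamcredentials.example.net/v1/x',
    'credential_source' => ['file' => ALLOWED_TOKEN_FILE],
]);
try {
    validateExternalAccountConfig($untrusted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Only the array returned by the validator should be passed on to a credentials class; malformed JSON surfaces as a `JsonException` and should be treated as a rejection as well.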
Set up ADC
To use ADC, you must set it up by providing credentials. How you set up ADC depends on the environment where your code is running, and whether you are running code in a test or production environment.
For more information, see Set up Application Default Credentials.
Enable the API you want to use
Before making your API call, you must be sure the API you're calling has been enabled. Go to APIs & Auth > APIs in the Google Developers Console and enable the APIs you'd like to call. For the example below, you must enable the Drive API.
Call the APIs
As long as you update the environment variable below to point to your JSON credentials file, the following code should output a list of your Drive files.

```php
use Google\Auth\ApplicationDefaultCredentials;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// specify the path to your application credentials
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');

// define the scopes for your API call
$scopes = ['https://www.googleapis.com/auth/drive.readonly'];

// create middleware
$middleware = ApplicationDefaultCredentials::getMiddleware($scopes);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
    'handler' => $stack,
    'base_uri' => 'https://www.googleapis.com',
    'auth' => 'google_auth' // authorize all requests
]);

// make the request
$response = $client->get('drive/v2/files');

// show the result!
print_r((string) $response->getBody());
```

Guzzle 5 Compatibility
If you are using Guzzle 5, replace the "create middleware" and "create the HTTP client" steps with the following:

```php
// create the HTTP client
$client = new Client([
    'base_url' => 'https://www.googleapis.com',
    'auth' => 'google_auth' // authorize all requests
]);

// create subscriber
$subscriber = ApplicationDefaultCredentials::getSubscriber($scopes);
$client->getEmitter()->attach($subscriber);
```

Call using an ID Token
If your application is running behind Cloud Run, or using Cloud Identity-Aware Proxy (IAP), you will need to fetch an ID token to access your application. For this, use the static method getIdTokenMiddleware on ApplicationDefaultCredentials.

```php
use Google\Auth\ApplicationDefaultCredentials;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// specify the path to your application credentials
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');

// Provide the ID token audience. This can be a Client ID associated with an IAP application,
// Or the URL associated with a CloudRun App
//    $targetAudience = 'IAP_CLIENT_ID.apps.googleusercontent.com';
//    $targetAudience = 'https://service-1234-uc.a.run.app';
$targetAudience = 'YOUR_ID_TOKEN_AUDIENCE';

// create middleware
$middleware = ApplicationDefaultCredentials::getIdTokenMiddleware($targetAudience);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
    'handler' => $stack,
    'auth' => 'google_auth',
    // Cloud Run, IAP, or custom resource URL
    'base_uri' => 'https://YOUR_PROTECTED_RESOURCE',
]);

// make the request
$response = $client->get('/');

// show the result!
print_r((string) $response->getBody());
```

For invoking Cloud Run services, your service account will need the Cloud Run Invoker IAM permission.
For invoking Cloud Identity-Aware Proxy, you will need to pass the Client ID used when you set up your protected resource as the target audience. See how to secure your IAP app with signed headers.
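The receiving side of that signed-header check, as an added example that is not taken from the library's documentation: the protected application verifies the JWT that IAP forwards, pins the expected audience, and refuses the request on any failure. The helper name `verifyIapAssertion` is hypothetical and the audience string is a placeholder for your own IAP resource.

```php
<?php
// Added example. verifyIapAssertion() is a hypothetical helper; the audience
// below is a placeholder for your own IAP-protected resource.
require 'vendor/autoload.php';

use Google\Auth\AccessToken;

const EXPECTED_AUDIENCE = '/projects/PROJECT_NUMBER/apps/PROJECT_ID'; // placeholder

/**
 * Returns the verified claims, or null when the request must be refused.
 */
function verifyIapAssertion(array $server, AccessToken $auth): ?array
{
    // IAP forwards its signed JWT in the x-goog-iap-jwt-assertion header.
    $jwt = $server['HTTP_X_GOOG_IAP_JWT_ASSERTION'] ?? '';
    if ($jwt === '') {
        return null; // the request did not pass through IAP
    }
    try {
        $claims = $auth->verify($jwt, [
            'certsLocation' => AccessToken::IAP_CERT_URL, // IAP signing keys
            'audience' => EXPECTED_AUDIENCE, // refuse tokens issued for other resources
            'throwException' => true,        // surface the reason instead of false
        ]);
    } catch (\Exception $e) {
        error_log('IAP assertion rejected: ' . $e->getMessage());
        return null;
    }
    return is_array($claims) ? $claims : null;
}

$claims = verifyIapAssertion($_SERVER, new AccessToken());
if ($claims === null) {
    http_response_code(401);
    exit('Unauthorized');
}
// Take the caller's identity from the verified claims only.
$userEmail = $claims['email'] ?? null;
```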
Call using a specific JSON key
If you want to use a specific JSON key instead of using the GOOGLE_APPLICATION_CREDENTIALS environment variable, you can do this:

```php
use Google\Auth\Cache\MemoryCacheItemPool;
use Google\Auth\Credentials\ServiceAccountCredentials;
use Google\Auth\Credentials\UserRefreshCredentials;
use Google\Auth\FetchAuthTokenCache;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// Define the Google Application Credentials array
$jsonKey = ['key' => 'value'];

// define the scopes for your API call
$scopes = ['https://www.googleapis.com/auth/drive.readonly'];

// Load credentials from JSON containing service account credentials.
$creds = new ServiceAccountCredentials($scopes, $jsonKey);

// For other credentials types, create those classes explicitly using the
// "type" field in the JSON key, for example:
$creds = match ($jsonKey['type']) {
    'service_account' => new ServiceAccountCredentials($scopes, $jsonKey),
    'authorized_user' => new UserRefreshCredentials($scopes, $jsonKey),
    default => throw new InvalidArgumentException('This application only supports service account and user account credentials'),
};

// optional caching: any PSR-6 pool works; an empty config keeps the defaults
$cacheConfig = [];
$cache = new MemoryCacheItemPool();
$creds = new FetchAuthTokenCache($creds, $cacheConfig, $cache);

// create middleware
$middleware = new AuthTokenMiddleware($creds);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
    'handler' => $stack,
    'base_uri' => 'https://www.googleapis.com',
    'auth' => 'google_auth' // authorize all requests
]);

// make the request
$response = $client->get('drive/v2/files');

// show the result!
print_r((string) $response->getBody());
```

Call using Proxy-Authorization Header
If your application is behind a proxy such as Google Cloud IAP, and your application occupies the Authorization request header, you can include the ID token in a Proxy-Authorization: Bearer header instead. If a valid ID token is found in a Proxy-Authorization header, IAP authorizes the request with it. After authorizing the request, IAP passes the Authorization header to your application without processing the content. For this, use the static method getProxyIdTokenMiddleware on ApplicationDefaultCredentials.

```php
use Google\Auth\ApplicationDefaultCredentials;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// specify the path to your application credentials
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');

// Provide the ID token audience. This can be a Client ID associated with an IAP application
//    $targetAudience = 'IAP_CLIENT_ID.apps.googleusercontent.com';
$targetAudience = 'YOUR_ID_TOKEN_AUDIENCE';

// create middleware
$middleware = ApplicationDefaultCredentials::getProxyIdTokenMiddleware($targetAudience);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
    'handler' => $stack,
    'auth' => ['username', 'pass'], // auth option handled by your application
    'proxy_auth' => 'google_auth',
]);

// make the request
$response = $client->get('/');

// show the result!
print_r((string) $response->getBody());
```

External credentials (Workload identity federation)
Using workload identity federation, your application can access Google Cloud resources from Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC).
Traditionally, applications running outside Google Cloud have used service account keys to access Google Cloud resources. Using identity federation, you can allow your workload to impersonate a service account. This lets you access Google Cloud resources directly, eliminating the maintenance and security burden associated with service account keys.
Follow the detailed instructions on how to Configure Workload Identity Federation.
Verifying JWTs
If you are using Google ID tokens to authenticate users, use the Google\Auth\AccessToken class to verify the ID token:

```php
use Google\Auth\AccessToken;

$auth = new AccessToken();
$auth->verify($idToken);
```

If your app is running behind Google Identity-Aware Proxy (IAP), you can verify the ID token coming from the IAP server by pointing to the appropriate certificate URL for IAP. This is because IAP signs the ID tokens with a different key than the Google Identity service:

```php
use Google\Auth\AccessToken;

$auth = new AccessToken();
$auth->verify($idToken, [
    'certsLocation' => AccessToken::IAP_CERT_URL
]);
```

Caching
Caching is enabled by passing a PSR-6 CacheItemPoolInterface instance to the constructor when instantiating the credentials.
We offer some caching classes out of the box under the Google\Auth\Cache namespace.

```php
use Google\Auth\ApplicationDefaultCredentials;
use Google\Auth\Cache\MemoryCacheItemPool;

// define the scopes for your API call
$scope = ['https://www.googleapis.com/auth/drive.readonly'];

// Cache Instance
$memoryCache = new MemoryCacheItemPool;

// Get the credentials
// From here, the credentials will cache the access token
$credentials = ApplicationDefaultCredentials::getCredentials($scope, cache: $memoryCache);
```

FileSystemCacheItemPool Cache
The FileSystemCacheItemPool class is a PSR-6 compliant cache that stores its serialized objects on disk, caching data between processes and making it possible to use data between different requests.

```php
use Google\Auth\Cache\FileSystemCacheItemPool;
use Google\Auth\ApplicationDefaultCredentials;

// define the scopes for your API call
$scope = ['https://www.googleapis.com/auth/drive.readonly'];

// Create a Cache pool instance
$cache = new FileSystemCacheItemPool(__DIR__ . '/cache');

// Pass your Cache to the Auth Library
$credentials = ApplicationDefaultCredentials::getCredentials($scope, cache: $cache);

// This token will be cached and be able to be used for the next request
$token = $credentials->fetchAuthToken();
```

Integrating with a third party cache
You can use any third-party cache of your choice that follows the PSR-6 interface.

```php
// run "composer require symfony/cache"
use Google\Auth\ApplicationDefaultCredentials;
use Symfony\Component\Cache\Adapter\FilesystemAdapter;

// define the scopes for your API call
$scope = ['https://www.googleapis.com/auth/drive.readonly'];

// Create the cache instance
$filesystemCache = new FilesystemAdapter();

// Get the credentials
$credentials = ApplicationDefaultCredentials::getCredentials($scope, cache: $filesystemCache);
```

License
This library is licensed under Apache 2.0. Full license text is available in COPYING.
Contributing
See CONTRIBUTING.
Support
Please report bugs at the project on GitHub. Don't hesitate to ask questions about the client or APIs on StackOverflow.
Last updated 2026-02-04 UTC.