The App Identity API lets an application discover its application ID (alsocalled theproject ID). Usingthe ID, an App Engine application can assert its identity to other App EngineApps, Google APIs, and third-party applications and services. Theapplication ID can also be used to generate a URL or email address, or to makea run-time decision.

Getting the project ID

The project ID can be found using theappengine.AppID function.

Getting the application hostname

By default, App Engine apps are served from URLs in the formhttps://PROJECT_ID.REGION_ID.r.appspot.com, where the project ID is part of the hostname.If an app is served from a custom domain, it may be necessary to retrieve theentire hostname component. You can do this using theappengine.DefaultVersionHostname function.

Asserting identity to other App Engine apps

If you want to determine the identity of the App Engine app that is making arequest to your App Engine app, you can use the request headerX-Appengine-Inbound-Appid. This header is added to the request by the URLFetchservice and is not user modifiable, so it safely indicates the requestingapplication's project ID, if present.

Requirements:

• Only calls made to your app'sappspot.com domain will containtheX-Appengine-Inbound-Appid header. Calls to custom domainsdo not contain the header.

In your application handler, you can check the incoming ID by reading theX-Appengine-Inbound-Appid header and comparing it to a list of IDs allowedto make requests.

Asserting identity to Google APIs

Google APIs use the OAuth 2.0 protocol forauthentication andauthorization. TheApp Identity API can create OAuth tokens that can be used to assert that thesource of a request is the application itself. Theappengine.AccessToken function returns anaccess token for a scope, or list of scopes. This token can then be set in theHTTP headers of a call to identify the calling application.

Note: TheGoogle API Client Libraries can also manage much of this for you automatically.

Note that the application's identity is represented by the service account name,which is typicallyapplicationid@appspot.gserviceaccount.com. You can get theexact value by using theappengine.ServiceAccount function. For services which offerACLs, you can grant the application access by granting this account access.

Asserting identity to third-party services

The token generated byappengine.AccessToken function only works against Google services.However you can use the underlying signing technology to assert the identity ofyour application to other services. Theappengine.SignBytes function will sign bytes using aprivate key unique to your application, and theappengine.PublicCertificates function willreturn certificates which can be used to validate the signature.

Note: The certificates may be rotated from time to time, and the method mayreturn multiple certificates. Only certificates that are currently valid arereturned; if you store signed messages you will need additional key managementin order to verify signatures later.

Getting the default Cloud Storage Bucket name

Each application can have one default Cloud Storage bucket, whichincludes5GB of free storage and a free quota for I/O operations.

To get the name of the default bucket, you can use the App Identity API. CallDefaultBucketName.