Using query parameters and headers

This page describes how to use Identity-Aware Proxy (IAP) query parameters and headers to enhance your application UI or provide troubleshooting options.

Query Parameters

Different actions can be performed by setting the parameter gcp-iap-mode in the URL query string. These query parameters can be included with any path, not just the root URL.

Passing user identity

Passing the following parameter value returns a JSON dictionary with the user's identity:

YOUR_APP_URL?gcp-iap-mode=IDENTITY

This is available from any signed-in Google account, even if the account doesn't have access to the app. You can navigate to the URL directly or you can reference it to make requests to the URL. Following is an example value returned by the URL:

{"email":"accounts.google.com:USER_EMAIL","sub":"accounts.google.com:118133858486581853996"}

You might find this value useful to personalize your app, such as by displaying the user's name, to pass identity to another page, or capture usage data in logs.

Clearing user login

The following parameter value clears the IAP login cookie:

YOUR_APP_URL?gcp-iap-mode=CLEAR_LOGIN_COOKIE

Passing this parameter clears all the IAP-issued cookies for your app and navigates the browser to YOUR_APP_URL. If your browser has a valid session with the identity provider (IdP) of your app, a silent sign-in might happen when there is only one account in use with the IdP. If there are multiple accounts in use, an account selection page opens to allow profile switching.

Testing JWT verification

IAP helps you test your JWT verification logic by passing invalid JWTs to testing webpages.

For example, IAP passes a JWT with an invalid signature for any request that contains the query parameters gcp-iap-mode=SECURE_TOKEN_TEST and iap-secure-token-test-type=SIGNATURE. Your verification logic should catch the invalid signature.

You can test your verification logic against any of the following scenarios by appending the appropriate parameters to a request.

Parameters | Test case
?gcp-iap-mode=SECURE_TOKEN_TEST&iap-secure-token-test-type=NOT_SET | A valid JWT.
?gcp-iap-mode=SECURE_TOKEN_TEST&iap-secure-token-test-type=FUTURE_ISSUE | Issue date is set in the future.
?gcp-iap-mode=SECURE_TOKEN_TEST&iap-secure-token-test-type=PAST_EXPIRATION | Expiration date is set in the past.
?gcp-iap-mode=SECURE_TOKEN_TEST&iap-secure-token-test-type=ISSUER | Incorrect issuer.
?gcp-iap-mode=SECURE_TOKEN_TEST&iap-secure-token-test-type=AUDIENCE | Incorrect audience.
?gcp-iap-mode=SECURE_TOKEN_TEST&iap-secure-token-test-type=SIGNATURE | Signed using an incorrect signer.
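
The following added example (not part of the original page or of Google's samples) shows the verdict a verifier should return for each test type above. It runs offline: the tokens are constructed locally, HMAC-SHA256 stands in for IAP's ES256 signature, and the keys, the audience placeholder, the 30-second skew and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://cloud.google.com/iap"                # issuer expected in IAP JWTs
AUDIENCE = "/projects/PROJECT_NUMBER/apps/PROJECT_ID"  # placeholder audience
KEY, WRONG_KEY = b"constructed-key", b"other-signer"   # constructed test keys
SKEW = 30                                              # tolerated clock skew, seconds (assumption)
TEST_TYPES = ("NOT_SET", "FUTURE_ISSUE", "PAST_EXPIRATION", "ISSUER", "AUDIENCE", "SIGNATURE")

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(key, signing_input):
    # HMAC-SHA256 stands in for IAP's asymmetric signature so this runs offline
    return _b64(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def make_token(test_type, now):
    """Build a constructed token carrying the defect the table lists for test_type."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "iat": now - 10, "exp": now + 600}
    defects = {"FUTURE_ISSUE": {"iat": now + 3600}, "PAST_EXPIRATION": {"exp": now - 3600},
               "ISSUER": {"iss": "https://issuer.invalid"}, "AUDIENCE": {"aud": "/projects/0/apps/other"}}
    claims.update(defects.get(test_type, {}))
    signing_input = ".".join(_b64(json.dumps(part).encode()) for part in ({"alg": "HS256"}, claims))
    return signing_input + "." + _sign(WRONG_KEY if test_type == "SIGNATURE" else KEY, signing_input)

def verify(token, now):
    """Return None when the token is acceptable, otherwise the rejection reason."""
    try:
        head, body, sig = token.split(".")
        # Check the signature before trusting any claim in the payload
        if not hmac.compare_digest(sig, _sign(KEY, head + "." + body)):
            return "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        checks = (("wrong issuer", claims["iss"] != ISSUER),
                  ("wrong audience", claims["aud"] != AUDIENCE),
                  ("issued in the future", claims["iat"] > now + SKEW),
                  ("expired", claims["exp"] < now - SKEW))
    except (ValueError, KeyError, TypeError, AttributeError):
        return "malformed token"
    return next((reason for reason, failed in checks if failed), None)

def run_matrix(now=None):
    """Map each iap-secure-token-test-type value to the verifier's verdict."""
    now = int(now if now is not None else time.time())
    return {t: verify(make_token(t, now), now) for t in TEST_TYPES}

if __name__ == "__main__":
    for test_type, verdict in run_matrix().items():
        print(f"{test_type:16} {'accepted' if verdict is None else 'rejected: ' + verdict}")
```

Against a real deployment, the same matrix applies to the JWT your application receives when each parameter pair is appended to a request: only NOT_SET should be accepted.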

Special headers

Detecting responses from IAP

When IAP generates an HTTP response, such as when it denies access (403) or requests authentication (302 or 401), it adds the X-Goog-IAP-Generated-Response HTTP response header. By detecting the presence of this header, you can perform actions like:

  • Distinguish between error messages generated by IAP and error messages generated by your application.

  • Detect when IAP credentials need to be added to a request.


Last updated 2025-12-15 UTC.