Class ServiceAccountJwtAccessCredentials (1.18.0) 

publicclass ServiceAccountJwtAccessCredentialsextendsCredentialsimplementsJwtProvider,ServiceAccountSigner,QuotaProjectIdProvider

Service Account credentials for calling Google APIs using a JWT directly for access.

Uses a JSON Web Token (JWT) directly in the request metadata to provide authorization.

Inheritance

Object > Credentials > ServiceAccountJwtAccessCredentials

Static Methods

fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId)

publicstaticServiceAccountJwtAccessCredentialsfromPkcs8(StringclientId,StringclientEmail,StringprivateKeyPkcs8,StringprivateKeyId)

Factory using PKCS#8 for the private key.

Parameters
Name Description
clientId String

Client ID of the service account from the console. May be null.
clientEmail String

Client email address of the service account from the console.
privateKeyPkcs8 String

RSA private key object for the service account in PKCS#8 format.
privateKeyId String

Private key identifier for the service account. May be null.
Returns
Type Description
ServiceAccountJwtAccessCredentials

New ServiceAccountJwtAcceessCredentials created from a private key.
Exceptions
Type Description
IOException

if the credential cannot be created from the private key.

fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, URI defaultAudience)

publicstaticServiceAccountJwtAccessCredentialsfromPkcs8(StringclientId,StringclientEmail,StringprivateKeyPkcs8,StringprivateKeyId,URIdefaultAudience)

Factory using PKCS#8 for the private key.

Parameters
Name Description
clientId String

Client ID of the service account from the console. May be null.
clientEmail String

Client email address of the service account from the console.
privateKeyPkcs8 String

RSA private key object for the service account in PKCS#8 format.
privateKeyId String

Private key identifier for the service account. May be null.
defaultAudience URI

Audience to use if not provided by transport. May be null.
Returns
Type Description
ServiceAccountJwtAccessCredentials

New ServiceAccountJwtAcceessCredentials created from a private key.
Exceptions
Type Description
IOException

if the credential cannot be created from the private key.

fromStream(InputStream credentialsStream)

publicstaticServiceAccountJwtAccessCredentialsfromStream(InputStreamcredentialsStream)

Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.

Parameter
Name Description
credentialsStream InputStream

the stream with the credential definition.
Returns
Type Description
ServiceAccountJwtAccessCredentials

the credential defined by the credentialsStream.
Exceptions
Type Description
IOException

if the credential cannot be created from the stream.

fromStream(InputStream credentialsStream, URI defaultAudience)

publicstaticServiceAccountJwtAccessCredentialsfromStream(InputStreamcredentialsStream,URIdefaultAudience)

Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.

Parameters
Name Description
credentialsStream InputStream

the stream with the credential definition.
defaultAudience URI

Audience to use if not provided by transport. May be null.
Returns
Type Description
ServiceAccountJwtAccessCredentials

the credential defined by the credentialsStream.
Exceptions
Type Description
IOException

if the credential cannot be created from the stream.

newBuilder()

publicstaticServiceAccountJwtAccessCredentials.BuildernewBuilder()
Returns
Type Description
ServiceAccountJwtAccessCredentials.Builder

Methods

equals(Object obj)

publicbooleanequals(Objectobj)
Parameter
Name Description
obj Object
Returns
Type Description
boolean
Overrides

getAccount()

publicStringgetAccount()

Returns the service account associated with the signer.

Returns
Type Description
String

getAuthenticationType()

publicStringgetAuthenticationType()

A constant string name describing the authentication technology.

E.g. "OAuth2", "SSL". For use by the transport layer to determine whether it supports the type of authentication in the case where Credentials#hasRequestMetadataOnly is false. Also serves as a debugging helper.

Returns
Type Description
String
Overrides

getClientEmail()

publicfinalStringgetClientEmail()
Returns
Type Description
String

getClientId()

publicfinalStringgetClientId()
Returns
Type Description
String

getPrivateKey()

publicfinalPrivateKeygetPrivateKey()
Returns
Type Description
PrivateKey

getPrivateKeyId()

publicfinalStringgetPrivateKeyId()
Returns
Type Description
String

getQuotaProjectId()

publicStringgetQuotaProjectId()
Returns
Type Description
String

getRequestMetadata(URI uri)

publicMap<String,List<String>>getRequestMetadata(URIuri)

Provide the request metadata by putting an access JWT directly in the metadata.

Parameter
Name Description
uri URI
Returns
Type Description
Map<String,List<String>>
Overrides
Exceptions
Type Description
IOException

getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)

publicvoidgetRequestMetadata(URIuri,Executorexecutor,RequestMetadataCallbackcallback)

Get the current request metadata without blocking.

This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.

The default implementation will just call #getRequestMetadata(URI) then the callback from the given executor.

The convention for handling binary data is for the key in the returned map to end with "-bin" and for the corresponding values to be base64 encoded.

Parameters
Name Description
uri URI
executor Executor
callback RequestMetadataCallback
Overrides

hasRequestMetadata()

publicbooleanhasRequestMetadata()

Whether the credentials have metadata entries that should be added to each request.

This should be called by the transport layer to see if Credentials#getRequestMetadata should be used for each request.

Returns
Type Description
boolean
Overrides

hasRequestMetadataOnly()

publicbooleanhasRequestMetadataOnly()

Indicates whether or not the Auth mechanism works purely by including request metadata.

This is meant for the transport layer. If this is true a transport does not need to take actions other than including the request metadata. If this is false, a transport must specifically know about the authentication technology to support it, and should fail to accept the credentials otherwise.

Returns
Type Description
boolean
Overrides

hashCode()

publicinthashCode()
Returns
Type Description
int
Overrides

jwtWithClaims(JwtClaims newClaims)

publicJwtCredentialsjwtWithClaims(JwtClaimsnewClaims)

Returns a new JwtCredentials instance with modified claims.

Parameter
Name Description
newClaims JwtClaims

new claims. Any unspecified claim fields will default to the the current values.
Returns
Type Description
JwtCredentials

new credentials

refresh()

publicvoidrefresh()

Discard any cached data

Overrides

sign(byte[] toSign)

publicbyte[]sign(byte[]toSign)

Signs the provided bytes using the private key associated with the service account.

Parameter
Name Description
toSign byte[]
Returns
Type Description
byte[]

toBuilder()

publicServiceAccountJwtAccessCredentials.BuildertoBuilder()
Returns
Type Description
ServiceAccountJwtAccessCredentials.Builder

toString()

publicStringtoString()
Returns
Type Description
String
Overrides

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025年10月30日 UTC.