Authenticate with a Backend Server

If you are using the Login with an app that communicates with a backend server, you may need to identify the currently signed-in user on the server.

To securely identify the signed-in user using a backend server:

  • Send the user’s ID token to your server using HTTPS after the user is logged in successfully.
  • On the server, verify the integrity of the ID token using Verify Token API and use the user information contained in the token to create a new account or establish a session.


  • A modified client app can send arbitrary user IDs to your server to impersonate users. Hence, you must not accept plain user IDs on your backend server, such as the ones you get using userData.getUserId() method.
  • Instead, you use the verifiable ID tokens to securely get the user IDs of logged-in users on the server side.

Send the ID token to your server

Send the ID token to the tokensignin API on your backend server with an HTTPS POST request:

   HttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost("");
    try {
       List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(1);
       nameValuePairs.add(new BasicNameValuePair("idToken", idToken));
       httpPost.setEntity(new UrlEncodedFormEntity(nameValuePairs));

       HttpResponse response = httpClient.execute(httpPost);
       int statusCode = response.getStatusLine().getStatusCode();
       final String responseBody = EntityUtils.toString(response.getEntity());
       Log.i(TAG, "Signed in as: " + responseBody);
     } catch (ClientProtocolException e) {
       Log.e(TAG, "Error sending ID token to backend.", e);
     } catch (IOException e) {
       Log.e(TAG, "Error sending ID token to backend.", e);

Verify the integrity of the ID token

After you receive the ID token by HTTPS POST on your backend server, you must verify the integrity of the token using Verify Token API

    import requests
        url = ""
         "token_type": "id_token",
         "token": < id_token > ,
         "client_id": < your_oauth_client_id >
        headers = {
          'Content-Type': 'application/json'
        response = requests.request("POST", url, headers=headers, data=json.dumps(payload))
         #token verified
         #token not verified
    var axios = require('axios');
     var config = {
         method: 'post',
         url: '',
         headers: {
             'Content-Type': 'application/json'
         data: {
             "token_type": "id_token",
             "token": < id_token > ,
             "client_id": < your_oauth_client_id >

         .then(function (response) {
         .catch(function (error) {

Create an account or session

After you have verified the token, check if the user is already in your user database.

  • If the user is present in your database, establish an authenticated session for the user.
  • If the user isn’t yet in your user database, create a new user record from the information you received in the ID token payload, and establish a session for the user.

Note: When you detect a newly created user in your app and save this user in your database, you can get any additional profile information you require from the user.


Table of Contents

Authenticate with a Backend Server

Table of Contents

Document Rev. 1.0

Text copied to clipboard
Link copied to clipbord
Questions? Please reach out to us at