Google Sign-In

Use Google Sign-In for OAuth 2.0 flow and token lifecycle.

2 minute read

Getting Started

Google Sign-In manages the OAuth 2.0 flow and token lifecycle. To integrate the Google Sign-In workflow to your web app, follow this guide.

After setting up Google Sign-In, configure your auth service in the toolbox. The Google auth provider supports two distinct validation modes:

Web App Claims (OIDC): Used to authenticate user requests in web applications.
MCP Authorization: Used to secure the entire MCP server transport (SSE or Stdio).

Configuration Modes

1. Web App OIDC Authentication

If you are developing a web application using the Toolbox and need to retrieve user claims from Google ID tokens sent in custom request headers, configure the clientId field.

Header: Expects the token in the <name>_token header (e.g. my-google-auth_token).
Token Type: Google OIDC ID tokens (JWT).

Example

kind: authService
name: my-google-auth
type: google
clientId: ${YOUR_GOOGLE_CLIENT_ID}

2. MCP Authorization

To secure all endpoints on your MCP server using Google OAuth tokens, enable mcpEnabled and specify the audience field.

Header: Expects the token in the standard Authorization: Bearer <token> header.
Token Type: Supports both Google ID tokens (JWT) and Google opaque access tokens.

Example

kind: authService
name: my-google-auth
type: google
audience: ${YOUR_GOOGLE_CLIENT_ID}
mcpEnabled: true
scopesRequired:
  - https://www.googleapis.com/auth/userinfo.email

[!IMPORTANT]
For ID tokens (JWT): Local cryptographic signature verification is performed, which requires audience to be configured. If audience is not set, the provider will fall back to using clientId. If neither is configured, validation will fail.
For Opaque tokens: The provider automatically queries Google’s secure tokeninfo endpoint (https://oauth2.googleapis.com/tokeninfo) and validates the resulting audience against the configured audience field (falling back to clientId if audience is not set).

Behavior

Authorized Invocations

When using Authorized Invocations, a tool will be considered authorized if it has a valid OAuth 2.0 token that matches the Client ID or Audience.

Authenticated Parameters

When using Authenticated Parameters, any claim provided by the id-token can be used for the parameter.

Reference

field	type	required	description
type	string	true	Must be “google”.
clientId	string	false	Client ID of your application. Required for validating ID tokens in non-MCP web apps (`GetClaimsFromHeader`), and acts as a fallback for `audience` in MCP auth mode if `audience` is not configured.
audience	string	false	Expected audience. Required for validating ID tokens in MCP Auth mode (unless `clientId` is configured as a fallback). If specified, also validates opaque token audiences. Disallowed if `mcpEnabled` is false.
mcpEnabled	bool	false	Enforces global MCP transport authentication using the `Authorization: Bearer` header. Defaults to false.
scopesRequired	[]string	false	A list of required scopes that must be present in the token’s claims/metadata to be considered valid. Disallowed if `mcpEnabled` is false.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified June 4, 2026: chore(main): release 1.4.0 (#3301) (d67cfbe)