Authentication with OAuth quickstart

The Gemini API lets you perform semantic retrieval on your own data. Since it's your data, this needs stricter access controls than API keys.

This quickstart uses a simplified authentication approach that is appropriate for a testing environment. For a production environment, learn about authentication and authorization before choosing the access credentials that are appropriate for your app.


  • Set up your cloud project for OAuth
  • Set up application-default-credentials
  • Manage credentials in your program instead of using gcloud auth


To run this quickstart, you need:

Set up your cloud project

To complete this quickstart, you first need to setup your Cloud project.

1. Enable the API

Before using Google APIs, you need to turn them on in a Google Cloud project.

  • In the Google Cloud console, enable the Google Generative Language API.

    Enable the API

2. Configure the OAuth consent screen

Next configure the project's OAuth consent screen and add yourself as a test user. If you've already completed this step for your Cloud project, skip to the next section.

  1. In the Google Cloud console, go to Menu > APIs & Services > OAuth consent screen.

    Go to OAuth consent screen

  2. Select the user type External for your app, then click Create.

  3. Complete the app registration form (you can leave most fields blank), then click Save and Continue.

  4. For now, you can skip adding scopes and click Save and Continue. In the future, when you create an app for use outside of your Google Workspace organization, you must add and verify the authorization scopes that your app requires.

  5. Add test users:

    1. Under Test users, click Add users.
    2. Enter your email address and any other authorized test users, then click Save and Continue.
  6. Review your app registration summary. To make changes, click Edit. If the app registration looks OK, click Back to Dashboard.

3. Authorize credentials for a desktop application

To authenticate as an end user and access user data in your app, you need to create one or more OAuth 2.0 Client IDs. A client ID is used to identify a single app to Google's OAuth servers. If your app runs on multiple platforms, you must create a separate client ID for each platform.

  1. In the Google Cloud console, go to Menu > APIs & Services > Credentials.

    Go to Credentials

  2. Click Create Credentials > OAuth client ID.

  3. Click Application type > Desktop app.

  4. In the Name field, type a name for the credential. This name is only shown in the Google Cloud console.

  5. Click Create. The OAuth client created screen appears, showing your new Client ID and Client secret.

  6. Click OK. The newly created credential appears under OAuth 2.0 Client IDs.

  7. Click the download button to save the JSON file. It will be saved as client_secret_<identifier>.json, and rename it to client_secret.json and move it to your working directory.

Set up application default credentials

To convert the client_secret.json file into usable credentials, pass its location the gcloud auth application-default login command's --client-id-file argument.

gcloud auth application-default login \
    --client-id-file=client_secret.json \

The simplified project setup in this tutorial triggers a "Google hasn't verified this app." dialog. This is normal, choose "continue".

This places the resulting token in a well known location so it can be accessed by gcloud or the client libraries.

gcloud auth application-default login 
--no-browser --client-id-file=client_secret.json

Once you have the application default credentials (ACD) set, the client libraries in most languages need minimal to no help to find them.


The quickest way to test that this is working is to use it to access the REST API using curl:

access_token=$(gcloud auth application-default print-access-token)
project_id=<MY PROJECT ID>

curl -X GET \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer ${access_token}" \
    -H "x-goog-user-project: ${project_id}" | grep '"name"'


In python the client libraries should find them automatically:

pip install google-generativeai

A minimal script to test it might be:

import google.generativeai as genai

print('Available base models:', [ for m in genai.list_models()])

Next steps

If that's working you're ready to try Semantic retrieval on your text data.

Manage credentials yourself [Python]

In many cases you won't have the gcloud command available to create the access token from the Client ID (client_secret.json). Google provides libraries in many languages to let you manage that process within your app. This section demonstrates the process, in python. There are equivalent examples of this sort of procedure, for other languages, available in the Drive API documentation

1. Install the necessary libraries

Install the Google client library for Python, and the Gemini client library.

pip install --upgrade -q google-api-python-client google-auth-httplib2 google-auth-oauthlib

pip install google-generativeai

2. Write the credential manager

To minimize the number of times you have to click through the authorization screens, create a file called in your working directory to caches a token.json file that it can reuse later, or refresh if it expires.

Start with the following code to convert the client_secret.json file to a token usable with genai.configure:

import os.path

from google.auth.transport.requests import Request
from google.oauth2.credentials import Credentials
from google_auth_oauthlib.flow import InstalledAppFlow

SCOPES = ['']

def load_creds():
    """Converts `client_secret.json` to a credential object.

    This function caches the generated tokens to minimize the use of the
    consent screen.
    creds = None
    # The file token.json stores the user's access and refresh tokens, and is
    # created automatically when the authorization flow completes for the first
    # time.
    if os.path.exists('token.json'):
        creds = Credentials.from_authorized_user_file('token.json', SCOPES)
    # If there are no (valid) credentials available, let the user log in.
    if not creds or not creds.valid:
        if creds and creds.expired and creds.refresh_token:
            flow = InstalledAppFlow.from_client_secrets_file(
                'client_secret.json', SCOPES)
            creds = flow.run_local_server(port=0)
        # Save the credentials for the next run
        with open('token.json', 'w') as token:
    return creds

3. Write your program

Now create your

import pprint
import google.generativeai as genai
from load_creds import load_creds

creds = load_creds()


print('Available base models:', [ for m in genai.list_models()])

4. Run your program

In your working directory, run the sample:


The first time you run the script, it opens a browser window and prompts you to authorize access.

  1. If you're not already signed in to your Google Account, you're prompted to sign in. If you're signed in to multiple accounts, be sure to select the account you set as a "Test Account" when configuring your project.

  2. Authorization information is stored in the file system, so the next time you run the sample code, you aren't prompted for authorization.

You have successfully setup authentication.