Warning: The PaLM API is decomissioned. The Vertex AI PaLM API is scheduled to be decomissioned in October 2024. Please upgrade to the Gemini API. Learn more about this in the PaLM API deprecation guide.

Authentication with OAuth quickstart

The PaLM API lets you tune models on your own data. Since it's your data and your tuned models this needs stricter access controls than API-Keys.

This quickstart uses a simplified authentication approach that is appropriate for a testing environment. For a production environment, learn about authentication and authorization before choosing the access credentials that are appropriate for your app.

Objectives

Set up your cloud project for OAuth
Set up application-default-credentials
Manage credentials in your program instead of using gcloud auth

Prerequisites

To run this quickstart, you need:

Set up your cloud project

To complete this quickstart, first you need to setup your cloud project.

1. Enable the API

Before using Google APIs, you need to turn them on in a Google Cloud project.

In the Google Cloud console, enable the Google Generative Language API.

Enable the API

2. Configure the OAuth consent screen

Next configure the project's OAuth consent screen and add yourself as a test user. If you've already completed this step for your Cloud project, skip to the next section.

In the Google Cloud console, go to Menu > APIs & Services > OAuth consent screen.

Go to OAuth consent screen
Select the user type External for your app, then click Create.
Complete the app registration form (you can leave most fields blank), then click Save and Continue.
For now, you can skip adding scopes and click Save and Continue. In the future, when you create an app for use outside of your Google Workspace organization, you must add and verify the authorization scopes that your app requires.
Add test users:
1. Under Test users, click Add users.
2. Enter your email address and any other authorized test users, then click Save and Continue.
Review your app registration summary. To make changes, click Edit. If the app registration looks OK, click Back to Dashboard.

3. Authorize credentials for a desktop application

To authenticate as an end user and access user data in your app, you need to create one or more OAuth 2.0 Client IDs. A client ID is used to identify a single app to Google's OAuth servers. If your app runs on multiple platforms, you must create a separate client ID for each platform.

In the Google Cloud console, go to Menu > APIs & Services > Credentials.

Go to Credentials
Click Create Credentials > OAuth client ID.
Click Application type > Desktop app.
In the Name field, type a name for the credential. This name is only shown in the Google Cloud console.
Click Create. The OAuth client created screen appears, showing your new Client ID and Client secret.
Click OK. The newly created credential appears under OAuth 2.0 Client IDs.
Click the download button to save the JSON file. It will be saved as client_secret_<identifier>.json, and rename it to client_secret.json and move it to your working directory.

Set up Application Default Credentials

To convert the client_secret.json file into usable credentials, pass its location the gcloud auth application-default login command's --client-id-file argument.

gcloud auth application-default login \
    --client-id-file=client_secret.json \
    --scopes='https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/generative-language.tuning'

The simplified project setup in this tutorial triggers a "Google hasn't verified this app." dialog. This is normal, choose "continue".

This places the resulting token in a well known location so it can be accessed by gcloud or the client libraries.

gcloud auth application-default login 

    --no-browser
    --client-id-file=client_secret.json 

    --scopes='https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/generative-language.tuning'

Once you have the Application Default Credentials (ADC) set, the client libraries in most languages need minimal to no help to find them.

Curl

The quickest way to test that this is working is to use it to access the rest API using curl:

access_token=$(gcloud auth application-default print-access-token)
project_id=<MY PROJECT ID>
curl -X GET https://generativelanguage.googleapis.com/v1beta3/models \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer ${access_token}" \
    -H "x-goog-user-project: ${project_id}" | grep '"name"'

"name": "models/chat-bison-001",
"name": "models/text-bison-001",
"name": "models/embedding-gecko-001",

Python

In python the client libraries should find them automatically:

pip install google-generativeai

A minimal script to test it might be:

import google.generativeai as genai

print('Available base models:', [m.name for m in genai.list_models()])
print('My tuned models:', [m.name for m in genai.list_tuned_models()])

The expected output is:

Available base models: ['models/chat-bison-001', 'models/text-bison-001', 'models/embedding-gecko-001']
My tuned models: []

Node.js

To use these credentials with the Node.js client library, set the GOOGLE_APPLICATION_CREDENTIALS environment variable.

export GOOGLE_APPLICATION_CREDENTIALS='<PATH_TO>/application_default_credentials.json'

Install the client library:

npm install @google-ai/generativelanguage

Create a minimal script:

const { ModelServiceClient } =
  require("@google-ai/generativelanguage").v1beta3;

const MODEL_NAME = "models/text-bison-001";

const client = new ModelServiceClient({});

client
  .listModels({})
  .then((result) => {
    result = result[0]
    for (let i = 0; i < result.length; i++) {
      console.log(result[i].name);
    }
  });

Its output should be:

models/chat-bison-001
models/text-bison-001
models/embedding-gecko-001

Next steps

If that's working you're ready to try tuning a model yourself. Try Get started with tuning.

Manage credentials yourself [Python]

In many cases you won't have the gcloud command available to create the access token from the Client ID (client_secret.json). Google provides libraries in many languages to let you manage that process within your app. This section demonstrates the process, in python. There are equivalent examples of this sort of procedure, for other languages, available in the drive api documentation

1. Install the necessary libraries

Install the Google client library for Python, and the PaLM client library.

pip install --upgrade -q google-api-python-client google-auth-httplib2 google-auth-oauthlib

pip install google-generativeai

2. Write the credential manager

In your working directory, create a file named load_creds.py. Start with the following code to convert the client_secret.json to a token usable with the genai.configure:

import os.path

from google.auth.transport.requests import Request
from google.oauth2.credentials import Credentials
from google_auth_oauthlib.flow import InstalledAppFlow

SCOPES = ['https://www.googleapis.com/auth/generative-language.tuning']

def load_creds():
    """Converts `oauth-client-id.json` to a credential object.

    This function caches the generated tokens to minimize the use of the
    consent screen.
    """
    creds = None
    # The file token.json stores the user's access and refresh tokens, and is
    # created automatically when the authorization flow completes for the first
    # time.
    if os.path.exists('token.json'):
        creds = Credentials.from_authorized_user_file('token.json', SCOPES)
    # If there are no (valid) credentials available, let the user log in.
    if not creds or not creds.valid:
        if creds and creds.expired and creds.refresh_token:
            creds.refresh(Request())
        else:
            flow = InstalledAppFlow.from_client_secrets_file(
                'oauth-client-id.json', SCOPES)
            creds = flow.run_local_server(port=0)
        # Save the credentials for the next run
        with open('token.json', 'w') as token:
            token.write(creds.to_json())
    return creds

To minimize the number of times you have to click through the authorization screens if caches a token.json file that it can reuse later, or refresh if it's expired.

3. Write your program

Now create your script.py:

import pprint
import google.generativeai as genai
from load_creds import load_creds

creds = load_creds()

genai.configure(credentials=creds)

print()
print('Available base models:', [m.name for m in genai.list_tuned_models()])
print('My tuned models:', [m.name for m in genai.list_tuned_models()])

4. Run your program

In your working directory, run the sample:

python script.py

The first time you run the script, it opens a browser window and prompts you to authorize access.

If you're not already signed in to your Google Account, you're prompted to sign in. If you're signed in to multiple accounts, be sure to select the account you set as a "Test Account" when configuring your project.

Note: The simplified project setup in this tutorial triggers a "Google hasn't verified this app." dialog. This is normal, choose "continue".
Authorization information is stored in the file system, so the next time you run the sample code, you aren't prompted for authorization.

You have successfully setup authentication.