The PaLM API lets you tune models on your own data. Since it's your data and your tuned models this needs stricter access controls than API-Keys.
This quickstart uses a simplified authentication approach that is appropriate for a testing environment. For a production environment, learn about authentication and authorization before choosing the access credentials that are appropriate for your app.
Objectives
- Set up your cloud project for OAuth
- Set up application-default-credentials
- Manage credentials in your program instead of using
gcloud auth
Prerequisites
To run this quickstart, you need:
Set up your cloud project
To complete this quickstart, first you need to setup your cloud project.
1. Enable the API
Before using Google APIs, you need to turn them on in a Google Cloud project.
In the Google Cloud console, enable the Google Generative Language API.
2. Configure the OAuth consent screen
Next configure the project's OAuth consent screen and add yourself as a test user. If you've already completed this step for your Cloud project, skip to the next section.
In the Google Cloud console, go to Menu > APIs & Services > OAuth consent screen.
Select the user type External for your app, then click Create.
Complete the app registration form (you can leave most fields blank), then click Save and Continue.
For now, you can skip adding scopes and click Save and Continue. In the future, when you create an app for use outside of your Google Workspace organization, you must add and verify the authorization scopes that your app requires.
Add test users:
- Under Test users, click Add users.
- Enter your email address and any other authorized test users, then click Save and Continue.
Review your app registration summary. To make changes, click Edit. If the app registration looks OK, click Back to Dashboard.
3. Authorize credentials for a desktop application
To authenticate as an end user and access user data in your app, you need to create one or more OAuth 2.0 Client IDs. A client ID is used to identify a single app to Google's OAuth servers. If your app runs on multiple platforms, you must create a separate client ID for each platform.
In the Google Cloud console, go to Menu > APIs & Services > Credentials.
Click Create Credentials > OAuth client ID.
Click Application type > Desktop app.
In the Name field, type a name for the credential. This name is only shown in the Google Cloud console.
Click Create. The OAuth client created screen appears, showing your new Client ID and Client secret.
Click OK. The newly created credential appears under OAuth 2.0 Client IDs.
Click the download button to save the JSON file. It will be saved as
client_secret_<identifier>.json
, and rename it toclient_secret.json
and move it to your working directory.
Set up application default credentials
To convert the client_secret.json
file into usable credentials, pass its
location the gcloud auth application-default login
command's
--client-id-file
argument.
gcloud auth application-default login \
--client-id-file=client_secret.json \
--scopes='https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/generative-language.tuning'
The simplified project setup in this tutorial triggers a "Google hasn't verified this app." dialog. This is normal, choose "continue".
This places the resulting token in a well known location so it can be accessed
by gcloud
or the client libraries.
gcloud auth application-default login
--no-browser
--client-id-file=client_secret.json
--scopes='https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/generative-language.tuning'
Once you have the application default credentials (ACD) set, the client libraries in most languages need minimal to no help to find them.
Curl
The quickest way to test that this is working is to use it to access the rest API using curl:
access_token=$(gcloud auth application-default print-access-token) project_id=<MY PROJECT ID>
curl -X GET https://generativelanguage.googleapis.com/v1beta3/models \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer ${access_token}" \ -H "x-goog-user-project: ${project_id}" | grep '"name"'
"name": "models/chat-bison-001",
"name": "models/text-bison-001",
"name": "models/embedding-gecko-001",
Python
In python the client libraries should find them automatically:
pip install google-generativeai
A minimal script to test it might be:
import google.generativeai as genai
print('Available base models:', [m.name for m in genai.list_models()])
print('My tuned models:', [m.name for m in genai.list_tuned_models()])
The expected output is:
Available base models: ['models/chat-bison-001', 'models/text-bison-001', 'models/embedding-gecko-001']
My tuned models: []
Node.js
To use these credentials with the Node.js client library, set the
GOOGLE_APPLICATION_CREDENTIALS
environment variable.
export GOOGLE_APPLICATION_CREDENTIALS='<PATH_TO>/application_default_credentials.json'
Install the client library:
npm install @google-ai/generativelanguage
Create a minimal script:
const { ModelServiceClient } =
require("@google-ai/generativelanguage").v1beta3;
const MODEL_NAME = "models/text-bison-001";
const client = new ModelServiceClient({});
client
.listModels({})
.then((result) => {
result = result[0]
for (let i = 0; i < result.length; i++) {
console.log(result[i].name);
}
});
Its output should be:
models/chat-bison-001
models/text-bison-001
models/embedding-gecko-001
Next steps
If that's working you're ready to try tuning a model yourself. Try Get started with tuning.
Manage credentials yourself [Python]
In many cases you won't have the gcloud
command available to create the access
token from the Client ID (client_secret.json
). Google provides libraries in
many languages to let you manage that process within your app. This section
demonstrates the process, in python. There are equivalent examples of this sort
of procedure, for other languages, available in the
drive api documentation
1. Install the necessary libraries
Install the Google client library for Python, and the PaLM client library.
pip install --upgrade -q google-api-python-client google-auth-httplib2 google-auth-oauthlib
pip install google-generativeai
2. Write the credential manager
In your working directory, create a file named load_creds.py
. Start with the
following code to convert the client_secret.json
to a token usable with the
genai.configure
:
import os.path
from google.auth.transport.requests import Request
from google.oauth2.credentials import Credentials
from google_auth_oauthlib.flow import InstalledAppFlow
SCOPES = ['https://www.googleapis.com/auth/generative-language.tuning']
def load_creds():
"""Converts `oauth-client-id.json` to a credential object.
This function caches the generated tokens to minimize the use of the
consent screen.
"""
creds = None
# The file token.json stores the user's access and refresh tokens, and is
# created automatically when the authorization flow completes for the first
# time.
if os.path.exists('token.json'):
creds = Credentials.from_authorized_user_file('token.json', SCOPES)
# If there are no (valid) credentials available, let the user log in.
if not creds or not creds.valid:
if creds and creds.expired and creds.refresh_token:
creds.refresh(Request())
else:
flow = InstalledAppFlow.from_client_secrets_file(
'oauth-client-id.json', SCOPES)
creds = flow.run_local_server(port=0)
# Save the credentials for the next run
with open('token.json', 'w') as token:
token.write(creds.to_json())
return creds
To minimize the number of times you have to click through the authorization
screens if caches a token.json
file that it can reuse later, or refresh if
it's expired.
3. Write your program
Now create your script.py
:
import pprint
import google.generativeai as genai
from load_creds import load_creds
creds = load_creds()
genai.configure(credentials=creds)
print()
print('Available base models:', [m.name for m in genai.list_tuned_models()])
print('My tuned models:', [m.name for m in genai.list_tuned_models()])
4. Run your program
In your working directory, run the sample:
python script.py
The first time you run the script, it opens a browser window and prompts you to authorize access.
If you're not already signed in to your Google Account, you're prompted to sign in. If you're signed in to multiple accounts, be sure to select the account you set as a "Test Account" when configuring your project.
Authorization information is stored in the file system, so the next time you run the sample code, you aren't prompted for authorization.
You have successfully setup authentication.