Verify requests
Stay organized with collections
Save and categorize content based on your preferences.
Requests to your conversational webhook are signed with an authorization token
in the header, using the following format:
google-assistant-signature: "<JWT token>"
The auth token follows the JSON Web Token format,
where the audience field value is equal to the Actions console project ID for
the app. To verify the signature, unpack the token and ensure the audience field
matches the project ID for the app. You can do this with a JWT-compatible
credentials library, like the Google APIs Node.js client,
or directly using the Actions on Google Node.js Client Library
ConversationOptions#verification option, as shown in the following code snippet:
const {conversation} = require('@assistant/conversation');
const app = conversation({verification: 'nodejs-cloud-test-project-1234'});
// HTTP Code 403 will be thrown by default on verification error per request.
The JWT format will be in this format:
{
"iss": "https://accounts.google.com"
"aud": [project-id],
"nbf": number,
"iat": number,
"exp": number,
"jti": string
}
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-09-18 UTC.
[null,null,["Last updated 2024-09-18 UTC."],[[["\u003cp\u003eConversational webhook requests include an authorization token in the \u003ccode\u003egoogle-assistant-signature\u003c/code\u003e header for security purposes.\u003c/p\u003e\n"],["\u003cp\u003eThis token is a JSON Web Token (JWT) containing an audience field that matches your Actions console project ID, enabling verification.\u003c/p\u003e\n"],["\u003cp\u003eYou can verify the signature using a JWT library or the \u003ccode\u003eConversationOptions#verification\u003c/code\u003e setting within the Actions on Google Node.js Client Library.\u003c/p\u003e\n"],["\u003cp\u003eThe JWT structure includes standard fields like issuer, audience, issue and expiration timestamps, and a unique identifier.\u003c/p\u003e\n"]]],[],null,["# Verify requests\n\nRequests to your conversational webhook are signed with an authorization token\nin the header, using the following format: \n\n google-assistant-signature: \"\u003cJWT token\u003e\"\n\nThe auth token follows the [JSON Web Token format](https://tools.ietf.org/html/rfc7519),\nwhere the audience field value is equal to the Actions console project ID for\nthe app. To verify the signature, unpack the token and ensure the audience field\nmatches the project ID for the app. You can do this with a JWT-compatible\ncredentials library, like the [Google APIs Node.js client](https://github.com/google/google-auth-library-nodejs),\nor directly using the Actions on Google Node.js Client Library\n[`ConversationOptions#verification`](https://actions-on-google.github.io/assistant-conversation-nodejs/3.3.0/docs/interfaces/conversation_conversation.conversationv3app.html#verification) option, as shown in the following code snippet: \n\n```gdscript\nconst {conversation} = require('@assistant/conversation');\n\nconst app = conversation({verification: 'nodejs-cloud-test-project-1234'});\n// HTTP Code 403 will be thrown by default on verification error per request.\n```\n\nThe JWT format will be in this format: \n\n```text\n{\n \"iss\": \"https://accounts.google.com\"\n \"aud\": [project-id],\n \"nbf\": number,\n \"iat\": number,\n \"exp\": number,\n \"jti\": string\n}\n```"]]
