A Rust crate for seamless, secure Google Cloud OAuth authentication.
This library handles the OAuth2 authorization code flow (with browser-based login) to obtain:
- Access tokens (for calling Google APIs)
- ID tokens (for verifying user identity)
- Refresh tokens (to renew tokens silently)
It securely caches credentials using the OS-native keyring or a file-based fallback — making it ideal for long-lived CLI tools, automation, and server integrations.
- Secure credential caching
  - Defaults to OS keyring (`keyring` crate)
  - Optional file-based cache via `GCLOUD_IDENTITY_TOKEN_PATH`
- Smart refresh logic
  - Automatically reuses tokens until they expire
  - Refreshes silently using stored refresh token
- Headless & browser login support
  - Opens browser for login when possible
  - Falls back to manual URL copy if needed
- Email-based keyring separation
  - Keyring entries are scoped to your Google email (from ID token)
Obtain application-default credentials (Required):

```sh
gcloud auth application-default login
```

Add to your `Cargo.toml`:

```toml
[dependencies]
gcloud-identity-token = "0.1"
```
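```rust
use anyhow::Result;
use gcloud_identity_token::auth::get_token;
use gcloud_identity_token::config::load_creds;

#[tokio::main]
async fn main() -> Result<()> {
    // Load the application-default credentials created by the gcloud step above.
    let creds = load_creds()?;
    // Reuses a cached token, refreshes it, or starts the login flow as needed.
    let token = get_token(&creds).await?;

    // Both tokens are secrets; they are printed here only to show the returned fields.
    println!("Access token: {}", token.access_token);
    println!("ID token: {}", token.id_token);
    println!("Expires at: {}", token.token_expiry);
    Ok(())
}
```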
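
When the file-based cache (`GCLOUD_IDENTITY_TOKEN_PATH`) is used instead of the OS keyring, the cached credentials are only as private as the file's permissions. The following is an added example, not this crate's code or documented behaviour: Unix-only hypothetical helpers `write_cache` and `read_cache` that create the cache with mode 0600 and refuse to read one that group or others can access. The path and token blob are constructed samples.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Write `data` to `path` so it is never readable by group or others.
/// The bytes go to a fresh 0600 temp file that is then renamed into place,
/// so a pre-existing cache with loose permissions is replaced, not reused.
pub fn write_cache(path: &Path, data: &[u8]) -> io::Result<()> {
    let mut tmp_name = path.as_os_str().to_owned();
    tmp_name.push(format!(".tmp.{}", std::process::id()));
    let tmp = PathBuf::from(tmp_name);
    let _ = fs::remove_file(&tmp); // clear a stale temp file from a crashed run
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true) // fail rather than follow an existing file or symlink
        .mode(0o600) // applied at creation, before any secret is written
        .open(&tmp)?;
    f.write_all(data)?;
    f.sync_all()?;
    fs::rename(&tmp, path)
}

/// Read the cache, refusing a file that group or others can access.
/// The mode is checked on the open handle, not on the path, to avoid a race.
pub fn read_cache(path: &Path) -> io::Result<Vec<u8>> {
    let mut f = File::open(path)?;
    let mode = f.metadata()?.permissions().mode() & 0o777;
    if mode & 0o077 != 0 {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            format!("{} has mode {:o}, expected 600", path.display(), mode),
        ));
    }
    let mut buf = Vec::new();
    f.read_to_end(&mut buf)?;
    Ok(buf)
}

fn main() -> io::Result<()> {
    // Constructed sample path and token blob; a real tool would take the
    // path from GCLOUD_IDENTITY_TOKEN_PATH.
    let path = std::env::temp_dir().join("example-token-cache.json");
    write_cache(&path, br#"{"refresh_token":"constructed-sample"}"#)?;
    println!("read back {} bytes", read_cache(&path)?.len());
    fs::remove_file(&path)
}
```

To audit an existing cache from the shell, `stat -c '%a' "$GCLOUD_IDENTITY_TOKEN_PATH"` on Linux should print `600`.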