Best Practices for Privacy and Security

Here are some security and privacy guidelines for developers using the Google Assistant API in their projects.

API and application authorization

Any application that uses the Google Assistant API must have authorization credentials that identify the application to Google's authentication server. Typically, these credentials are stored in a downloaded client_secret_<client-id>.json file. Make sure to store this file in a location that only your application can access.

Your application may prompt the user to grant it access to their Google account. If granted, your application can request an access token for that user. These tokens expire, but can be refreshed.

Unprotected refresh tokens on a device pose a significant security risk. Make sure your application:

  • Stores the refresh tokens in a secure place.
  • Provides an easy way to clear tokens from the device. For example, provide a "Sign out" button that clears a token (if the application has a UI) or a command line script that the user can execute.
  • Informs users that they can deauthorize access to their Google account. This revokes the refresh token; to use the application again, the user would need to re-authorize access.

When you are done using the device permanently, you should clear all of the tokens from it.

For more information, see Using OAuth 2.0 to Access Google APIs.