AI-generated Key Takeaways
- 
          Cross-platform seamless credential sharing allows users to save credentials once and have them automatically suggested on linked websites or Android apps. 
- 
          Credential sharing can be set up using either the Play Console for most developers or Digital Asset Links (DALs) for advanced configurations. 
- 
          Regardless of the setup method, credential sharing relationships are transitive, meaning if A shares with C and B shares with C, then A and B will share with each other. 
- 
          For optimal user experience and security, implement seamless credential sharing across sign-in, sign-up, password change, password reset forms, webview domains, and Android apps. 
- 
          Setting up credential sharing involves publishing a valid assetlinks.jsonfile on your website, regardless of the method used.
Maximize user convenience by enabling cross-platform seamless credential sharing across your apps and websites. When multiple websites and Android apps share an account management backend, this feature allows users to save credentials once and have them automatically suggested on any linked website or Android app.
There are two supported methods to set up credential sharing:
- Play Console: Recommended for most developers when setting up
credential sharing with Android apps. This method lets you configure
credential sharing without needing to release a new version of your app.
Note that even when using Play Console, you still need to publish a valid
assetlinks.jsonfile on your website.
- Digital Asset Links (DALs): Suitable for advanced use cases, such as supporting multiple apps or domains with more complex configurations.
Best practices
For optimal user experience and security, implement seamless credential sharing across these touchpoints:
- Sign-in form: Enable automatic credential filling.
- Sign-up form: Securely store new credentials for use across platforms.
- Password change form: Synchronize password updates across all platforms.
- Password reset form: Allow single password resets to update all platforms.
- Webview domains: Extend credential sharing to webview domains within your app that handle account management (host sign-in, sign-up, password change, or password reset forms).
- Android apps
This approach creates a unified credential management system, enhancing both user convenience and security.
When designing your account management websites, we suggest you follow these best practices for account management sites:
- Design your sign-up form in accordance with best practices
- Design your sign-in form in accordance with best practices
- Add a well-known URL for changing passwords
When designing your Android apps, we recommend you integrate your app with Android Credential Manager.
Set up credential sharing using Play Console
You can now enable seamless credential sharing directly from Play Console without publishing a new version of your Android app. This method simplifies the process by managing your credential sharing configurations through the Play Console interface.
Prerequisites
Before setting up credential sharing using Play Console, ensure you have:
- The necessary Play Console permissions to access the Deep links and App configuration sections. If you're not the account owner, ask your Play Console administrator to grant you the appropriate access.
- Ability to publish a /.well-known/assetlinks.jsonfile on each respective domain, following the Digital Asset Links (DALs) syntax.
Enable credential sharing for a new domain
To set up seamless credential sharing in Play Console for a new domain, follow these steps:
- Open Play Console and go to the Deep links page (Grow users > Deep links).
- Under the App configuration tab, click Add domain.
- Enter your website's domain.
- Turn on the Enable credential sharing toggle.
- Copy the generated JSON file and publish it at the specified location
(https://YOUR_DOMAIN/.well-known/assetlinks.jsonaccording to the protocol), or add the relevant information to the existing assetlinks.json file.
- Click Create website association.
If successful, you'll return to the Deep links page.
Enable credential sharing for an existing domain
To set up seamless credential sharing in Play Console for an existing domain, follow these steps:
- Select the App configuration tab.
- In the Domains section, under App configuration, click Turn on in the Credential sharing column.
- Copy the generated JSON file and publish it at the specified location
(or add the relevant information to the existing assetlinks.jsonfile).
- Click Turn on credential sharing.
If successful, you'll return to the Deep links page.
Set up credential sharing using only Digital Asset Links (DALs)
For complex setups involving multiple apps or websites, use Digital Asset Links (DALs) to configure credential sharing manually.
Prerequisites
Before setting up seamless credential sharing, ensure you have the following for each platform:
For each Android app:
- The Android application ID, as declared in the app's build.gradlefile.
- The SHA256 fingerprints of the signing certificate.
- (Recommended) User sign-in implemented with the Credential Manager API.
For each website:
- Ability to publish a /.well-known/assetlinks.jsonfile on each respective domain, following the Digital Asset Links (DALs) syntax.
- All account management domains (sign-in, sign-up, password change, or password reset forms) must be accessible over HTTPS.
Enable seamless credential sharing across Android apps and websites
To configure seamless credential sharing across apps and websites, you create and publish Digital Asset Links statement lists that declare which entities (websites or Android apps) are allowed to share credentials.
To declare a credential sharing relationship:
- Create an - assetlinks.jsonfile with statements linking to the website and to the Android app, following the DALs statement list syntax:- [ { "relation":[ "delegate_permission/common.get_login_creds" ], "target":{ "namespace":"web", "site":URL } }, { "relation":[ "delegate_permission/common.get_login_creds" ], "target":{ "namespace":"android_app", "package_name":"APP_ID", "sha256_cert_fingerprints":[ "SHA_HEX_VALUE" ] } } ]- Where - URLis your site's URL,- APP_IDis your Android application ID, and- SHA_HEX_VALUEis the SHA256 fingerprint of your Android app signing certificate.- The - relationfield describes the relationship being declared. To declare that apps and sites share sign-in credentials, specify the relationships as- delegate_permission/common.get_login_creds. Learn more about Relation Strings in DALs.- The - targetfield is an object that specifies the asset the declaration applies to.- The following fields identify a website: - namespace- web- site- The website's URL, in the format - https://domain[:optional_port]; for example, https://www.example.com.- The - domainmust be fully-qualified, and- optional_portmust be omitted when using port 443 for HTTPS.- A - sitetarget can only be a root domain: you cannot limit an app association to a specific subdirectory. Don't include a path in the URL, such as a trailing slash.- Subdomains are not considered to match: that is, if you specify the - domainas www.example.com, the domain www.counter.example.com is not associated with your app.- The following fields identify an Android app: - namespace - android_app - package_name - The package name declared in the app's manifest. For example, com.example.android - sha256_cert_fingerprints - The SHA256 fingerprints of your app's signing certificate. 
- Host the Digital Asset Links JSON file at the following location on the sign-in domains: - https://DOMAIN[:OPTIONAL_PORT]/.well-known/assetlinks.json, where- DOMAINis fully-qualified, and- OPTIONAL_PORTmust be omitted when using port 443 for HTTPS.
- Declare the association in the Android app by embedding a statement in your Android app's - res/values/strings.xmlfile that links to the statement list you created in Step 1. Add an object that specifies the- assetlinks.jsonfiles to load. For example:- <string name="asset_statements" translatable="false"> [{ \"include\": \"https://DOMAIN[:OPTIONAL_PORT]/.well-known/assetlinks.json\" }] </string>- Replace - DOMAINand- OPTIONAL_PORT(must be omitted when using port 443 for HTTPS)—for example- https://www.example.com. Escape any apostrophes and quotation marks you use in the string.- You can also add a JSON snippet in your - strings.xmlfile as shown in the DALs documentation, but using the- includestatement lets you change statements without publishing a new version of your app.
- Reference the statement in the manifest by adding the following line to your app's - AndroidManifest.xmlfile under- <application>:- <meta-data android:name="asset_statements" android:resource="@string/asset_statements"/>
- Publish the new version of your Android app to the Google Play Developer Console 
After following these steps, you have successfully set up seamless credential sharing between your website and your Android app.
Note that this is not the only valid way to set up DALs for credential sharing, but this approach simplifies the future process of adding new entities to your seamless credential sharing network, promotes code reusability, and reduces the potential for errors during updates.