Enable automatic sign-in across apps and websites

If your app that uses Smart Lock for Passwords shares a user database with your website—or if your app and website use federated sign-in providers such as Google Sign-In—you can associate the app with the website so that users save their credentials once and then automatically sign in to both the app and the website.

To associate an app with a website, declare associations by hosting a Digital Asset Links JSON file on your website, and adding a link to the Digital Asset Link file to your app's manifest.

By hosting a Digital Asset Links declaration on your website, you also enable your website to share autofill data with your app when running on Android 8.0 and newer.

Prerequisites

Your website's sign-in domain must be available through HTTPS.

Associate your app with your website

  1. Create a Digital Asset Links JSON file.

    For example, to declare that the website https://signin.example.com and an Android app with the package name com.example can share sign-in credentials, create a file named assetlinks.json with the following content:

    [{
      "relation": ["delegate_permission/common.get_login_creds"],
      "target": {
        "namespace": "web",
        "site": "https://signin.example.com"
      }
     },
     {
      "relation": ["delegate_permission/common.get_login_creds"],
      "target": {
        "namespace": "android_app",
        "package_name": "com.example",
        "sha256_cert_fingerprints": [
          "F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
        ]
      }
     }]
    

    The relation field is an array of one or more strings that describe the relationship being declared. To declare that apps and sites share sign-in credentials, specify the string delegate_permission/common.get_login_creds.

    The target field is an object that specifies the asset the declaration applies to. The following fields identify a website:

    namespace web
    site

    The website's URL, in the format https://domain[:optional_port]; for example, https://www.example.com.

    The domain must be fully-qualified., and optional_port must be omitted when using port 443 for HTTPS.

    A site target can only be a root domain: you cannot limit an app association to a specific subdirectory. Do not include a path in the URL, such as a trailing slash.

    Subdomains are not considered to match: that is, if you specify the domain as www.example.com, the domain www.counter.example.com is not associated with your app.

    The following fields identify an Android app:

    namespace android_app
    package_name The package name declared in the app's manifest. For example, com.example.android
    sha256_cert_fingerprints The SHA256 fingerprints of your app’s signing certificate. You can use the following command to generate the fingerprint:
    $ keytool -list -v -keystore my-release-key.keystore

    See the Digital Asset Links reference for details.

  2. Host the Digital Assets Link JSON file at the following location on the sign-in domain:

    https://domain[:optional_port]/.well-known/assetlinks.json

    For example, if your sign-in domain is signin.example.com, host the JSON file at https://signin.example.com/.well-known/assetlinks.json.

    The MIME type for the Digital Assets Link file needs to be JSON. Make sure the server sends a Content-Type: application/json header in the response.

  3. Ensure that your host permits Google to retrieve your Digital Asset Link file. If you have a robots.txt file, it must allow the Googlebot agent to retrieve /.well-known/assetlinks.json. Most sites can simply allow any automated agent to retrieve files in the /.well-known/ path so that other services can access the metadata in those files:

    User-agent: *
    Allow: /.well-known/
    

  4. Declare the association in the Android app.

    1. Add the following line to the manifest file under <application>:

        <meta-data android:name="asset_statements" android:resource="@string/asset_statements" />
      
    2. Add an asset_statements string resource to the strings.xml file. The asset_statements string is a JSON object that specifies the assetlinks.json files to load. You must escape any apostrophes and quotation marks you use in the string. For example:

        <string name="asset_statements" translatable="false">
        [{
          \"include\": \"https://signin.example.com/.well-known/assetlinks.json\"
        }]
        </string>
      
        > GET /.well-known/assetlinks.json HTTP/1.1
        > User-Agent: curl/7.35.0
        > Host: signin.example.com
      
        < HTTP/1.1 200 OK
        < Content-Type: application/json
      
  5. Publish the app to Google Play Store. It needs to be released in the public channel for associations to be picked up.

  6. (Optional) Complete and submit the Smart Lock for Passwords affiliation form to indicate that you went through the process. Google periodically checks whether affiliations submitted through the form actually work and might contact you in case of problems.

When verification has completed, users of your app can save their credentials on either your app or your website and be automatically signed in to both.

Example: Associate multiple apps with a website

You can associate multiple apps with a website by specifying each app in the Digital Assets Link file. For example, to associate the com.example and com.example.pro apps with the site at https://signin.example.com/, specify both apps in the JSON file hosted at https://signin.example.com/.well-known/assetlinks.json:

[{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "web",
    "site": "https://signin.example.com"
  }
},{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example",
    "sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
    ]
  }
},{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.pro",
    "sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
    ]
  }
}]

Then, declare the association in both apps:

  1. Add the following line to the manifest file under <application>:

    <meta-data android:name="asset_statements" android:resource="@string/asset_statements" />
    
  2. Add the following string resource to the strings.xml file:

    <string name="asset_statements" translatable="false">
    [{
      \"include\": \"https://signin.example.com/.well-known/assetlinks.json\"
    }]
    </string>
    

Example: Associate apps with multiple websites

You can associate apps with multiple websites by specifying each website in the Digital Assets Link file and hosting the file on each website. For example, to associate the com.example and com.example.pro apps with the site at https://signin.example.com/ and https://m.example.com/, specify both apps and both sites in the JSON file hosted at https://signin.example.com/.well-known/assetlinks.json:

[{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "web",
    "site": "https://signin.example.com"
  }
},{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "web",
    "site": "https://m.example.com"
  },
},{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example",
    "sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
    ]
  }
},{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.pro",
    "sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
    ]
  }
}]

Then, in the JSON file hosted at https://m.example.com/.well-known/assetlinks.json, include the primary Digital Asset Links file:

[{
  "include": "https://signin.example.com/.well-known/assetlinks.json"
}]

Finally, declare the association in both apps:

  1. Add the following line to the manifest file under <application>:

    <meta-data android:name="asset_statements" android:resource="@string/asset_statements" />
    
  2. Add the following string resource to the strings.xml file:

    <string name="asset_statements" translatable="false">
    [{
      \"include\": \"https://signin.example.com/.well-known/assetlinks.json\"
    }]
    </string>