For Google Chat apps built on HTTP endpoints, this section explains how to verify that the requests to your endpoint come from Chat.
To dispatch interaction events to your Chat app's endpoint, Google makes requests to your service. To verify that the request is coming from Google, Chat includes a bearer token in the Authorization header of every HTTPS request to your endpoint. For example:
POST
Host: yourappurl.com
Authorization: Bearer AbCdEf123456
Content-Type: application/json
User-Agent: Google-Dynamite
The string AbCdEf123456 in the preceding example is the bearer authorization token. This is a cryptographic token produced by Google. The type of the bearer token and the value of the audience field depend on the type of authentication audience you selected when configuring the Chat app.
If you've implemented your Chat app using Cloud Run functions, Cloud IAM handles token verification automatically. You must add the Google Chat service account as an authorized invoker. If your app implements its own HTTP server, you can verify your bearer token using an open source Google API client library:
- Java: https://github.com/google/google-api-java-client
- Python: https://github.com/google/google-api-python-client
- Node.js: https://github.com/google/google-api-nodejs-client
- .NET: https://github.com/google/google-api-dotnet-client
If the token doesn't verify for the Chat app, your service should respond to the request with an HTTPS response code 401 (Unauthorized).
Authenticate requests using Cloud Run functions
If your function logic is implemented using Cloud Run functions, you must select HTTP endpoint URL in the Authentication Audience field of the Chat app connection setting and make sure that the HTTP endpoint URL in the configuration corresponds to the URL of the Cloud Run function endpoint.
Then, you need to authorize the Google Chat service account chat@system.gserviceaccount.com as an invoker using the following steps:
Console
After deploying your function or service to Google Cloud:
- In the Google Cloud console, go to the Cloud Run page.
- In the Cloud Run services list, click the checkbox next to the receiving function. (Don't click the function itself.)
- Click Permissions at the top of the screen. The Permissions panel opens.
- Click Add principal.
- In the New principals field, enter chat@system.gserviceaccount.com.
- From the Select a role menu, select the role Cloud Run > Cloud Run Invoker.
- Click Save.
gcloud
Use the gcloud functions add-invoker-policy-binding command:
gcloud functions add-invoker-policy-binding RECEIVING_FUNCTION \
  --member='serviceAccount:chat@system.gserviceaccount.com'
Replace RECEIVING_FUNCTION with the name of your Chat app's function.
Authenticate HTTP requests with an ID Token
If the Authentication Audience field of the Chat app connection setting is set to HTTP endpoint URL, the bearer authorization token in the request is a Google-signed OpenID Connect (OIDC) ID token.
The email field is set to chat@system.gserviceaccount.com. The audience field is set to the URL that you configured Google Chat to send requests to. For example, if the configured endpoint of your Chat app is https://example.com/app/, then the audience field in the ID token is https://example.com/app/.
This is the recommended authentication method if your HTTP endpoint isn't hosted on a service that supports IAM-based authentication (such as Cloud Run). Using this method, your HTTP service needs information about the URL of the endpoint where it's running, but doesn't need information about the Cloud project number.
The following samples show how to verify that the bearer token was issued by Google Chat and targeted at your app using the Google OAuth client library.
Authenticate requests with a Project Number JWT
If the Authentication Audience field of the Chat app connection setting is set to Project Number, the bearer authorization token in the request is a self-signed JSON Web Token (JWT), issued and signed by chat@system.gserviceaccount.com.
The audience field is set to the Google Cloud project number that you used to build your Chat app. For example, if your Chat app's Cloud project number is 1234567890, then the audience field in the JWT is 1234567890.
This authentication method is only recommended if you prefer to use the Cloud project number to verify requests instead of the HTTP endpoint URL. For example, if you want to change the endpoint URL over time while keeping the same Cloud project number, or if you want to use the same endpoint for multiple Cloud project numbers and want to compare the audience field with a list of Cloud project numbers.
The following samples show how to verify that the bearer token was issued by Google Chat and targeted at your project using the Google OAuth client library.
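The following is an added example covering both verification modes described above (ID token for an HTTP endpoint URL audience, self-signed JWT for a Project Number audience); it is not code from this page or from Google. It uses the google.oauth2.id_token module of the google-auth library, which I'm assuming is the Python "Google OAuth client library" the page refers to. The function names, the CHAT_CERTS_URL constant (the X.509 certificate endpoint for the Chat service account, not stated on this page) and the sample claims are my own assumptions. The library call verifies the signature, audience and expiry; the claim checks in check_chat_claims add the part the library does not do, namely confirming that the token belongs to chat@system.gserviceaccount.com, and any failure maps to a 401 response as the page requires.

```python
"""Verify that an HTTPS request to a Chat app endpoint came from Google Chat.

Added example, not code from the original page or from Google. Sample claims
and headers used below are constructed for illustration.
"""
from __future__ import annotations

import time
from typing import Mapping

# Identity that Google Chat uses for the bearer token (named on the page).
CHAT_SERVICE_ACCOUNT = "chat@system.gserviceaccount.com"

# The two Authentication Audience settings named on the page.
AUDIENCE_HTTP_ENDPOINT_URL = "HTTP endpoint URL"
AUDIENCE_PROJECT_NUMBER = "Project Number"

# Assumption (not stated on the page): endpoint publishing the X.509
# certificates of the Chat service account, needed to check the signature of
# the self-signed project-number JWT.
CHAT_CERTS_URL = (
    "https://www.googleapis.com/service_accounts/v1/metadata/x509/"
    + CHAT_SERVICE_ACCOUNT
)


class VerificationError(Exception):
    """Raised when the request cannot be attributed to Google Chat."""


def extract_bearer_token(headers: Mapping[str, str]) -> str:
    """Return the token from an 'Authorization: Bearer <token>' header."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        raise VerificationError("missing Authorization header")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise VerificationError("Authorization header is not a bearer token")
    return token.strip()


def check_chat_claims(claims: Mapping[str, object], expected_audience: str,
                      audience_type: str, now: float | None = None) -> dict:
    """Chat-specific checks on claims whose signature has already been verified."""
    now = time.time() if now is None else now
    if claims.get("aud") != expected_audience:
        raise VerificationError("audience mismatch")
    if audience_type == AUDIENCE_HTTP_ENDPOINT_URL:
        # Google-signed OIDC ID token: the email claim names the Chat account.
        if claims.get("email") != CHAT_SERVICE_ACCOUNT:
            raise VerificationError("ID token email is not the Chat service account")
    elif audience_type == AUDIENCE_PROJECT_NUMBER:
        # Self-signed JWT: the issuer claim names the Chat account.
        if claims.get("iss") != CHAT_SERVICE_ACCOUNT:
            raise VerificationError("JWT issuer is not the Chat service account")
    else:
        raise ValueError(f"unknown audience type: {audience_type!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise VerificationError("token expired")
    return dict(claims)


def verify_chat_request(headers: Mapping[str, str], expected_audience: str,
                        audience_type: str) -> dict:
    """Verify the bearer token's signature and claims; return the claims."""
    if audience_type not in (AUDIENCE_HTTP_ENDPOINT_URL, AUDIENCE_PROJECT_NUMBER):
        raise ValueError(f"unknown audience type: {audience_type!r}")
    token = extract_bearer_token(headers)
    # google-auth is imported here so that the pure claim checks above can be
    # exercised without the library or network access.
    from google.auth.transport import requests as google_requests
    from google.oauth2 import id_token

    request = google_requests.Request()
    try:
        if audience_type == AUDIENCE_HTTP_ENDPOINT_URL:
            claims = id_token.verify_oauth2_token(token, request, audience=expected_audience)
        else:
            claims = id_token.verify_token(token, request, audience=expected_audience,
                                           certs_url=CHAT_CERTS_URL)
    except ValueError as exc:  # google-auth reports bad signatures/claims as ValueError
        raise VerificationError(str(exc)) from exc
    return check_chat_claims(claims, expected_audience, audience_type)


def status_for_request(headers: Mapping[str, str], expected_audience: str,
                       audience_type: str) -> int:
    """HTTP status the endpoint should return: 200 if verified, else 401."""
    try:
        verify_chat_request(headers, expected_audience, audience_type)
    except VerificationError:
        return 401
    return 200


if __name__ == "__main__":
    # Constructed claims, as a signature-verified ID token would yield them.
    sample = {"aud": "https://example.com/app/", "email": CHAT_SERVICE_ACCOUNT,
              "iss": "https://accounts.google.com", "exp": time.time() + 300}
    print(check_chat_claims(sample, "https://example.com/app/", AUDIENCE_HTTP_ENDPOINT_URL))
    print(status_for_request({}, "https://example.com/app/", AUDIENCE_HTTP_ENDPOINT_URL))
```

In a real handler, pass the request's headers and the audience you configured (the endpoint URL or the project number as a string) to status_for_request; a 401 is returned for a missing or malformed header, a bad signature, a wrong audience, an expired token, or a token that is not from the Chat service account.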
Related topics
- For an overview of authentication and authorization in Google Workspace, see Learn about authentication and authorization.
- For an overview of authentication and authorization in Chat, see Authentication overview.
- Set up authentication and authorization with user credentials or a service account.