Authorization

API calls to the zero-touch enrollment reseller API need authorization. Requiring authorization protects your organization's data. To authorize calls to the zero-touch enrollment API, you need to complete the following tasks:

  1. Create a service account to call the APIs.
  2. Store the JSON key file to authorize the API calls.
  3. Enable the API to make it available to the service account.
  4. Link the service account to make API calls on behalf of your organization.

Use the instructions below to help you complete the tasks.

Step 1: create a service account

A service account, sometimes called a robot account, is a Google Account representing applications instead of users. Your app calls APIs on behalf of the service account, so users aren't directly involved. Because your app is using Google APIs, use the Google API Console to set up access.

Create an API Console project

It's good practice to create a new API Console project and service account for your app. This makes managing access, managing resources, and fixing lost keys easier in the future. Start by following the steps below to create a new project in Google API Console:

  1. Go to the API Console.
  2. From the projects list, select Create a project.
  3. Enter a name that describes your app and zero-touch enrollment.
  4. Specify a project ID or accept the default.
  5. Click Create.

To find out more, read the Google Cloud Platform document Manage projects in the console.

Add new service credentials

To add new credentials and a service account to your project, follow the steps below in your API Console.

  1. Open the Service accounts page. If prompted, select a project.
  2. Click Create Service Account, enter a name and description for the service account. You can use the default service account ID, or choose a different, unique one. When done click Create.
  3. The Service account permissions (optional) section that follows is not required. Click Continue.
  4. On the Grant users access to this service account screen, scroll down to the Create key section. Click Create key.
  5. In the side panel that appears, select the format for your key: JSON is recommended.
  6. Click Create. Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of this key. For information on how to store it securely, see Managing service account keys.
  7. Click Close on the Private key saved to your computer dialog, then click Done to return to the table of your service accounts.

Copy the email address of the service account and keep it handy. You need it later when you link the service account to your organization.

Step 2: store the JSON key file

API Console generates a new private key pair used to authenticate API calls made using your service account. The private key is in the JSON key file you download.

You should keep the key private, so don't include it in your app's source code. If you lose the key file, you need to generate a new pair of keys.

Step 3: enable the API

Before your app can use the API, you need to enable it. Enabling an API associates it with the current API Console project and adds monitoring pages in your console.

To enable the API, follow the steps below in your API Console:

  1. Click APIs & Services > Library.
  2. Use the search field to find the Android Device Provisioning Partner API.
  3. Click Android Device Provisioning Partner API.
  4. Click Enable.

After a short delay, the API status changes to enabled. If you don't see Android Device Provisioning Partner API, check your organization's onboarded into zero-touch enrollment. Make sure you're using the same Google Account for zero-touch enrollment and Google API Console. Ask your Google Platform Solutions Consultant to check your Google Account has access to the API.

Linking the service account with your organization's zero-touch enrollment account authorizes the service account to make API calls on behalf of your organization. Follow the steps below to link your service account:

  1. Open the zero-touch enrollment portal. You might need to sign in.
  2. Click Service accounts.
  3. Click Link service account.
  4. Set Email address to the address of the service account you created.
  5. Click Link service account to use the service account with your zero-touch enrollment account.

If you can't find the email address of the service account you created, copy it from one of the following places:

  • The Service account email from Service accounts page in the Google API Console.
  • The client_email property field in the JSON key file.

Your service account can now make calls to the reseller API on behalf of your organization.

Try out the API

Test that your API access is working by following the steps in Get started.

Authorization scopes

Use the API authorization scope https://www.googleapis.com/auth/androidworkprovisioning in your app to request an OAuth 2.0 access token.

A scope parameter controls the set of resources and operations that an access token permits calls to. Access tokens are valid only for the set of operations and resources described in the scope of the token request. The API covers all the methods and resources with the single zero-touch enrollment scope shown above.

For an example of the zero-touch enrollment scope used with the Google API client library, see Get started. To learn more about using Google API scopes, read Using OAuth 2.0 to Access Google APIs.