# Client Secrets

The Google APIs Client Library for Python uses the `client_secrets.json` file format for storing the `client_id`, `client_secret`, and other OAuth 2.0 parameters.

See [Creating authorization credentials](https://developers.google.com/identity/protocols/OAuth2WebServer#creatingcred) for how to obtain a `client_secrets.json` file.

The `client_secrets.json` file format is a [JSON](http://www.json.org/) formatted file containing the client ID, client secret, and other OAuth 2.0 parameters. Here is an example `client_secrets.json` file for a web application:

```json
{
  "web": {
    "client_id": "asdfjasdljfasdkjf",
    "client_secret": "1912308409123890",
    "redirect_uris": ["https://www.example.com/oauth2callback"],
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://accounts.google.com/o/oauth2/token"
  }
}
```

Here is an example `client_secrets.json` file for an installed application:

```json
{
  "installed": {
    "client_id": "837647042410-75ifg...usercontent.com",
    "client_secret": "asdlkfjaskd",
    "redirect_uris": ["http://localhost", "urn:ietf:wg:oauth:2.0:oob"],
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://accounts.google.com/o/oauth2/token"
  }
}
```

The format defines one of two client ID types:

- `web`: Web application.
- `installed`: Installed application.

The `web` and `installed` sub-objects have the following mandatory members:

- `client_id` (string): The client ID.
- `client_secret` (string): The client secret.
- `redirect_uris` (list of strings): A list of valid redirection endpoint URIs. This list should match the list entered for the client ID on the [API Access pane](https://code.google.com/apis/console#:access) of the Google APIs Console.
- `auth_uri` (string): The authorization server endpoint URI.
- `token_uri` (string): The token server endpoint URI.

All of the above members are mandatory. The following optional parameters may appear:

- `client_email` (string): The service account email associated with the client.
- `auth_provider_x509_cert_url` (string): The URL of the public X.509 certificate, used to verify the signature on JWTs, such as ID tokens, signed by the authentication provider.
- `client_x509_cert_url` (string): The URL of the public X.509 certificate, used to verify JWTs signed by the client.
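
The member rules above, expressed as a check to run before handing a file to the library. This is an added example, not code from the original page or from the Google client library; the name `validate_client_secrets`, the sample documents, and the https checks are assumptions of this example rather than rules of the format.

```python
import json
from urllib.parse import urlparse

CLIENT_TYPES = ("web", "installed")
REQUIRED = {"client_id": str, "client_secret": str, "redirect_uris": list,
            "auth_uri": str, "token_uri": str}


def validate_client_secrets(doc):
    """Return (client_type, problems); an empty list means the document passed."""
    if not isinstance(doc, dict):
        return None, ["top level must be a JSON object"]
    present = [t for t in CLIENT_TYPES if t in doc]
    if len(present) != 1:
        return None, ["expected exactly one of 'web' or 'installed', found %r" % present]
    ctype, info = present[0], doc[present[0]]
    if not isinstance(info, dict):
        return ctype, ["'%s' must be a JSON object" % ctype]
    problems = []
    for name, kind in REQUIRED.items():
        if name not in info:
            problems.append("missing mandatory member '%s'" % name)
        elif not isinstance(info[name], kind) or not info[name]:
            problems.append("'%s' must be a non-empty %s" % (name, kind.__name__))
    # Assumed hardening policy of this example, not a rule of the format: require TLS.
    for name in ("auth_uri", "token_uri"):
        if isinstance(info.get(name), str) and urlparse(info[name]).scheme != "https":
            problems.append("'%s' is not an https URL" % name)
    uris = info.get("redirect_uris")
    for uri in uris if isinstance(uris, list) else []:
        if not isinstance(uri, str):
            problems.append("redirect_uris entries must be strings")
        elif ctype == "web" and urlparse(uri).scheme != "https":
            problems.append("web redirect URI is not https: %s" % uri)
    return ctype, problems


# Constructed sample documents; the values are placeholders, not real credentials.
GOOD = json.loads("""{"installed": {"client_id": "example-id", "client_secret": "example-secret",
  "redirect_uris": ["http://localhost", "urn:ietf:wg:oauth:2.0:oob"],
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token"}}""")
BAD = json.loads("""{"web": {"client_id": "example-id",
  "redirect_uris": ["http://www.example.com/oauth2callback"],
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "http://accounts.google.com/o/oauth2/token"}}""")

if __name__ == "__main__":
    print(validate_client_secrets(GOOD), validate_client_secrets(BAD))
```

The problem messages name members only and never echo `client_secret`, so the output is safe to write to build or deployment logs.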

The following examples show how to use a `client_secrets.json` file to create a `Flow` object in either an installed application or a web application:

### Installed App

```python
from google_auth_oauthlib.flow import InstalledAppFlow

# Build the flow from the downloaded client secrets file and the scopes to request.
flow = InstalledAppFlow.from_client_secrets_file(
    'path_to_directory/client_secret.json',
    scopes=['https://www.googleapis.com/auth/calendar'])
```

### Web Server App

```python
import google.oauth2.credentials
import google_auth_oauthlib.flow

# Build the flow from the downloaded client secrets file and the scopes to request.
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
    'path_to_directory/client_secret.json',
    scopes=['https://www.googleapis.com/auth/calendar'])

# Redirection endpoint for this flow; it should be one of the redirect_uris listed for the client ID.
flow.redirect_uri = 'https://www.example.com/oauth2callback'
```

## Motivation

Traditionally, providers of OAuth endpoints have relied on cut-and-paste as the way users of their service move the client ID and secret from a registration page into working code. That can be error prone, and it gives an incomplete picture of the information needed to get OAuth 2.0 working, which requires knowing all the endpoints and configuring a redirect endpoint. If service providers start providing a downloadable `client_secrets.json` file for client information and client libraries start consuming `client_secrets.json`, then a large amount of friction in implementing OAuth 2.0 can be reduced.