What is the difference between API Keys, OAuth Credentials and Service Accounts (in GCP)? This post will shed some light. While GCP specific, this also applies in general.

The credentials required depend on the type of data, platform, and access methodology of your app. There are three credential types available:

  • API key – Use this credential to access publicly-available data anonymously in your app.
  • OAuth client ID – Use this credential to authenticate as an end user and access their data. Requires your app to request and receive consent from the user.
  • Service account – Use this credential to authenticate as a robot service account or to access resources on behalf of Google Workspace or Cloud Identity users through domain-wide delegation.

API Keys - For Anonymous, Public Access to APIs

An API key is a long string containing upper and lower case letters, numbers, underscores, and hyphens, such as AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe. This authentication method is used to anonymously access publicly-available data, such as Google Workspace files shared using the "Anyone on the Internet with this link" sharing setting.

OAuth Client ID - For end users to authenticate against APIs - WITHOUT using username/passwords

To authenticate as an end user and access user data in your app, you need to create one or more OAuth 2.0 Client IDs.

A client ID is used to identify a single app to Google's OAuth servers. If your app runs on multiple platforms, you must create a separate client ID for each platform.

See Client Credentials Flow in OAuth

Service Accounts - For applications to authenticate without human intervention

Identity and authentication can be slightly confusing, given the many options. This post attempts to clarify some common use cases.
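As an added illustration (not code from the original post), the helper below tells the three credential types apart when one turns up in a repository or config file, and reports which identity it carries. The `AIza` prefix and the JSON field names are assumptions about the formats Google commonly issues, not something this page states; `classify_credential` is a hypothetical name and every sample except the page's API key string is constructed.

```python
import json
import re

# Assumption: API keys look like "AIza" + 35 characters from the set this page
# describes (letters, digits, underscores, hyphens); the page's sample fits.
API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

def classify_credential(text):
    """Classify one credential string or JSON file body (hypothetical helper)."""
    text = text.strip()
    if API_KEY_RE.fullmatch(text):
        return {"kind": "api_key", "identity": None, "acts_as": "anonymous caller"}
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        # Service account key file: holds a private key, needs no human present.
        if doc.get("type") == "service_account" and "private_key" in doc:
            return {"kind": "service_account", "identity": doc.get("client_email"),
                    "acts_as": "robot service account"}
        # OAuth client file: one client ID per platform, nested under its type.
        for platform in ("installed", "web"):
            client = doc.get(platform)
            if isinstance(client, dict) and "client_id" in client:
                return {"kind": "oauth_client_id", "identity": client["client_id"],
                        "acts_as": "end user, after consent (%s app)" % platform}
    return {"kind": "unknown", "identity": None, "acts_as": None}

# Constructed samples; only the API key string comes from the page.
SAMPLES = {
    "api_key": "AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe",
    "service_account": json.dumps({
        "type": "service_account",
        "client_email": "robot@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    }),
    "oauth_client_id": json.dumps({"installed": {
        "client_id": "1234567890-example.apps.googleusercontent.com",
        "client_secret": "PLACEHOLDER",
    }}),
    "unknown": "not-a-credential",
}

if __name__ == "__main__":
    for expected, raw in SAMPLES.items():
        result = classify_credential(raw)
        print(expected, "->", result["kind"], result["identity"], result["acts_as"])
```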