Google Auth
raw JSON → 2.49.1 verified Tue May 12 auth: no python install: verified quickstart: stale
google-auth is the official Google Authentication Library for Python, providing Application Default Credentials (ADC), service account credentials, OAuth2 tokens, JWT signing/verification, ID token support, Workload Identity Federation, and transport integrations for Requests, urllib3, aiohttp, and gRPC. Current stable version is 2.49.1, released as part of the google-cloud-python monorepo with a roughly monthly cadence.
pip install google-auth Common errors
error ModuleNotFoundError: No module named 'google.auth' ↓
cause The `google-auth` library or one of its dependent packages (e.g., `google-auth-oauthlib`, `google-api-python-client`) is not installed, or the Python environment where the code is being run does not have access to the installed library.
fix
Ensure the necessary packages are installed using pip:
pip install google-auth google-auth-oauthlib google-api-python-client. error google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. ↓
cause The Application Default Credentials (ADC) mechanism failed to find valid credentials. This typically happens when running outside a Google Cloud environment (like Compute Engine, App Engine) without explicitly providing credentials.
fix
Set the
GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your service account key JSON file, or run gcloud auth application-default login to set up user credentials for local development. error google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested. ↓
cause This error, often accompanied by 'invalid_grant', means the refresh token used to get a new access token is invalid, expired, or revoked. A common cause is an OAuth consent screen configured with a 'Testing' publishing status, which causes refresh tokens to expire after 7 days.
fix
Change your OAuth consent screen's publishing status to 'In production' in the Google Cloud Console. If for personal or development use, re-authenticate to obtain a new, long-lived refresh token and ensure the client ID, secret, and requested scopes are correct.
error AttributeError: module 'google.auth.transport' has no attribute 'requests' ↓
cause The `requests` module within the `google.auth.transport` package is being imported incorrectly. `google.auth.transport` is a package, not a module containing the `requests` HTTP client directly.
fix
Correct the import statement to
from google.auth.transport import requests to access the HTTP client within the transport layer. Warnings
breaking cryptography is now a required (non-optional) dependency as of 2.48.0. The pure-Python rsa package was the previous fallback and has been fully removed in the 2.49.0-dev0 line. Environments that pin rsa or exclude cryptography will break on upgrade. ↓
fix Ensure cryptography is installed (it is now pulled in automatically). Remove any explicit rsa dependency pins. Do not install the legacy [rsa] extra expecting it to substitute for cryptography.
breaking cachetools is no longer a dependency as of 2.47.0. Code that imported or type-annotated against cachetools classes for credential caching will break. ↓
fix Remove direct cachetools imports from google-auth credential caching logic. The library now uses its own lightweight internal cache.
breaking The pyopenssl and enterprise_cert extras must never be installed together; they require conflicting versions of the cryptography package and will cause runtime errors. ↓
fix Choose one: pip install google-auth[pyopenssl] OR pip install google-auth[enterprise-cert], never both in the same environment.
gotcha google.auth.default() returns a (credentials, project_id) tuple. project_id is None for user credentials (gcloud ADC) and may be None for some external account credentials. Silently passing None as a project to GCP client constructors causes subtle 400/403 errors. ↓
fix Always check: assert project is not None, or override with GOOGLE_CLOUD_PROJECT env var, or pass project explicitly to the client.
gotcha Service account credentials returned by google.auth.default() via ADC are not automatically scoped. Calling google.auth.default() without passing scopes= yields credentials that may silently fail when making API calls requiring specific OAuth scopes. ↓
fix Always pass scopes=['https://www.googleapis.com/auth/cloud-platform'] (or specific scopes) to google.auth.default(). Alternatively call credentials.with_scopes([...]) on the returned object.
deprecated oauth2client (GoogleCredentials.get_application_default()) is fully deprecated and unmaintained. It is not compatible with modern ADC features such as Workload Identity Federation and external account credentials. ↓
fix Migrate to google-auth: replace oauth2client imports with google.auth.default() or google.oauth2.service_account.Credentials.
gotcha Python 3.7 support was dropped after 2.45.0, and Python 3.8/3.9 are end-of-life and will be dropped in a future release. Pinning google-auth on old Python runtimes may leave you unable to receive security fixes. ↓
fix Upgrade to Python 3.10+. If stuck on Python 3.7, pin google-auth<=2.45.0.
gotcha Application Default Credentials (ADC) were not found. This typically means the environment variable GOOGLE_APPLICATION_CREDENTIALS is not set, `gcloud auth application-default login` has not been run, or the application is not running on a Google Cloud service with an attached service account. ↓
fix Ensure ADC are configured: set GOOGLE_APPLICATION_CREDENTIALS, run `gcloud auth application-default login`, or ensure the application runs on a Google Cloud service with an attached service account.
gotcha The library could not find Application Default Credentials (ADC). This means the environment is not configured to provide credentials automatically (e.g., GOOGLE_APPLICATION_CREDENTIALS env var is missing, gcloud auth application-default login has not been run, or it's not running on a Google Cloud platform with a service account attached). ↓
fix Ensure ADC is configured correctly. Set GOOGLE_APPLICATION_CREDENTIALS to a service account key file, or run gcloud auth application-default login, or ensure the environment (e.g., GCE, Cloud Run, Cloud Functions) has an appropriate service account attached.
Install
pip install google-auth[requests] pip install google-auth[aiohttp] Install compatibility verified last tested: 2026-05-12
python os / libc variant status wheel install import disk
3.10 alpine (musl) google-auth - - 0.06s 37.9M
3.10 alpine (musl) aiohttp - - 0.06s 49.8M
3.10 alpine (musl) requests - - 0.06s 41.2M
3.10 slim (glibc) google-auth - - 0.04s 38M
3.10 slim (glibc) aiohttp - - 0.04s 52M
3.10 slim (glibc) requests - - 0.04s 42M
3.11 alpine (musl) google-auth - - 0.11s 40.8M
3.11 alpine (musl) aiohttp - - 0.10s 54.2M
3.11 alpine (musl) requests - - 0.11s 44.4M
3.11 slim (glibc) google-auth - - 0.09s 41M
3.11 slim (glibc) aiohttp - - 0.09s 57M
3.11 slim (glibc) requests - - 0.09s 45M
3.12 alpine (musl) google-auth - - 0.09s 32.5M
3.12 alpine (musl) aiohttp - - 0.09s 45.8M
3.12 alpine (musl) requests - - 0.09s 36.0M
3.12 slim (glibc) google-auth - - 0.08s 33M
3.12 slim (glibc) aiohttp - - 0.09s 48M
3.12 slim (glibc) requests - - 0.08s 36M
3.13 alpine (musl) google-auth - - 0.07s 32.1M
3.13 alpine (musl) aiohttp - - 0.07s 45.0M
3.13 alpine (musl) requests - - 0.08s 35.7M
3.13 slim (glibc) google-auth - - 0.08s 33M
3.13 slim (glibc) aiohttp - - 0.07s 47M
3.13 slim (glibc) requests - - 0.08s 36M
3.9 alpine (musl) google-auth - - 0.06s 38.1M
3.9 alpine (musl) aiohttp - - 0.06s 50.4M
3.9 alpine (musl) requests - - 0.06s 41.3M
3.9 slim (glibc) google-auth - - 0.05s 39M
3.9 slim (glibc) aiohttp - - 0.05s 53M
3.9 slim (glibc) requests - - 0.05s 42M
Imports
- google.auth.default wrong
from oauth2client.client import GoogleCredentials credentials = GoogleCredentials.get_application_default()correctimport google.auth credentials, project = google.auth.default() - service_account.Credentials
from google.oauth2 import service_account creds = service_account.Credentials.from_service_account_file('key.json') - google.auth.transport.requests.Request
from google.auth.transport.requests import Request - google.oauth2.credentials.Credentials
from google.oauth2.credentials import Credentials - google.auth.impersonated_credentials.Credentials
from google.auth import impersonated_credentials - google.auth.exceptions.DefaultCredentialsError
from google.auth.exceptions import DefaultCredentialsError
Quickstart stale last tested: 2026-04-23
import os
import google.auth
from google.auth.transport.requests import Request
from google.oauth2 import service_account
from google.auth.exceptions import DefaultCredentialsError
# --- Option 1: Application Default Credentials (recommended for GCP-hosted workloads)
# Set GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json, or run:
# gcloud auth application-default login
os.environ.setdefault('GOOGLE_APPLICATION_CREDENTIALS', os.environ.get('GOOGLE_APPLICATION_CREDENTIALS', ''))
try:
credentials, project = google.auth.default(
scopes=['https://www.googleapis.com/auth/cloud-platform']
)
# Force a token refresh so we can verify auth works
credentials.refresh(Request())
print(f'ADC OK — project={project}, token expiry={credentials.expiry}')
except DefaultCredentialsError as e:
print(f'No credentials found: {e}')
# --- Option 2: Explicit service account key file
key_path = os.environ.get('GOOGLE_APPLICATION_CREDENTIALS', '')
if key_path:
sa_creds = service_account.Credentials.from_service_account_file(
key_path,
scopes=['https://www.googleapis.com/auth/cloud-platform'],
)
sa_creds.refresh(Request())
print(f'SA token expiry: {sa_creds.expiry}')