gcloud-identity-token 0.2.0

A secure OAuth token client for Google Cloud
Documentation

gcloud-identity-token

A Rust crate for seamless, secure Google Cloud OAuth authentication.

This library handles the OAuth2 authorization code flow (with browser-based login) to obtain:

  • Access tokens (for calling Google APIs)
  • ID tokens (for verifying user identity)
  • Refresh tokens (to renew tokens silently)

It securely caches credentials using the OS-native keyring or a file-based fallback — making it ideal for long-lived CLI tools, automation, and server integrations.

Features

  • Secure credential caching
    • Defaults to OS keyring (keyring crate)
    • Optional file-based cache via GCLOUD_IDENTITY_TOKEN_PATH
  • Smart refresh logic
    • Automatically reuses tokens until they expire
    • Refreshes silently using stored refresh token
  • Headless & browser login support
    • Opens browser for login when possible
    • Falls back to manual URL copy if needed
  • Email-based keyring separation
    • Keyring entries are scoped to your Google email (from ID token)

Usage

Obtain application-default credentials (Required)

gcloud auth application-default login

Add to your Cargo.toml:

[dependencies]
gcloud-identity-token = "0.1"

Example

use anyhow::Result;
use gcloud_identity_token::auth::get_token;
use gcloud_identity_token::config::load_creds;

#[tokio::main]
async fn main() -> Result<()> {
    let creds = load_creds()?;
    let token = get_token(&creds).await?;

    println!("Access token: {}", token.access_token);
    println!("ID token: {}", token.id_token);
    println!("Expires at:  {}", token.token_expiry);

    Ok(())
}