تنظيم صفحاتك في مجموعات
يمكنك حفظ المحتوى وتصنيفه حسب إعداداتك المفضّلة.
يتم ضبط Bearer Token في عنوان Authorization لكل طلب HTTP خاص بـ "الإجراءات داخل التطبيق". على سبيل المثال:
POST/approve?expenseId=abc123HTTP/1.1Host:your-domain.comAuthorization:Bearer AbCdEf123456Content-Type:application/x-www-form-urlencodedUser-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/1.0 (KHTML, like Gecko; Gmail Actions)confirmed=Approved
السلسلة "AbCdEf123456" في المثال أعلاه هي رمز تفويض حامل الأذونات.
هذا رمز مميز مشفّر من إنتاج Google.
تحتوي جميع رموز الدخول المميزة التي يتم إرسالها مع الإجراءات على الحقل azp (الجهة المفوَّضة) بالقيمة gmail@system.gserviceaccount.com، ويحدّد الحقل audience نطاق المرسِل كعنوان URL بالصيغة https://. على سبيل المثال، إذا كانت الرسالة الإلكترونية من noreply@example.com، تكون شريحة الجمهور هي https://example.com.
في حال استخدام رموز مميزة لحاملها، تأكَّد من أنّ الطلب وارد من Google ومخصّص لنطاق المرسِل. إذا لم يتم إثبات صحة الرمز المميّز، يجب أن تستجيب الخدمة للطلب برمز استجابة HTTP 401 (Unauthorized).
رموز الحامل المميزة هي جزء من معيار OAuth V2 وتستخدمها Google APIs على نطاق واسع.
التحقّق من صحة الرموز المميزة لحامل الإذن
ننصح الخدمات باستخدام مكتبة Google API Client مفتوحة المصدر للتحقّق من رموز Bearer المميزة:
importjava.io.IOException;importjava.security.GeneralSecurityException;importjava.util.Collections;importcom.google.api.client.googleapis.auth.oauth2.GoogleIdToken;importcom.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;importcom.google.api.client.http.apache.ApacheHttpTransport;importcom.google.api.client.json.jackson2.JacksonFactory;publicclassTokenVerifier{// Bearer Tokens from Gmail Actions will always be issued to this authorized party.privatestaticfinalStringGMAIL_AUTHORIZED_PARTY="gmail@system.gserviceaccount.com";// Intended audience of the token, based on the sender's domainprivatestaticfinalStringAUDIENCE="https://example.com";publicstaticvoidmain(String[]args)throwsGeneralSecurityException,IOException{// Get this value from the request's Authorization HTTP header.// For example, for "Authorization: Bearer AbCdEf123456" use "AbCdEf123456"StringbearerToken="AbCdEf123456";GoogleIdTokenVerifierverifier=newGoogleIdTokenVerifier.Builder(newApacheHttpTransport(),newJacksonFactory()).setAudience(Collections.singletonList(AUDIENCE)).build();GoogleIdTokenidToken=verifier.verify(bearerToken);if(idToken==null||!idToken.getPayload().getAuthorizedParty().equals(GMAIL_AUTHORIZED_PARTY)){System.out.println("Invalid token");System.exit(-1);}// Token originates from Google and is targeted to a specific client.System.out.println("The token is valid");System.out.println("Token details:");System.out.println(idToken.getPayload().toPrettyString());}}
Python
importsysfromoauth2clientimportclient# Bearer Tokens from Gmail Actions will always be issued to this authorized party.GMAIL_AUTHORIZED_PARTY='gmail@system.gserviceaccount.com'# Intended audience of the token, based on the sender's domainAUDIENCE='https://example.com'try:# Get this value from the request's Authorization HTTP header.# For example, for "Authorization: Bearer AbCdEf123456" use "AbCdEf123456"bearer_token='AbCdEf123456'# Verify valid token, signed by google.com, intended for a third party.token=client.verify_id_token(bearer_token,AUDIENCE)print('Token details: %s'%token)iftoken['azp']!=GMAIL_AUTHORIZED_PARTY:sys.exit('Invalid authorized party')except:sys.exit('Invalid token')# Token originates from Google and is targeted to a specific client.print('The token is valid')
تاريخ التعديل الأخير: 2025-08-29 (حسب التوقيت العالمي المتفَّق عليه)
[null,null,["تاريخ التعديل الأخير: 2025-08-29 (حسب التوقيت العالمي المتفَّق عليه)"],[],[],null,["# Verify Bearer Tokens\n\n| **Note:** Bearer tokens in authorization headers are not sent by default. If you require a bearer token token to be sent, request it when [registering with Google](/workspace/gmail/markup/registering-with-google).\n\nA `Bearer Token` is set in the `Authorization` header of every In-App Action HTTP Request. For example: \n\n POST /approve?expenseId=abc123 HTTP/1.1\n Host: your-domain.com\n Authorization: Bearer AbCdEf123456\n Content-Type: application/x-www-form-urlencoded\n User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/1.0 (KHTML, like Gecko; Gmail Actions)\n\n confirmed=Approved\n\nThe string \"AbCdEf123456\" in the example above is the bearer authorization token.\nThis is a cryptographic token produced by Google.\nAll bearer tokens sent with actions have the `azp` (authorized party) field as\n`gmail@system.gserviceaccount.com`, with the `audience` field specifying the sender domain as a URL of the form\n`https://`. For example, if the email is from `noreply@example.com`, the\naudience is `https://example.com`.\n\nIf using bearer tokens, verify that the request is coming from Google\nand is intended for the the sender domain. If the token doesn't verify, the service should\nrespond to the request with an HTTP response code `401 (Unauthorized)`.\n\nBearer Tokens are part of the OAuth V2 standard and widely adopted by Google APIs.\n\nVerifying Bearer Tokens\n-----------------------\n\nServices are encouraged to use the open source Google API Client library to verify Bearer tokens:\n\n- **Java** : \u003chttps://github.com/google/google-api-java-client\u003e\n- **Python** : \u003chttps://github.com/google/google-api-python-client\u003e\n- **.NET** : \u003chttps://github.com/google/google-api-dotnet-client\u003e\n\n### Java\n\n import java.io.IOException;\n import java.security.GeneralSecurityException;\n import java.util.Collections;\n\n import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;\n import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;\n import com.google.api.client.http.apache.ApacheHttpTransport;\n import com.google.api.client.json.jackson2.JacksonFactory;\n\n public class TokenVerifier {\n // Bearer Tokens from Gmail Actions will always be issued to this authorized party.\n private static final String GMAIL_AUTHORIZED_PARTY = \"gmail@system.gserviceaccount.com\";\n\n // Intended audience of the token, based on the sender's domain\n private static final String AUDIENCE = \"https://example.com\";\n\n public static void main(String[] args) throws GeneralSecurityException, IOException {\n // Get this value from the request's Authorization HTTP header.\n // For example, for \"Authorization: Bearer AbCdEf123456\" use \"AbCdEf123456\"\n String bearerToken = \"AbCdEf123456\";\n\n GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(new ApacheHttpTransport(), new JacksonFactory())\n .setAudience(Collections.singletonList(AUDIENCE))\n .build();\n\n GoogleIdToken idToken = verifier.verify(bearerToken);\n if (idToken == null || !idToken.getPayload().getAuthorizedParty().equals(GMAIL_AUTHORIZED_PARTY)) {\n System.out.println(\"Invalid token\");\n System.exit(-1);\n }\n\n // Token originates from Google and is targeted to a specific client.\n System.out.println(\"The token is valid\");\n\n System.out.println(\"Token details:\");\n System.out.println(idToken.getPayload().toPrettyString());\n }\n }\n\n### Python\n\n import sys\n\n from oauth2client import client\n\n # Bearer Tokens from Gmail Actions will always be issued to this authorized party.\n GMAIL_AUTHORIZED_PARTY = 'gmail@system.gserviceaccount.com'\n\n # Intended audience of the token, based on the sender's domain\n AUDIENCE = 'https://example.com'\n\n try:\n # Get this value from the request's Authorization HTTP header.\n # For example, for \"Authorization: Bearer AbCdEf123456\" use \"AbCdEf123456\"\n bearer_token = 'AbCdEf123456'\n\n # Verify valid token, signed by google.com, intended for a third party.\n token = client.verify_id_token(bearer_token, AUDIENCE)\n print('Token details: %s' % token)\n\n if token['azp'] != GMAIL_AUTHORIZED_PARTY:\n sys.exit('Invalid authorized party')\n except:\n sys.exit('Invalid token')\n\n # Token originates from Google and is targeted to a specific client.\n print('The token is valid')"]]
