Note: Bearer tokens in authorization headers are not sent by default. If you require a bearer token to be sent, request it when registering with Google (/workspace/gmail/markup/registering-with-google).

A `Bearer Token` is set in the `Authorization` header of every In-App Action HTTP request. For example:
```http
POST /approve?expenseId=abc123 HTTP/1.1
Host: your-domain.com
Authorization: Bearer AbCdEf123456
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/1.0 (KHTML, like Gecko; Gmail Actions)

confirmed=Approved
```
The string "AbCdEf123456" in the example above is the bearer authorization token. It is a cryptographic token produced by Google.

All bearer tokens sent with actions have the `azp` (authorized party) field set to `gmail@system.gserviceaccount.com`, and the `audience` field specifies the sender domain as a URL of the form `https://` followed by that domain. For example, if the email is from `noreply@example.com`, the audience is `https://example.com`.

If you use bearer tokens, verify that the request is coming from Google and is intended for the sender domain. If the token does not verify, the service should respond to the request with HTTP response code `401 (Unauthorized)`.

Bearer tokens are part of the OAuth 2.0 standard and are widely adopted by Google APIs.
Verifying Bearer Tokens

Services are encouraged to use the open source Google API Client library to verify Bearer tokens:

- Java: https://github.com/google/google-api-java-client
- Python: https://github.com/google/google-api-python-client
- .NET: https://github.com/google/google-api-dotnet-client
Java

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.apache.ApacheHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;

public class TokenVerifier {
  // Bearer Tokens from Gmail Actions will always be issued to this authorized party.
  private static final String GMAIL_AUTHORIZED_PARTY = "gmail@system.gserviceaccount.com";

  // Intended audience of the token, based on the sender's domain
  private static final String AUDIENCE = "https://example.com";

  public static void main(String[] args) throws GeneralSecurityException, IOException {
    // Get this value from the request's Authorization HTTP header.
    // For example, for "Authorization: Bearer AbCdEf123456" use "AbCdEf123456"
    String bearerToken = "AbCdEf123456";

    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(new ApacheHttpTransport(), new JacksonFactory())
        .setAudience(Collections.singletonList(AUDIENCE))
        .build();

    GoogleIdToken idToken = verifier.verify(bearerToken);
    if (idToken == null || !idToken.getPayload().getAuthorizedParty().equals(GMAIL_AUTHORIZED_PARTY)) {
      System.out.println("Invalid token");
      System.exit(-1);
    }

    // Token originates from Google and is targeted to a specific client.
    System.out.println("The token is valid");

    System.out.println("Token details:");
    System.out.println(idToken.getPayload().toPrettyString());
  }
}
```
Python
```python
import sys

from oauth2client import client

# Bearer Tokens from Gmail Actions will always be issued to this authorized party.
GMAIL_AUTHORIZED_PARTY = 'gmail@system.gserviceaccount.com'

# Intended audience of the token, based on the sender's domain
AUDIENCE = 'https://example.com'

try:
    # Get this value from the request's Authorization HTTP header.
    # For example, for "Authorization: Bearer AbCdEf123456" use "AbCdEf123456"
    bearer_token = 'AbCdEf123456'

    # Verify valid token, signed by google.com, intended for a third party.
    token = client.verify_id_token(bearer_token, AUDIENCE)
    print('Token details: %s' % token)

    if token['azp'] != GMAIL_AUTHORIZED_PARTY:
        sys.exit('Invalid authorized party')
except Exception:
    # A bare `except:` would also swallow the SystemExit raised just above and
    # report it as "Invalid token"; catching Exception keeps that message intact.
    sys.exit('Invalid token')

# Token originates from Google and is targeted to a specific client.
print('The token is valid')
```
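As an added example (not the page's own code, and not part of the Google client libraries), here is a request handler that applies the checks the page describes end to end: it pulls the token out of the `Authorization` header, derives the expected audience from the sender address (`noreply@example.com` maps to `https://example.com`), checks `aud` and `azp`, and answers `401` on every failure path. Signature verification is injected as the `verify_signature` callable; in production pass the library verifier shown on the page (or, since `oauth2client` is deprecated, google-auth's `google.oauth2.id_token.verify_oauth2_token`). It also checks the standard JWT `exp` claim, which the page does not mention. The `demo_*` names, `DEMO_PAYLOADS`, `DEMO_NOW` and the token strings are constructed for the offline demo and are not real tokens.

```python
import time

# Value the page specifies for the azp (authorized party) claim of Gmail Action tokens.
GMAIL_AUTHORIZED_PARTY = "gmail@system.gserviceaccount.com"


def get_header(headers, name):
    """Case-insensitive lookup in a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def extract_bearer_token(authorization_header):
    """Return the token from 'Authorization: Bearer <token>', or None when the
    header is missing, uses another scheme, or carries no token."""
    if not authorization_header:
        return None
    parts = authorization_header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None


def sender_audience(from_address):
    """Expected aud claim: 'https://' followed by the sender's domain."""
    local_part, at, domain = from_address.rpartition("@")
    if not at or not local_part or not domain:
        raise ValueError("malformed sender address")
    return "https://" + domain.lower()


def check_claims(payload, expected_audience, now=None):
    """Apply the page's claim checks (aud, azp) plus the standard exp check to a
    payload whose signature has already been verified.
    Returns None when the token is acceptable, otherwise a reason string."""
    now = time.time() if now is None else now
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # JWT allows a list
    if expected_audience not in audiences:
        return "audience mismatch"
    if payload.get("azp") != GMAIL_AUTHORIZED_PARTY:
        return "unexpected authorized party"
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return "token expired"
    return None


def handle_action_request(headers, sender_address, verify_signature, now=None):
    """Handle one In-App Action request and return (status_code, message).

    verify_signature(token) must return the token payload after checking the
    signature, or raise on failure (in production: the Google client verifier).
    Every failure answers 401, as the page requires."""
    token = extract_bearer_token(get_header(headers, "Authorization"))
    if token is None:
        return 401, "missing or malformed bearer token"
    try:
        payload = verify_signature(token)
    except Exception:
        return 401, "invalid token"
    reason = check_claims(payload, sender_audience(sender_address), now)
    if reason is not None:
        return 401, reason
    return 200, "action accepted"


# Constructed demo data (not real tokens): a stand-in for the library's signature
# check, mapping token strings to the payloads a real verifier would return after
# validating the signature against Google's published certificates.
DEMO_NOW = 1_700_000_000
DEMO_PAYLOADS = {
    "AbCdEf123456": {"aud": "https://example.com", "azp": GMAIL_AUTHORIZED_PARTY, "exp": DEMO_NOW + 600},
    "OtherParty": {"aud": "https://example.com", "azp": "other-party@example.org", "exp": DEMO_NOW + 600},
    "Expired": {"aud": "https://example.com", "azp": GMAIL_AUTHORIZED_PARTY, "exp": DEMO_NOW - 1},
}


def demo_verify_signature(token):
    """Demo-only replacement for the library's signature verification."""
    if token not in DEMO_PAYLOADS:
        raise ValueError("signature verification failed")
    return DEMO_PAYLOADS[token]


def demo():
    """Run the handler over constructed requests; returns the status codes."""
    cases = [
        ("Bearer AbCdEf123456", "noreply@example.com"),    # valid
        ("Bearer AbCdEf123456", "noreply@other.example"),  # aud names a different domain
        ("Bearer OtherParty", "noreply@example.com"),      # wrong azp
        ("Bearer Expired", "noreply@example.com"),         # expired
        ("Basic AbCdEf123456", "noreply@example.com"),     # wrong auth scheme
        ("Bearer NotIssued", "noreply@example.com"),       # signature check fails
    ]
    return [handle_action_request({"authorization": hdr}, sender, demo_verify_signature, DEMO_NOW)[0]
            for hdr, sender in cases]


if __name__ == "__main__":
    print(demo())  # [200, 401, 401, 401, 401, 401]
```

Keeping the claim policy (`check_claims`) separate from the signature check lets you unit-test the audience and authorized-party rules without network access to Google's certificates, and makes it obvious that a 401 is returned for every way a token can fail, not only for a bad signature.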
Last updated: 2025-08-29 (UTC)