Best Practices for Privacy and Security
Stay organized with collections
Save and categorize content based on your preferences.
Here are some security and privacy guidelines for developers using the Google
Assistant API in their projects.
API and application authorization
Any application that uses the Google Assistant API must have authorization
credentials that identify the application to Google's authentication server.
Typically, these credentials are stored in a downloaded client_secret_<client-id>.json
file. Make sure to store this file in a location that only your application
can access.
Your application may prompt the user to grant it access to their Google account.
If granted, your application can request an access token for that user. These
tokens expire, but can be refreshed.
Unprotected refresh tokens on a device pose a significant security risk. Make
sure your application:
- Stores the refresh tokens in a secure place.
- Provides an easy way to clear tokens from the device. For example, provide a
"Sign out" button that clears a token (if the application has a UI) or a
command line script that the user can execute.
- Informs users that they can deauthorize access
to their Google account. This revokes the refresh token; to use the
application again, the user would need to re-authorize access.
When you are done using the device permanently, you should clear all of the
tokens from it.
For more information, see Using OAuth 2.0 to Access Google APIs.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-09-18 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-09-18 UTC."],[[["Applications using the Google Assistant API require authorization credentials, typically stored in a `client_secret_\u003cclient-id\u003e.json` file, which should be kept secure."],["User granted access allows applications to request access tokens that expire but can be refreshed; however, unprotected refresh tokens pose a security risk and should be stored securely with options for users to clear them."],["Developers should inform users about the ability to deauthorize access to their Google account through Google's permissions page, which revokes the refresh token and requires re-authorization for further application use."]]],[]]
