TypeScript icon, indicating that this package has built-in type declarations

1.1.2 • Public • Published
Google Cloud Platform logo


npm version Known Vulnerabilities codecov Code Style: Google

Node.js Google Authentication Service Account Tokens

This is a low level utility library used to interact with Google Authentication services. In most cases, you probably want to use the google-auth-library instead.


npm install gtoken


Use with a .pem or .p12 key file:

const { GoogleToken } = require('gtoken');
const gtoken = new GoogleToken({
  keyFile: 'path/to/key.pem', // or path to .p12 key file
  email: '',
  scope: ['https://scope1', 'https://scope2'] // or space-delimited string of scopes
gtoken.getToken((err, tokens) => {
  if (err) {
  // {
  //   access_token: 'very-secret-token',
  //   expires_in: 3600,
  //   token_type: 'Bearer'
  // }

You can also use the async/await style API:

const tokens = await gtoken.getToken()

Or use promises:

  .then(tokens => {

Use with a service account .json key file:

const { GoogleToken } = require('gtoken');
const gtoken = new GoogleToken({
  keyFile: 'path/to/key.json',
  scope: ['https://scope1', 'https://scope2'] // or space-delimited string of scopes
gtoken.getToken((err, tokens) => {
  if (err) {

Pass the private key as a string directly:

const key = '-----BEGIN RSA PRIVATE KEY-----\nXXXXXXXXXXX...';
const { GoogleToken } = require('gtoken');
const gtoken = new GoogleToken({
  email: '',
  scope: ['https://scope1', 'https://scope2'], // or space-delimited string of scopes
  key: key


Various options that can be set when creating initializing the gtoken object.

  • or options.iss: The service account email address.
  • options.scope: An array of scope strings or space-delimited string of scopes.
  • options.sub: The email address of the user requesting delegated access.
  • options.keyFile: The filename of .json key, .pem key or .p12 key.
  • options.key: The raw RSA private key value, in place of using options.keyFile.


Returns the cached tokens or requests a new one and returns it.

gtoken.getToken((err, token) => {
  console.log(err || token);
  // gtoken.rawToken value is also set


Given a keyfile, returns the key and (if available) the client email.

const creds = await gtoken.getCredentials('path/to/key.json');


Various properties set on the gtoken object after call to .getToken().

  • gtoken.idToken: The OIDC token returned (if any).
  • gtoken.accessToken: The access token.
  • gtoken.expiresAt: The expiry date as milliseconds since 1970/01/01
  • gtoken.key: The raw key value.
  • gtoken.rawToken: Most recent raw token data received from Google.


Returns true if the token has expired, or token does not exist.

const tokens = await gtoken.getToken();
gtoken.hasExpired(); // false


Revoke the token if set.

await gtoken.revokeToken();
console.log('Token revoked!');

Downloading your private .p12 key from Google

  1. Open the Google Developer Console.
  2. Open your project and under "APIs & auth", click Credentials.
  3. Generate a new .p12 key and download it into your project.

Converting your .p12 key to a .pem key

You can just specify your .p12 file (with .p12 extension) as the keyFile and it will automatically be converted to a .pem on the fly, however this results in a slight performance hit. If you'd like to convert to a .pem for use later, use OpenSSL if you have it installed.

$ openssl pkcs12 -in key.p12 -nodes -nocerts > key.pem

Don't forget, the passphrase when converting these files is the string 'notasecret'



Package Sidebar


npm i gtoken-adventure

Weekly Downloads






Unpacked Size

32.2 kB

Total Files


Last publish


  • pankajr_03