
google api – validating Android's authToken on third party server

Posted by: admin, June 15, 2020


I’m writing an Android application which uses AccountManager to get the token. From an Android app I’m able to interact with Google Picasa – it works fine.

What I would like to achieve is the following: send some text + authToken to my third party server, then check if the token is correct before saving the text. Now the question is: is it possible to determine if the authToken of a particular token is correct based solely on the token itself (and maybe the email address)?

I’ve already programmed the server part, which accepts the token (sent from the Android application), then issues a request to a URL address:


What I get back is the following JSON:

  "error" : "invalid_token"

But the link here http://oauthssodemo.appspot.com/step/4 states that if a token is correct I should receive a different JSON response. Can you tell me what I’m doing wrong: I believe that the way to check a token’s validity really isn’t that simple, but I should rather implement the whole OpenID or something. Even if that is the case, how can I check whether the token sent by the Android app is correct, so I can save the ‘text’ part of the message?

Thank you.

How to & Answers:

Stop using AccountManager and start using Google Play service’s GoogleAuthUtil class, then it gets easy. See http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html


The solution is as follows. You can verify the token via this url:


But in my case I was trying to validate an “Authorization code” and not an “Access token”, as you can see here: https://code.google.com/oauthplayground/

If you’re using Android and OAuth don’t use


but rather use the following as service name:


So you should call getAuthToken as follows:

getAuthToken(account, "http://picasaweb.google.com/data/" , true, null, null);

Then you can validate the token received from this call on the URI posted above.


Read this:

After the web server receives the authorization code, it may exchange
the authorization code for an access token and a refresh token. This
request is an HTTPS POST, and includes the following parameters:


I came across the passport-google-token Passport strategy, which perfectly performs the task.


More details are present in the above link.


Based on information in this answer: What is the proper way to validate google granted OAuth tokens in a node.js server?,

you might try using id_token instead of access_token in the url to call Google’s tokeninfo endpoint.
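
The server-side decision discussed in the answers above, as an added example that is not part of the original posts: once the backend has the parsed JSON from the tokeninfo call, a response without an error is not enough, because the token must also have been issued to your own client and must belong to the account the app claims. The field names (`audience`/`aud`, `expires_in`/`exp`, `email`, `verified_email`/`email_verified`, `user_id`/`sub`) are assumed from Google's tokeninfo responses; the client ID and sample responses are constructed placeholders.

```javascript
// Added example: decide whether a parsed tokeninfo response is acceptable.
// Field names are assumptions about the tokeninfo response shape.
const EXPECTED_CLIENT_ID = "1234567890-example.apps.googleusercontent.com"; // placeholder

function checkTokenInfo(info, expectedClientId, claimedEmail, nowSeconds) {
  if (!info || typeof info !== "object") return { ok: false, reason: "no_response" };

  // Error body such as {"error": "invalid_token"} (the case in the question).
  if (info.error) return { ok: false, reason: String(info.error) };

  // The token must have been issued to *our* client. Without this check any
  // other app's valid Google token for the same user would be accepted.
  const audience = info.audience ?? info.aud;
  if (audience !== expectedClientId) return { ok: false, reason: "wrong_audience" };

  // Access-token responses carry a remaining lifetime, ID-token responses an
  // absolute expiry; a missing or unparsable value is treated as expired.
  let secondsLeft;
  if (info.expires_in !== undefined) secondsLeft = Number(info.expires_in);
  else if (info.exp !== undefined) secondsLeft = Number(info.exp) - nowSeconds;
  if (!Number.isFinite(secondsLeft) || secondsLeft <= 0) return { ok: false, reason: "expired" };

  // Trust the email reported for the token, not the one sent by the app:
  // the two must match and Google must report the address as verified.
  const verified = info.verified_email ?? info.email_verified;
  if (verified !== true && verified !== "true") return { ok: false, reason: "email_unverified" };
  if (typeof info.email !== "string" ||
      info.email.toLowerCase() !== String(claimedEmail).toLowerCase()) {
    return { ok: false, reason: "email_mismatch" };
  }
  return { ok: true, email: info.email, userId: info.user_id ?? info.sub };
}

// Constructed sample responses (not captured from a real call).
const NOW = 1700000000;
const SAMPLES = {
  good: { audience: EXPECTED_CLIENT_ID, expires_in: 3400, email: "user@example.com",
          verified_email: true, user_id: "1001" },
  invalid: { error: "invalid_token" },
  otherApp: { audience: "999-other.apps.googleusercontent.com", expires_in: 3400,
              email: "user@example.com", verified_email: true },
  staleIdToken: { aud: EXPECTED_CLIENT_ID, exp: String(NOW - 60), sub: "1001",
                  email: "user@example.com", email_verified: "true" },
};

for (const [name, info] of Object.entries(SAMPLES)) {
  console.log(name, checkTokenInfo(info, EXPECTED_CLIENT_ID, "user@example.com", NOW));
}
```

Only save the submitted text when `ok` is true, and key the stored record on the returned `userId` or `email` rather than on anything the app sent alongside the token.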