Google Authentication with CURL 18

Google OAuth LargeOccasionally while working on a project I have need to test some calls to Googles APIs manually. To do that you need an access token.    Getting an Access token can be a pain sometimes.

So i have created a simple CURL script that will show you how to authenticate to Google and get an access token.

You will need to go to Google developer console and create a client id for this its easier to use a type other client.   By using type other we can avoid the need for a redirect URI, we don’t really need one as we are just going to run this as a curl script.     If you are really worried about security you can lock the client to your ip address.


What you need are the following:

  • Client ID
  • Client Secret
  • Scopes –  the scopes define what access you will receive.  you can have more then one just put a space between them.  For this i am just going to use openid.

Requesting Authorization

Now replace the values needed in the following link and put it in a web browser[Application Client Id]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=[Scopes]&response_type=code

Exchanging Authentication code

You should get the standard request for authentication.   Once you have accepted authentication copy the Authentication code.   Take the following code replace the values as needed.

curl \
–request POST \
–data “code=[Authentcation code from authorization link]&client_id=[Application Client Id]&client_secret=[Application Client Secret]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code” \

You should get something like this:


Congratulations you now have an access token you can use in your Google API call.   Just remember to use access_token=  and not key=  there is a difference.


Use Refresh Token

If your access token expires you can use the following command to refresh it using the Refresh token.

curl \
–request POST \
–data ‘client_id=[Application Client Id]&client_secret=[Application Client Secret]&refresh_token=[Refresh token granted by second step]&grant_type=refresh_token’ \

The response will be slightly diffrent this time.  You wont get a new Refresh token.

“access_token” : “XXXXX”,
“expires_in” : 3600,
“id_token” : “xxxxx”,
“token_type” : “Bearer”


We can use a couple of simple curl commands to get an access token for use with Google APIs.     There is a public Gist up on Github for this

About Linda Lawton

My name is Linda Lawton I have more than 20 years experience working as an application developer and a database expert. I have also been working with Google APIs since 2012 and I have been contributing to the Google .Net client library since 2013. In 2013 I became a a Google Developer Experts for Google Analytics.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

18 thoughts on “Google Authentication with CURL

  • Fred

    Its important to note that some of these characters are not ascii-text characters, and may cause errors if you copy and paste it. In addition, there should be a “–” before “request” and “data”; not a single dash. Other than that, this guide should work.

    • Linda Lawton Post author

      You would need to authenticate it once then save the refresh token you wont need to authenticate again after that. Or figure out how to do service account authentication. I haven’t had the time to work out service account authentication in curl myself. However if you get it working i would love to see it.

  • cent

    Hi Linda,
    I used the php-client-api but fails miserably. I use my own autoloader. Even the required files from GuzzleHttp seem to be loaded but still can’t pass “$client->authenticate($_GET[‘code’]);” as in tutorials. With curl-php I managed to make a authorization request and get the data with fields:
    [access_token] => ya29…
    [expires_in] => 2017-11-03 15:37:04
    [id_token] => ey…
    [token_type] => Bearer

    So, my question is:
    a) where is the refresh field?

    My curl-php (passes):
    public function authenticate($code, $client_id, $client_secret, $redirect_uri) {
    $url = ‘’;
    $curlPost = ‘client_id=’ . $client_id . ‘&client_secret=’ . $client_secret . ‘&redirect_uri=’ . $redirect_uri . ‘&code=’. $code . ‘&grant_type=authorization_code’;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost);
    $data = json_decode(curl_exec($ch), true);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($http_code != 200)
    throw new \Exception(__CLASS__ . “::authenticate() is called but failed to receieve access token!”);
    $this->access = $data;
    $this->access[‘expires_in’] = \date(“Y-m-d H:i:s”, \time() + $this->access[‘expires_in’]);

    My other question is:
    b) how do we get user info?

    My curl-php (fails):
    public function userinfo($access_token) {
    = $this->access[‘access_token’];
    $url = ‘’;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(‘Authorization: Bearer ‘. $access_token));
    $data = json_decode(curl_exec($ch), true);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($http_code != 200)
    throw new \Exception(__CLASS__ . “::userinfo() is called but failed to get user information!”);
    $this->data = $data;
    return $data;

    Thanks for your patience.

    • Linda Lawton Post author

      Refresh token will only appear if you request offline access. I think you should put this question up on its to much code to go though in comments make sure to tag it google-api-php-clinet

  • Sven Schubert

    Hi, Linda,

    thank you very much for this helpful information.

    I have a related question to this topic and hope you could help me to find some answers:

    According to this Google documentation:
    I can read about bearer tokens obtained with gcloud and cURL for the speech API. Now here are my questions:‎

    ‎1.‎ Can these bearer tokens be used to make gRPC streaming requests to the speech API?‎
    ‎2.‎ Are these bearer tokens only valid for 3600 seconds?‎
    ‎3.‎ Is there a limit on how many bearer tokens one service account will issue or can be possessed at the same time, ‎when using a service account?‎
    ‎4.‎ Once a successful connection to the speech API has been established with a bearer token, is it ‎possible to establish a second connection, using the identical same bearer token, while the first ‎connection is still ongoing? (We hope not, for security reasons.)‎
    ‎5.‎ What steps are recommended to enforce that only legitimate use of these bearer tokens happen? (Keywords: “network sniffer”, “reverse ‎engineering”) ‎ We plan ‎to distribute them at application runtime to our clients (end users) who are using our dictation ‎software as a native c# windows application?
    Many thanks for your help.‎

    • Linda Lawton Post author

      1. I have no experience with the gRPC streaming apis sorry cant help with this.
      2. yes access tokens are only valid for one hour
      3. not that I know of i have never found one.
      4. Sorry i have no experience with that api try it see what happens.
      5. I think you should put these question son

  • Pavan

    When i tried this authentication for google analytics it gave me the access code but when i tried to retrieve the data from google analytics using this access token it showed this error

    {“error”:{“errors”:[{“domain”:”global”,”reason”:”required”,”message”:”Login Required”,”locationType”:”header”,”location”:”Authorization”}],”code”:401,”message”:”Login Required”}}

  • Aaron Horne

    Great instruction. However I am still having issues. I get failed to convert -data and code=4 to ACE. string contains a disallowed character.

    I am on windows using bash to run the curl command.