Google signin and server verification

So I’m using Google sign-in through Expo and it seems to be working fine on the client side. Now I want to talk to my API and set up a user account. The API uses Google’s API library to do verification of the token id, but it needs the client_id of the client to do it.

My first thought was to pass the client_id with the request but also white-list client_ids on the server, but I’m wondering if there’s a best practice for this scenario, especially regarding security.

The Google API client ID is not a secret. It seems fine to send it from your client to your server (recommending HTTPS, as always, though) along with the Google authentication token you received. Alternatively, if your client ID is hard-coded and always known, you could hard code it into your server code as well.
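The server-side check discussed in this thread, as an added example that is not part of the original posts and is not Google's library code: the token's signed `aud` claim is matched against a server-side allow-list, and a client_id sent with the request is accepted only if it agrees with that claim. It assumes a Node.js server. The client IDs are placeholders, and the signature check uses Node's built-in `crypto` with a caller-supplied key so it runs offline, where a real deployment would rely on Google's library and Google's published signing keys.

```javascript
const crypto = require("node:crypto");

// Assumption: placeholder client IDs, configured on the server, never taken from the request.
const ALLOWED_CLIENT_IDS = new Set([
  "ios-placeholder.apps.googleusercontent.com",
  "android-placeholder.apps.googleusercontent.com",
]);
const GOOGLE_ISSUERS = new Set(["accounts.google.com", "https://accounts.google.com"]);

const b64urlJson = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Returns the verified claims, or throws with the reason the token was rejected.
function verifyIdToken(idToken, publicKeyPem, claimedClientId, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(idToken).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [headerB64, payloadB64, sigB64] = parts;

  // Pin the algorithm; never let the token header choose it.
  if (b64urlJson(headerB64).alg !== "RS256") throw new Error("unexpected alg");
  const signed = Buffer.from(`${headerB64}.${payloadB64}`);
  const ok = crypto.verify("RSA-SHA256", signed, publicKeyPem, Buffer.from(sigB64, "base64url"));
  if (!ok) throw new Error("bad signature");

  const claims = b64urlJson(payloadB64);
  if (!GOOGLE_ISSUERS.has(claims.iss)) throw new Error("wrong issuer");
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("expired");
  // The audience inside the signed token is what counts ...
  if (!ALLOWED_CLIENT_IDS.has(claims.aud)) throw new Error("audience not allowed");
  // ... the client_id sent with the request is only a hint and must agree with it.
  if (claimedClientId !== undefined && claimedClientId !== claims.aud) {
    throw new Error("client_id mismatch");
  }
  return claims;
}

// Constructed sample token, signed with a throwaway key generated locally (not a Google key).
function makeSampleToken(privateKey, claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const signingInput = `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString("base64url")}`;
}
```

Because the allow-list lives on the server, a token issued to some other app's client ID is rejected even when the request names that same ID.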
