
Google JWT Issuer & Claims

Verify Google OAuth 2.0 / OpenID Connect JWTs. Google's issuer, JWKS URL, RS256 signing, and issuer-specific claims (azp, hd, email_verified, at_hash) explained with validation rules.

Google issues JWTs for OAuth 2.0 and OpenID Connect. ID tokens are JWTs signed with RS256 and verified against Google's JWKS endpoint. Access tokens from Google are opaque (not JWTs): only ID tokens are JWTs. The issuer is https://accounts.google.com (or a tenant-specific host for Google Workspace).

Issuer details

| Property | Google |
| --- | --- |
| Issuer (iss) | https://accounts.google.com |
| JWKS URL | https://www.googleapis.com/oauth2/v3/certs |
| OIDC discovery | https://accounts.google.com/.well-known/openid-configuration |
| Signing algorithm | RS256 (default) |

Issuer-specific claims

Claims you will encounter in Google JWTs and what they mean for this issuer:

| Claim | Meaning for this issuer |
| --- | --- |
| iss | https://accounts.google.com (or the accounts.google.com tenant host for Workspace). |
| sub | Stable Google account identifier (a numeric ID, not the email). Use this as your user's primary key: it is stable even if the email changes. |
| aud | Your OAuth 2.0 client ID. Validate this on every request: a token with the wrong aud was issued for a different app. |
| azp | Authorized party: the client ID the token was issued to. Present when a token is issued to a different client than the audience (multi-client scenarios). Validate azp matches your client ID when present. |
| hd | Hosted domain: present only for Google Workspace accounts. Validate hd against your Workspace domain to restrict access to your organization. |
| email | The user's email. Note email can change; use sub as the stable identifier, email as a display value. |
| email_verified | Boolean: whether Google has verified the user controls this email. Reject unverified emails for high-trust flows. |
| at_hash | Access token hash: binds the ID token to the access token issued alongside it. Optional but useful for detecting token substitution. |

Verifying tokens from this issuer

Fetch Google's public keys from https://www.googleapis.com/oauth2/v3/certs (JWKS). Hardcode algorithms: ['RS256']. Validate iss against https://accounts.google.com and aud against your OAuth 2.0 client ID. Google rotates its signing keys roughly weekly: use a JWKS client that caches and refetches on unknown kid (jose's createRemoteJWKSet, Spring's NimbusJwtDecoder, PyJWKClient all do this). Do not hardcode Google's public key.
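The claim rules from the table above and the verification steps just described, as an added Python example that is not part of the original guide. It assumes the RS256 signature has already been verified against Google's JWKS (for instance by PyJWT with PyJWKClient) and takes the decoded payload; the client ID, access token and payload values used in it are constructed. The at_hash check follows the OpenID Connect Core definition (base64url of the left-most 128 bits of SHA-256 for RS256).

```python
import base64
import hashlib
import time

GOOGLE_ISSUER = "https://accounts.google.com"


def expected_at_hash(access_token: str) -> str:
    """at_hash for an RS256-signed ID token: base64url (no padding) of the
    left-most 128 bits of SHA-256 over the access token (OIDC Core, section 2)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).decode("ascii").rstrip("=")


def validate_google_claims(payload, client_id, workspace_domain=None,
                           access_token=None, require_verified_email=True,
                           now=None):
    """Apply Google's issuer-specific rules to an ID token payload whose RS256
    signature has ALREADY been verified against Google's JWKS.
    Returns the stable `sub`; raises ValueError when any rule fails."""
    now = time.time() if now is None else now
    if payload.get("iss") != GOOGLE_ISSUER:
        raise ValueError("iss is not https://accounts.google.com")
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # RFC 7519 allows a list
    if client_id not in auds:
        raise ValueError("aud does not contain our client ID")
    # azp is optional; when present it must also be our client ID
    if "azp" in payload and payload["azp"] != client_id:
        raise ValueError("azp does not match our client ID")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    # hd is only present for Workspace accounts; enforce it to restrict to one org
    if workspace_domain is not None and payload.get("hd") != workspace_domain:
        raise ValueError("hd is not our Workspace domain")
    if require_verified_email and payload.get("email_verified") is not True:
        raise ValueError("email_verified is not true")
    # at_hash binds this ID token to the access token issued alongside it
    if access_token is not None and "at_hash" in payload:
        if payload["at_hash"] != expected_at_hash(access_token):
            raise ValueError("at_hash does not match the access token")
    if not payload.get("sub"):
        raise ValueError("sub is missing")
    return payload["sub"]  # key the user on sub, never on email


def rejection_reason(payload, client_id, **kwargs):
    """None when the token passes every rule, otherwise the failing rule."""
    try:
        validate_google_claims(payload, client_id, **kwargs)
        return None
    except ValueError as err:
        return str(err)
```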

Frequently asked questions

  • What is the Google JWT issuer URL?

    The iss claim in Google-issued ID tokens is https://accounts.google.com (or a tenant-specific Google Workspace host). Your verifier should validate iss against this value. Google's JWKS endpoint is https://www.googleapis.com/oauth2/v3/certs, and the tokens are signed with RS256.

  • How do I verify a Google ID token?

    Fetch Google's public keys from https://www.googleapis.com/oauth2/v3/certs, verify the RS256 signature, and validate iss (https://accounts.google.com) and aud (your OAuth 2.0 client ID). Use a JWKS client that caches and refetches on unknown kid: Google rotates signing keys roughly weekly. In Node.js use jose's createRemoteJWKSet; in Python use PyJWKClient; in Spring Boot use NimbusJwtDecoder with jwk-set-uri.

  • What is the azp claim in Google JWTs?

    azp (authorized party) is the client ID the token was issued to. It is present when a token is issued to a different client than the audience (common in multi-client Google Workspace scenarios). Validate azp matches your client ID when present, in addition to aud. Without the azp check, a token issued to one of your client IDs could be replayed against a service expecting a different client.
