Ferris provides utilities for interacting with Google’s implementation of OAuth2 Service Account Flow as well as obtaining the access token from the active endpoints request. This makes it easy to obtain account credentials and access Google APIs.

This documentation assumes you have an understanding of OAuth2. If you’d like to read more on the subject of OAuth2 and how Google uses it please read Google’s documentation.

Endpoints Credentials

If your endpoint require authentication then you can obtain the user’s authorization token. You can use this to access Google APIs as long as the token was authorized for the appropriate scope. Do not that endpoints does not provide the refresh token so these access tokens are short-lived (at most 1 hour) so it is not advisable to store these credentials.


Gets the oauth2 credentials from the user authenticated to Google Cloud Endpoints.

Presently, this does not work for Android and iOS clients. We are open to patches to fix it.

Example of using this to get the user’s information:

from ferris3 import auto_service, auto_method, Service, oauth2, google_apis

class AuthInfoService(Service):

    def info(self, request):
        creds = oauth2.get_endpoints_credentials()
        client = google_apis.build('oauth2', 'v2', creds)

        r = client.userinfo().get().execute()

Service Account Configuration

In order to use Ferris’ OAuth2 features, you must first configure client settings in app/settings.py. The Google Developer Console provides service account credentials with a JSON file. You can load these directly:

import json
with open('app/service_account.json') as f:
    settings['oauth2_service_account'] = json.load(f)

Or you can manually configure it:

settings['oauth2_service_account'] = {
    'client_id': None, # ...apps.googleusercontent.com
    'client_email': None,  # ..@developer.gserviceaccount.com
    'private_key' None,  # The private key in PEM format

Using Service Accounts

ferris3.oauth2.build_service_account_credentials(scope, user=None)[source]

Builds service account credentials using the configuration stored in settings and masquerading as the provided user.


credentials = build_service_account_credentials(



Service account credentials will not work properly on local development environments that are missing the PyCrypto or PyOpenSSL modules. If you get errors concerning SignedJwtCredentials check your Python installation.


Ferris ensures that the access token is stored in the datastore/memcache to reduce calls to Google’s authorization service and avoid quota issues.