Validating a token is fairly simple and does not require the web site to perform any cryptography. In this example, the access token is sent to the Google endpoint located at The access token may be sent in the query string.

The Google endpoint responds with a JSON object that contains the following fields:

| Name | Value |
|------|-------|
| issued_to | (the application that was issued the token) |
| scope | (the scopes that the user consented to) |
| audience | (the protected resource the token may be sent to) |
| user_id | (the identifier of the user) |
| expires_in | (the remaining lifetime of the token in seconds) |

Validating the token requires at least checking the audience and the expiration time. The Python + AppEngine API code required to make the request to the Google endpoint and validate the response is shown below:

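    import json
    from google.appengine.api import urlfetch
    # `endpoints` (the application's settings) and `a_t` (the received access token) are defined elsewhere
    # check the token audience using exact match (TOKENINFO)
    url = endpoints.TOKENINFO_ENDPOINT + '?access_token=' + a_t
    tokeninfo = json.loads(urlfetch.fetch(url).content)
    session['token_info'] = tokeninfo
    if tokeninfo['audience'] != endpoints.CLIENT_ID:
        raise ValueError('access token was not issued to this client')
    if int(tokeninfo['expires_in']) < 1:
        raise ValueError('access token has expired')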
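
The same audience and expiry checks as a function that fails closed on error responses and missing or malformed fields, run offline against constructed responses. This is an added example, not the original page's code: `TokenRejected`, `validate_tokeninfo`, `outcome`, `sample` and the client IDs are hypothetical names, and it assumes a rejected token comes back as a JSON object carrying an `error` field.

```python
import json

CLIENT_ID = 'my-app.example.invalid'  # constructed; stands in for the app's client ID

class TokenRejected(Exception):
    """The tokeninfo response does not show a live token issued to this app."""

def validate_tokeninfo(body, client_id, min_lifetime=1):
    """Parse a tokeninfo response body; return it as a dict or raise TokenRejected."""
    try:
        info = json.loads(body)
    except (TypeError, ValueError):
        raise TokenRejected('response is not JSON')
    if not isinstance(info, dict):
        raise TokenRejected('response is not a JSON object')
    if 'error' in info:  # assumption: rejected tokens are reported in an `error` field
        raise TokenRejected('endpoint reported an error')
    audience = info.get('audience')
    # Exact match only; a missing audience must never compare equal to anything.
    if not isinstance(audience, str) or audience != client_id:
        raise TokenRejected('audience mismatch')
    try:
        remaining = int(info.get('expires_in'))
    except (TypeError, ValueError):
        raise TokenRejected('expires_in missing or malformed')
    if remaining < min_lifetime:
        raise TokenRejected('token expired')
    return info

def outcome(body):
    """Return 'ok' or the rejection reason for one response body."""
    try:
        validate_tokeninfo(body, CLIENT_ID)
        return 'ok'
    except TokenRejected as exc:
        return str(exc)

def sample(**overrides):
    """Build a constructed tokeninfo response with the fields listed above."""
    fields = {'issued_to': CLIENT_ID, 'scope': 'profile', 'audience': CLIENT_ID,
              'user_id': '0000', 'expires_in': 3600}
    fields.update(overrides)
    return json.dumps(fields)

if __name__ == '__main__':
    for body in (sample(), sample(audience='other-app.example.invalid'),
                 sample(expires_in=0), '{"error": "invalid_token"}'):
        print(outcome(body))
```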