For Agents
Configure Identity-Aware Proxy for Google Cloud apps and VMs: OAuth brands and clients, per-resource IAP settings, destination groups, and attribute expressions.
Get started with Cloud Identity-Aware Proxy API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"update iap settings on a backend service"
# → Jentic returns the matching PATCH /v1/{+name}:iapSettings operation with its parameter schema; the agent executes it.
What an agent can do with Cloud Identity-Aware Proxy API.
Create and manage OAuth brands that back IAP-protected applications
Register, list, and reset OAuth client secrets used by IAP for sign-in
Read and update per-resource IAP settings, including allowed domains, GCIP and CORS settings, and TCP tunnel options
Manage destination groups that scope IAP TCP forwarding to specific internal hosts (CIDRs and FQDNs)
Validate IAP attribute expressions before deploying them
Delete IAP resources such as OAuth clients and destination groups during teardown of protected applications
GET STARTED
Use for: Get the current IAP settings on a Cloud Run service, Restrict an IAP-protected app to a specific allowed domain, Reset the OAuth client secret for an IAP-protected app, Create a destination group for IAP TCP forwarding
Not supported: Does not authenticate end users at runtime, route HTTP traffic, or run TCP tunnels — use for IAP control-plane configuration of brands, clients, settings, and destination groups only.
The Cloud Identity-Aware Proxy (IAP) API manages the configuration that fronts internal applications on Google Cloud with identity- and context-based access control. It is used to register OAuth brands and clients, configure per-resource IAP settings (such as allowed domains, GCIP and CORS settings, and IAP TCP tunnel options), maintain destination groups for TCP forwarding, validate attribute expressions, and reset OAuth client secrets. IAP itself enforces access in front of HTTPS backends (load balancer backend services, App Engine, Cloud Run) and, for TCP forwarding, on tunnels to Compute Engine VMs; this API is the control plane that defines how that enforcement behaves. Who is allowed through is decided by the IAM policy on the IAP resource (roles/iap.httpsResourceAccessor for web apps, roles/iap.tunnelResourceAccessor for TCP forwarding, optionally narrowed with IAM conditions); iapSettings configures how IAP behaves for the principals IAM admits.
Patterns agents use the Cloud Identity-Aware Proxy API for, with concrete tasks.
★ Front Internal Apps with Identity-Based Access
Platform teams put IAP in front of internal admin tools so only signed-in users from approved groups can reach them. Group access is granted as roles/iap.httpsResourceAccessor on the backend service (with IAM conditions for IP ranges or access levels where needed); the IAP API is then used to update each backend service's iapSettings (allowed domains, reauthentication, CORS) and to reset the OAuth client secret on rotation. The setup replaces VPN-only access for many internal tools.
For backend service projects/p/iap_web/compute/services/internal-admin, call PATCH /v1/{+name}:iapSettings with updateMask=accessSettings.allowedDomainsSettings to set accessSettings.allowedDomainsSettings to enable: true, domains: [example.com], and return the updated iapSettings.
IAP TCP Forwarding to Bastion-less SSH
Operations teams configure IAP TCP forwarding to give engineers SSH-over-IAP access to internal VMs without running a bastion host. Destination groups created via the API list the CIDRs and FQDNs a tunnel grant may reach, and an IAM condition on the group (attribute destination.port) limits the ports, so policies are explicit and auditable.
Create a destination group named ssh-prod with cidrs 10.0.1.0/24 under the parent projects/p/iap_tunnel/locations/{location}, grant roles/iap.tunnelResourceAccessor on it with the condition destination.port == 22, and confirm the group appears in GET /v1/{+parent}/destGroups.
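The destination-group task above, as an added example that is not Jentic's or Google's code: it builds the create request (parent path, tunnelDestGroupId query parameter, cidrs/fqdns body), refuses CIDRs with host bits set so a typo cannot silently widen the group, builds the port-scoped IAM binding that goes on the group, and checks the list response. The project, location, group id and member are placeholders, and the list-response field tunnelDestGroups is assumed from the IAP v1 REST surface.

```python
import ipaddress
import re
from urllib.parse import urlencode

# Added example, not Jentic's or Google's code. Project "p", location
# "us-central1", group id "ssh-prod" and "group:sre@example.com" are
# placeholders; the list-response field tunnelDestGroups is assumed.
IAP_BASE = "https://iap.googleapis.com/v1"


def validate_cidrs(cidrs):
    """Normalise CIDRs; strict=True rejects host bits (10.0.1.5/24) that would widen the group."""
    return [str(ipaddress.ip_network(c, strict=True)) for c in cidrs]


def dest_group_create_request(project, location, group_id, cidrs, fqdns=()):
    """Build POST /v1/{+parent}/destGroups for a TunnelDestGroup.

    parent is projects/{project}/iap_tunnel/locations/{location}; the id travels
    in the tunnelDestGroupId query parameter and the body holds only cidrs and
    fqdns. There is no port field on the group itself.
    """
    if not re.fullmatch(r"[a-z][a-z0-9-]*", group_id):
        raise ValueError(f"invalid destination group id: {group_id!r}")
    parent = f"projects/{project}/iap_tunnel/locations/{location}"
    url = f"{IAP_BASE}/{parent}/destGroups?{urlencode({'tunnelDestGroupId': group_id})}"
    return {"method": "POST", "url": url,
            "body": {"cidrs": validate_cidrs(cidrs), "fqdns": list(fqdns)}}


def port_scoped_binding(member, ports, title="ssh-only"):
    """IAM binding to set on the group: tunnelResourceAccessor limited by destination.port."""
    expr = " || ".join(f"destination.port == {int(p)}" for p in ports)
    return {"role": "roles/iap.tunnelResourceAccessor", "members": [member],
            "condition": {"title": title, "expression": expr}}


def group_listed(list_response, project, location, group_id):
    """True if GET /v1/{+parent}/destGroups shows the group by full resource name.

    Note: the API may echo the project number rather than the project id in
    names; pass whichever form the listing uses.
    """
    want = f"projects/{project}/iap_tunnel/locations/{location}/destGroups/{group_id}"
    return any(g.get("name") == want for g in list_response.get("tunnelDestGroups", []))


if __name__ == "__main__":
    print(dest_group_create_request("p", "us-central1", "ssh-prod", ["10.0.1.0/24"]))
    print(port_scoped_binding("group:sre@example.com", [22]))
```

The binding is applied through the IAM policy of the destination group resource; the group only names hosts, so without the condition a grantee could reach any port on those hosts that the VPC firewall allows from the IAP range.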
OAuth Brand and Client Lifecycle
When standing up a new IAP-protected app, teams use the API to register the project's OAuth brand (a project holds at most one; list before creating), create an identity-aware proxy client under it, and rotate the client's secret on schedule. Brands and clients are listed by parent for inventory, and resetSecret rotates the client secret used by IAP for sign-in to that app, invalidating the previous one.
Under projects/p, POST a new brand with applicationTitle Internal-Admin and a supportEmail, then POST an identityAwareProxyClient under that brand with displayName admin-web and return the resulting client ID (the last segment of the client's name) and secret.
AI Agent IAP Settings Audit
An AI agent reviewing access controls calls the IAP API via Jentic to enumerate every IAP-protected resource in a project and validate that each resource's iapSettings match the declared policy. Drift is reported with a suggested PATCH payload. Jentic isolates the IAP admin credential so the agent never holds raw service-account JSON.
List IAP settings across resources under projects/p by calling GET /v1/{+name}:iapSettings for each service, and emit a CSV of resource, accessSettings.gcipSettings, and accessSettings.allowedDomainsSettings.
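The settings update and the settings audit described above share one mechanic, so here is one added example (not Jentic's or Google's code) covering both: it builds the GET/PATCH :iapSettings URL with reserved expansion of the resource name, compares constructed GET responses against a declared allowed-domain policy, emits the suggested PATCH (with updateMask) for each drifted resource, and writes the inventory CSV. Resource names, the policy and the SAMPLE responses are constructed for illustration.

```python
import csv
import io
import json

# Added example, not Jentic's or Google's code. Resource names, POLICY and
# SAMPLE are constructed for illustration.
IAP_BASE = "https://iap.googleapis.com/v1"


def iap_settings_url(resource, update_mask=None):
    """URL for GET/PATCH /v1/{+name}:iapSettings.

    The '+' in the template is reserved expansion: the resource name keeps its
    slashes and is placed in the path unencoded. For PATCH, updateMask names
    the fields being changed so unrelated settings are left untouched.
    """
    url = f"{IAP_BASE}/{resource}:iapSettings"
    if update_mask:
        url += "?updateMask=" + ",".join(update_mask)
    return url


def allowed_domains(settings):
    """(enforced?, sorted domains) from accessSettings.allowedDomainsSettings."""
    ad = settings.get("accessSettings", {}).get("allowedDomainsSettings", {})
    return bool(ad.get("enable")), sorted(ad.get("domains", []))


def audit(settings_by_resource, policy):
    """Compare fetched iapSettings with the declared allowed-domain policy.

    policy maps resource name -> domains that must be enforced. Each drifted
    resource yields a finding carrying the PATCH request that would fix it.
    """
    findings = []
    for resource, want in policy.items():
        want = sorted(want)
        got = settings_by_resource.get(resource)
        if got is None:
            findings.append({"resource": resource, "issue": "no iapSettings fetched"})
            continue
        enforced, domains = allowed_domains(got)
        if enforced and domains == want:
            continue
        findings.append({
            "resource": resource,
            "issue": f"allowed domains {domains if enforced else 'not enforced'}, policy wants {want}",
            "patch": {
                "method": "PATCH",
                "url": iap_settings_url(resource, ["accessSettings.allowedDomainsSettings"]),
                "body": {"name": resource, "accessSettings": {
                    "allowedDomainsSettings": {"enable": True, "domains": want}}},
            },
        })
    return findings


def to_csv(settings_by_resource):
    """Inventory CSV: resource, GCIP tenant IDs, allowed-domain enforcement, domains."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["resource", "gcip_tenants", "allowed_domains_enforced", "allowed_domains"])
    for resource, s in sorted(settings_by_resource.items()):
        gcip = s.get("accessSettings", {}).get("gcipSettings", {})
        enforced, domains = allowed_domains(s)
        w.writerow([resource, ";".join(gcip.get("tenantIds", [])), enforced, ";".join(domains)])
    return buf.getvalue()


ADMIN = "projects/p/iap_web/compute/services/internal-admin"
REPORTS = "projects/p/iap_web/compute/services/reports"
# Constructed GET :iapSettings responses; "reports" uses a GCIP tenant but
# has no allowed-domain restriction, which the audit must flag.
SAMPLE = {
    ADMIN: {"name": ADMIN, "accessSettings": {
        "allowedDomainsSettings": {"enable": True, "domains": ["example.com"]}}},
    REPORTS: {"name": REPORTS, "accessSettings": {"gcipSettings": {"tenantIds": ["tenant-a"]}}},
}
POLICY = {ADMIN: ["example.com"], REPORTS: ["example.com"]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, POLICY), indent=2))
    print(to_csv(SAMPLE))
```

Sending the PATCH without an updateMask would also be accepted, but it then replaces the whole settings object with whatever the body contains, so an agent that only wants to fix allowed domains could silently drop GCIP or CORS settings it never read; naming the mask keeps the change narrow and auditable.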
16 endpoints. The Cloud Identity-Aware Proxy (IAP) API manages the configuration that fronts internal applications on Google Cloud with identity- and context-based access control. The operations covered by this listing:
METHOD  PATH                                      DESCRIPTION
GET     /v1/{+name}:iapSettings                   Get IAP settings for a resource
PATCH   /v1/{+name}:iapSettings                   Update IAP settings for a resource (updateMask selects the fields)
POST    /v1/{+name}:resetSecret                   Reset the OAuth client secret for an identity-aware proxy client
POST    /v1/{+name}:validateAttributeExpression   Validate an IAP attribute expression
GET     /v1/{+parent}/brands                      List OAuth brands under a project
POST    /v1/{+parent}/brands                      Create an OAuth brand
GET     /v1/{+parent}/destGroups                  List destination groups for IAP TCP forwarding
POST    /v1/{+parent}/destGroups                  Create a destination group for IAP TCP forwarding
Three things that make agents converge on Jentic-routed access.
Credential isolation
IAP admin OAuth credentials live encrypted in the Jentic vault. Each call mints a short-lived access token scoped to cloud-platform so raw service-account keys never enter the agent runtime.
Intent-based discovery
Agents search 'update iap settings' or 'reset iap client secret' and Jentic returns the matching operation with its full schema, hiding the URL-encoded resource-name conventions.
Time to first call
Direct integration: 1-2 days to handle OAuth, the brand and client setup model, and TCP destination groups. Through Jentic: under 1 hour for the same operations.
Alternatives and complements available in the Jentic catalogue.
Identity and Access Management (IAM) API
IAM roles authorise both sides: roles/iap.admin or roles/iap.settingsAdmin for callers of this API, and at the resource roles/iap.httpsResourceAccessor (IAP-secured Web App User) or roles/iap.tunnelResourceAccessor for the users IAP lets through.
Use IAM roles to decide who may reach the resource and who may administer it; use the IAP API to configure how that access is enforced.
IAM Service Account Credentials API
Mints OIDC ID tokens used to authenticate service-to-service calls to backends behind IAP.
Use IAM Credentials :generateIdToken with audience set to the OAuth client ID of the IAP-protected resource, then send the token as a bearer token to the protected backend; IAP rejects tokens minted for any other audience.
Access Context Manager API
Defines context-based access levels that IAM conditions on IAP resources can reference.
Use Access Context Manager to define access levels (device posture, IP range), then reference them from IAM conditions on the IAP resource to gate app entry.
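The service-to-service flow from the IAM Service Account Credentials item above, as an added example (not Jentic's or Google's code): it builds the :generateIdToken request with the IAP client ID as audience, and before attaching a minted token as a bearer token it decodes the payload locally to catch the failure mode that costs the most debugging time, a token minted for the wrong audience, the wrong issuer, or already expired. The service account, client ID and constructed tokens are placeholders; fake_jwt exists only so the check can run offline.

```python
import base64
import json
import time

# Added example, not Jentic's or Google's code. The service account and the
# client ID used in __main__ are placeholders; fake_jwt builds constructed,
# unsigned tokens for offline use only.
IAMCRED_BASE = "https://iamcredentials.googleapis.com/v1"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def generate_id_token_request(service_account, iap_client_id):
    """POST .../serviceAccounts/{sa}:generateIdToken with audience = IAP OAuth client ID."""
    name = f"projects/-/serviceAccounts/{service_account}"
    return {"method": "POST", "url": f"{IAMCRED_BASE}/{name}:generateIdToken",
            "body": {"audience": iap_client_id, "includeEmail": True}}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def unverified_claims(id_token):
    """Decode the payload only. IAP verifies the signature; this is a local pre-flight check."""
    _header, payload, _sig = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def token_fits_iap(id_token, iap_client_id, now=None):
    """IAP rejects a wrong aud, a non-Google issuer or a past exp; catch those before sending."""
    c = unverified_claims(id_token)
    now = time.time() if now is None else now
    return (c.get("aud") == iap_client_id
            and c.get("iss") in GOOGLE_ISSUERS
            and c.get("exp", 0) > now)


def authorized_headers(id_token, iap_client_id, now=None):
    """Headers for the call to the IAP-protected backend."""
    if not token_fits_iap(id_token, iap_client_id, now):
        raise ValueError("ID token is not valid for this IAP resource")
    return {"Authorization": f"Bearer {id_token}"}


def fake_jwt(claims):
    """Constructed token for tests: real header/payload encoding, placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    cid = "123456789-abc.apps.googleusercontent.com"  # placeholder IAP client ID
    print(generate_id_token_request("caller@p.iam.gserviceaccount.com", cid))
    tok = fake_jwt({"iss": "https://accounts.google.com", "aud": cid, "exp": int(time.time()) + 3600})
    print(authorized_headers(tok, cid))
```

The local check never replaces IAP's own verification; it exists because a 401 from IAP carries no hint about which claim was wrong, while the decoded payload shows immediately whether the caller minted the token for a different client ID.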
Specific to using the Cloud Identity-Aware Proxy API through Jentic.
What authentication does the Cloud IAP API use?
Google OAuth 2.0 with the cloud-platform scope and an IAM principal that holds iap.* permissions on the resource being managed. Through Jentic the credential is stored encrypted and exchanged for a scoped access token at execution.
Can I update access policy on an IAP-protected service?
Yes, for the settings that live in iapSettings. Call PATCH /v1/{+name}:iapSettings on the resource (a backend service, Cloud Run service, or App Engine app) with the desired accessSettings, for example allowedDomainsSettings, gcipSettings, or corsSettings, and name the fields you are changing in the updateMask query parameter so other settings are left untouched. Which principals may reach the resource is governed by its IAM policy (roles/iap.httpsResourceAccessor, optionally with IAM conditions), not by iapSettings. New settings take effect within minutes.
What are the rate limits for the IAP API?
Google enforces per-project quotas on IAP admin operations (default in the low hundreds of QPS). Settings updates are eventually consistent; callers should expect propagation latency of seconds to a few minutes.
How do I rotate an IAP client secret through Jentic?
Search Jentic with 'reset iap client secret', load the POST /v1/{+name}:resetSecret operation, and execute with name set to projects/{p}/brands/{brand}/identityAwareProxyClients/{clientId}. Jentic returns the new client secret, which can then be wired into your sign-in configuration; the previous secret is invalidated, so update dependent configuration promptly and never log the returned value.
Does this API issue tokens for end users hitting an IAP-protected app?
No. End-user sign-in to an IAP-protected app is handled by IAP itself at the load balancer. This API is the control plane for IAP configuration (brands, clients, settings, destination groups), not the runtime token issuer.