• Populate token_expiry for GCE credentials. (#473)
  • Move GCE metadata interface to a separate module. (#520)
  • Populate scopes for GCE credentials. (#524)
  • Fix Python 3.5 compatibility. (#531)
  • Add oauth2client.contrib.sqlalchemy, a SQLAlchemy-based credential store. (#527)
  • Improve error when an invalid client secret is provided. (#530)
  • Add oauth2client.contrib.multiprocess_storage. This supersedes the functionality in oauth2client.contrib.multistore_file. (#504)
  • Pull httplib2 usage into a separate transport module. (#559, #561)
  • Refactor all django-related code into oauth2client.contrib.django_util. Add DjangoORMStorage, remove FlowField. (#546)
  • Fix application default credentials resolution order. (#570)
  • Add configurable timeout for GCE metadata server check. (#571)
  • Add warnings when using deprecated approval_prompt='force'. (#572)
  • Add deprecation warning to oauth2client.contrib.multistore_file. (#574)
  • (Hygiene) PEP8 compliance and various style fixes (#537, #540, #552, #562)
  • (Hygiene) Remove duplicated exception classes in oauth2client.contrib.appengine. (#533)

NOTE: The next major release of oauth2client (v4.0.0) will remove the oauth2client.contrib.multistore_file module.


  • Added support to override token_uri and revoke_uri in oauth2client.service_account.ServiceAccountCredentials. (#510)
  • oauth2client.contrib.multistore_file now handles OSError in addition to IOError because Windows may raise OSError where other platforms will raise IOError.
  • oauth2client.contrib.django_util and oauth2client.contrib.django_orm have been updated to support Django 1.8 - 1.10. Versions of Django below 1.8 will not work with these modules.


  • Add basic support for JWT access credentials. (#503)
  • Fix oauth2client.client.DeviceFlowInfo to use UTC instead of the system timezone when calculating code expiration.


  • Fix issue where flask_util.UserOAuth2.required would accept expired credentials (#452).
  • Fix issue where flask_util would fill the session with Flow objects (#498).
  • Fix issue with Python 3 binary strings in Flow.step2_exchange (#446).
  • Improve test coverage to 100%.


  • Making scopes optional on Google Compute Engine AppAssertionCredentials and adding a warning that GCE won't honor scopes (#419)
  • Adding common sign_blob() to service account types and a service_account_email property. (#421)
  • Improving error message in P12 factory ServiceAccountCredentials.from_p12_keyfile when pyOpenSSL is missing. (#424)
  • Allowing default flags in rather than forcing users to create a dummy argparser (#426)
  • Removing oauth2client.util.dict_to_tuple_key() from public interface (#429)
  • Adding oauth2client.contrib._appengine_ndb helper module for oauth2client.contrib.appengine and moving most code that uses the ndb library into the helper (#434)
  • Fix error in django_util sample code (#438)


  • Fix Google Compute Engine breakage (#411, breakage introduced in #387) that made it impossible to obtain access tokens
  • Implement ServiceAccountCredentials.from_p12_keyfile_buffer() to allow passing a file-like object in addition to the factory constructor that uses a filename directly (#413)
  • Implement ServiceAccountCredentials.create_delegated() to allow upgrading a credential to one that acts on behalf of a given subject (#420)


  • Add django_util (#332)
  • Avoid OAuth2Credentials id_token going out of sync after a token refresh (#337)
  • Move to a contrib sub-package code not considered a core part of the library (#346, #353, #370, #375, #376, #382)
  • Add token_expiry to devshell credentials (#372)
  • Move Storage locking into a base class (#379)
  • Added dictionary storage (#380)
  • Added to_json and from_json methods to all Credentials classes (#385)
  • Fall back to read-only credentials on EACCES errors (#389)
  • Coalesced the two ServiceAccountCredentials classes (#395, #396, #397, #398, #400)

Special Note About ServiceAccountCredentials:

For JSON keys, you can create a credential via

from oauth2client.service_account import ServiceAccountCredentials
credentials = ServiceAccountCredentials.from_json_keyfile_name(
    key_file_name, scopes=[...])

You can still rely on

from oauth2client.client import GoogleCredentials
credentials = GoogleCredentials.get_application_default()

returning these credentials when you set the GOOGLE_APPLICATION_CREDENTIALS environment variable.

For .p12 keys, construct via

credentials = ServiceAccountCredentials.from_p12_keyfile(
    service_account_email, key_file_name, scopes=[...])

though we urge you to use JSON keys (rather than .p12 keys) if you can.

This is equivalent to the previous method

# PRE-oauth2client 2.0.0 EXAMPLE CODE!
from oauth2client.client import SignedJwtAssertionCredentials

with open(key_file_name, 'rb') as key_file:
    private_key =

credentials = SignedJwtAssertionCredentials(
    service_account_email, private_key, scope=[...])


  • Add access token refresh error class that includes HTTP status (#310)
  • Python3 compatibility fixes for Django (#316, #318)
  • Fix incremental auth in flask_util (#322)
  • Fall back to credential refresh on EDEADLK in multistore_file (#336)


  • Fix bad indent in tools.run_flow() (#301, bug was introduced when switching from 2 space indents to 4)


  • Fix (more like clarify) bytes / str handling in crypto methods. (#203, #250, #272)
  • Replacing webapp with webapp2 in oauth2client.appengine (#217)
  • Added optional state parameter to step1_get_authorize_url. (#219 and #222)
  • Added flask_util module that provides a Flask extension to aid with using OAuth2 web server flow. This provides the same functionality as the appengine.webapp2 OAuth2Decorator, but will work with any Flask application regardless of hosting environment. (#226, #273)
  • Track scopes used on credentials objects (#230)
  • Moving docs to (#237, #238, #244)
  • Removing old_run module. Was deprecated July 2, 2013. (#285)
  • Avoid proxies when querying for GCE metadata (to check if running on GCE) (#114, #293)


  • Fix OS X flaky test failure (#189).
  • Fix broken OpenSSL import (#191).
  • Remove @util.positional from wrapped request in Credentials.authorize() (#196, #197).
  • Changing pinned dependencies to >= (#200, #204).
  • Support client authentication using Authorization header (#206).
  • Clarify environment check in case where GAE imports succeed but GAE services aren't available (#208).


  • Better environment detection with Managed VMs.
  • Better OpenSSL detection in exotic environments.


  • Update the OpenSSL check to be less strict about finding in the OpenSSL directory.
  • tox updates for new environment handling in tox.


  • Ensure that the ADC fails if we try to write the well-known file to a directory that doesn't exist, but not if we try to read from one.


  • Better handling of body during token refresh when body is a stream.
  • Better handling of expired tokens in storage.
  • Cleanup around openSSL import.
  • Allow custom directory for the well_known_file.
  • Integration tests for python2 and python3. (!!!)
  • Stricter file permissions when saving the well_known_file.
  • Test cleanup around config file locations.


  • Add support for Google Developer Shell credentials.
  • Better handling of filesystem errors in credential refresh.
  • python3 fixes
  • Add NO_GCE_CHECK for skipping GCE detection.
  • Better error messages on InvalidClientSecretsError.
  • Comment cleanup on run_flow.


  • Add utility function to convert PKCS12 key to PEM. (#115)
  • Change GCE detection logic. (#93)
  • Add a tox env for doc generation.


  • Set a shorter timeout for an Application Default Credentials issue on some networks. (#93, #101)
  • Test cleanup, switch from mox to mock. (#103)
  • Switch docs to sphinx from epydoc.


  • Fix a bug in bytes/string encoding of headers.


  • Big thanks to @dhermes for spotting and fixing a mess in our test setup.

  • Fix a serious issue with tests not being run. (#86, #87, #89)

  • Start credentials cleanup for single 2LO/3LO call. (#83, #84)

  • Clean up stack traces when re-raising in some places. (#79)

  • Clean up doc building. (#81, #82)

  • Fixed minimum version for six dependency. (#75)


  • Several small bugfixes related to six/py3 support.


  • Fix a critical bug on import in


  • Merge python3 branch! Massive thanks due to @pferate and @methane for doing the heavy lifting.

  • Make import gracefully if argparse isn't present.

  • Change flow.step2_exchange to preserve the raw id_token in the token_response field.


  • Quick bugfix for an issue with dict-like arguments to flow.step2_exchange, which is common in some environments (such as GAE).


  • Quick bugfix for bad error handling in from_json.


  • Added support for the Google Application Default Credentials for more information (thanks @orestica).

  • Added support for OAuth2 for devices (#3, thanks @sde-melo).

  • The minimum required Python version is now 2.6.

  • The anyjson submodule has been removed.

  • Better exception handling around missing crypto libraries (#56).

  • Improve error messages in AccessTokenRefreshError (#53, thanks @erickoledadevrel).

  • Drop uritemplate as a dependency.

  • Handle X509 certs with PyCrypto (#51, thanks @liujin-google).

  • Handle additional failure types on OSX (#32, thanks @simoncadman).

  • Better unicode handling with PKCS12 passwords (#31, thanks @jterrace).

  • Better retry handling with bad server replies on refresh (#29, thanks @kaste).

  • Better logging for missing refresh_token in server replies (#21).

  • Support login_hint (#18, thanks @jay0lee).

  • Better overwrite options in django_orm.Storage. (#2, thanks @lraccomando).


  • The use of the gflags library is now deprecated, and is no longer a dependency. If you are still using the function then include python-gflags as a dependency of your application or switch to

  • Samples have been updated to use the new apiclient.sample_tools, and no longer use gflags.

  • Added support for the experimental Object Change Notification, as found in the Cloud Storage API.

  • The oauth2client App Engine decorators are now threadsafe.

  • Use the following redirects feature of httplib2 where it returns the ultimate URL after a series of redirects to avoid multiple hops for every resumable media upload request.

  • Updated AdSense Management API samples to V1.3

  • Add option to automatically retry requests.

  • Ability to list registered keys in multistore_file.

  • User-agent must contain (gzip).

  • The method parameter for httplib2 is not positional. This would cause spurious warnings in the logging.

  • Making OAuth2Decorator more extensible. Fixes Issue 256.

  • Update AdExchange Buyer API examples to version v1.2.


  • Add PEM support to SignedJWTAssertionCredentials (used to only support PKCS12 formatted keys). Note that if you use PEM formatted keys you can use PyCrypto 2.6 or later instead of OpenSSL.

  • Allow deserialized discovery docs to be passed to build_from_document().

  • Make ResumableUploadError derive from HttpError.

  • Many changes to move all the closures in apiclient.discovery into real classes and objects.

  • Make from_json behavior inheritable.

  • Expose the full token response in OAuth2Client and OAuth2Decorator.

  • Handle reasons that are None.

  • Added support for NDB based storing of oauth2client objects.

  • Update grant_type for AssertionCredentials.

  • Adding a .revoke() to Credentials. Closes issue 98.

  • Modify oauth2client.multistore_file to store and retrieve credentials using an arbitrary key.

  • Don't accept 403 challenges by default for auth challenges.

  • Set httplib2.RETRIES to 1.

  • Consolidate handling of scopes.

  • Upgrade to httplib2 version 0.8.

  • Allow setting the response_type in OAuth2WebServerFlow.

  • Ensure that dataWrapper feature is checked before using the data value.

  • HMAC verification does not use a constant time algorithm.


  • Changes to the code for running tests and building releases.


  • In samples and oauth2 decorator, escape untrusted content before displaying it.
  • Do not allow credentials files to be symlinks.
  • Add XSRF protection to oauth2decorator callback state.
  • Handle uploading chunked media by stream.
  • Handle passing streams directly to httplib2.
  • Add support for Google Compute Engine service accounts.
  • Flows no longer need to be saved between uses.
  • Change GET to POST if URI is too long. Fixes issue 96.
  • Add a keyring-based Storage.
  • More robust picking up JSON error responses.
  • Make batch errors align with normal errors.
  • Add a Google Compute sample.
  • Token refresh to work with old GData API.
  • Loading of client_secrets JSON file backed by a cache.
  • Switch to new discovery path parameters.
  • Add support for additionalProperties when printing schema'd objects.
  • Fix media upload parameter names.
  • oauth2client support for URL-encoded format of exchange token response (e.g. Facebook)
  • Build cleaner and easier to read docs for dynamic surfaces.


  • Parameter values of None should be treated as missing. Fixes issue 144.
  • Distribute the samples separately from the library source. Fixes issue 155.
  • Move all remaining samples over to client_secrets.json. Fixes issue 156.
  • Make understand win32file primitives for better awesomeness.


  • Documentation for the library has switched to epydoc
  • Many improvements for media support:
    • Added media download support, including resumable downloads.
    • Better handling of streams that report their size as 0.
    • Update MediaUpload to include io.Base and also fix some bugs.
  • OAuth bug fixes and improvements.
    • Remove OAuth 1.0 support.
    • Added credentials_from_code and credentials_from_clientsecrets_and_code.
    • Make oauth2client support Windows-friendly locking.
    • Fix bug in StorageByKeyName.
    • Fix None handling in Django fields. Fixes issue 128.
  • Add epydoc generated docs.
  • Move to PEP386 compliant version numbers.
  • New and updated samples
    • Ad Exchange Buyer API v1 code samples.
    • Automatically generate Samples wiki page from README files.
    • Update Google Prediction samples.
    • Add a Tasks sample that demonstrates Service accounts.
    • new analytics api samples.
  • Convert all inline samples to the Farm API for consistency.


  • Updated media upload support.
  • Many fixes for batch requests.
  • Better handling for requests that don't require a body.
  • Fix issues with Google App Engine Python 2.7 runtime.
  • Better support for proxies.
  • All Storages now have a .delete() method.
  • Important changes which might break your code:
    • apiclient.anyjson has moved to oauth2client.anyjson.
    • Some calls, for example, taskqueue().lease() used to require a parameter named body. In this new release only methods that really need to send a body require a body parameter, and so you may get errors about an unknown body parameter in your call. The solution is to remove the unneeded body={} parameter.


  • Support for batch requests.
  • Support for media upload.
  • Better handling for APIs that return something other than JSON.
  • Major cleanup and consolidation of the samples.
  • Bug fixes and other enhancements: 72 Defect Appengine OAuth2Decorator: Convert redirect address to string 22 Defect Better error handling for unknown service name or version 48 Defect StorageByKeyName().get() has side effects 50 Defect Need sample client code for Admin Audit API 28 Defect better comments for app engine sample Nov 9 63 Enhancement Let OAuth2Decorator take a list of scope