Quintessential information from your sketch is presented in Google's official publications:

  1. A volatile token is generated and signed by the issuer (Google) and usually expires after a rather short lifespan (related post, while not google-login-specific: What is intent of ID Token expiry time in OpenID Connect?). The Google docs describe how to send a token XYZ123 via https to https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123

    As @ian-barber writes here: "Be sure to always send ID tokens over HTTPS - though they can't be used maliciously in themselves, an attacker could use one to establish themselves a session with your app server if they could intercept it, so it's important they aren't sent in plain text."

    (Refreshed) tokens are to be used to authenticate users. Then your backend logic (the blue server part) can grant further privileges or e.g. transmit data in a post response. The API (JavaScript version) provides a toolset to monitor the user's session status.

  2. As stated here, you must specify "authorized origins". Only authorized origins may validate their client users through the Google Identity API. Please note that even the port matters, i.e. if you allow localhost:8080 as an authorized origin, then localhost:9999 is not included! Additionally, the client ID per se is no secret and is naturally exposed in your html document or app. But only authorized origins are eligible to traverse the login workflow and transmit the token to the backend, where it is validated through calls to the API.

Answer from bogus on Stack Overflow
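
The answer's two points, sketched as an added example (not code from the answer or from Google): the checks a backend would apply to the JSON returned by the tokeninfo endpoint, and why `localhost:8080` and `localhost:9999` are different origins. `CLIENT_ID`, the function names and the sample responses are constructed placeholders.

```javascript
// Constructed placeholder; use the client ID registered for your app.
const CLIENT_ID = "1234567890-example.apps.googleusercontent.com";
const GOOGLE_ISSUERS = new Set(["accounts.google.com", "https://accounts.google.com"]);

// Validate the claims object returned by tokeninfo for an ID token.
// Returns { ok: true, userId } or { ok: false, reason }.
function checkTokenInfo(info, clientId, nowSeconds) {
  if (!info || typeof info !== "object") return { ok: false, reason: "no claims" };
  if (!GOOGLE_ISSUERS.has(info.iss)) return { ok: false, reason: "bad issuer" };
  // The client ID is public, so other apps can obtain valid Google tokens for
  // their own client IDs. Rejecting a foreign `aud` keeps those tokens from
  // being accepted by this backend.
  if (info.aud !== clientId) return { ok: false, reason: "wrong audience" };
  const exp = Number(info.exp); // the claim may arrive as a string of seconds
  if (!Number.isFinite(exp) || exp <= nowSeconds) return { ok: false, reason: "expired" };
  if (typeof info.sub !== "string" || info.sub === "") return { ok: false, reason: "no subject" };
  return { ok: true, userId: info.sub };
}

// An origin is scheme + host + port, so a different port is a different origin.
function isAuthorizedOrigin(candidateUrl, authorizedOrigins) {
  let origin;
  try {
    origin = new URL(candidateUrl).origin;
  } catch {
    return false; // not a parseable URL
  }
  return authorizedOrigins.includes(origin);
}

// Constructed sample responses, evaluated at a fixed "now" for repeatability.
const NOW = 1700000000;
const goodInfo = { iss: "https://accounts.google.com", aud: CLIENT_ID,
                   sub: "110000000000000000001", exp: String(NOW + 3000) };
const otherApp = { ...goodInfo, aud: "999-other.apps.googleusercontent.com" };
const stale = { ...goodInfo, exp: String(NOW - 10) };

console.log(checkTokenInfo(goodInfo, CLIENT_ID, NOW));
console.log(checkTokenInfo(otherApp, CLIENT_ID, NOW));
console.log(checkTokenInfo(stale, CLIENT_ID, NOW));
console.log(isAuthorizedOrigin("http://localhost:9999/login", ["http://localhost:8080"]));
```
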
🌐
Google
developers.google.com › google identity › web guides › google sign-in for server-side apps
Google Sign-In for server-side apps | Web guides | Google for Developers
Implementing the one-time-code flow involves creating a client ID, including the Google platform library, initializing the GoogleAuth object, adding a sign-in button, sending the authorization code to the server, and exchanging the code for access and refresh tokens on the server.
🌐
Vercel
vercel.com › changelog › faster-login-flow-and-new-google-sign-in-support
Faster login flow and new Google Sign-in support - Vercel
We’ve improved the login experience with a new design and support for Google sign-in, including Google One Tap. Signing in with Google is now a single-click experience.
🌐
Social+
social.plus › tutorials › login-flow-with-google-identity-services-and-firebase
Login flow with Google Identity Services and Firebase
October 11, 2023 - The flow is as follows: first, we’ll check if Amity’s session is valid; if it is we’ll continue to our main flow, if not we will redirect our users to our log-in screen. There we will first try to log our users in using Google. If they’ve logged in to our app before this will succeed and then we can log in using Firebase.
🌐
Reddit
reddit.com › r/node › is my google oauth flow correct?
r/node on Reddit: Is my Google OAuth flow correct?
August 5, 2023 -

So when I sign in through Google on my web application, I get the refresh token, access_token, and id_token.

Since I'm only using the basic scopes (read email, name, and other basic google account data) can I just send the client a cookie instead of sending the Access or ID token? This is what I'm thinking my application flow will look like:

  1. user signs in through Google

  2. server stores refresh token in database or cache

  3. cookie is sent to client side and expires in about an hour (same as Google Access Token Expiration)

  4. if cookie is not sent from client (expired) during a request, we will authenticate with Google using stored refresh token, and if authenticated, send cookie to client and keep authenticating

  5. if Google doesn't authenticate refresh token, make them sign in again

Let me know if I'm getting this right or if you would make any corrections. I'm trying to make my application as secure as possible by allowing users to log in through Google and I'm trying to do authentication myself to learn.

🌐
Emlid Community
community.emlid.com › emlid flow & emlid flow 360 › getting started
Problem login to flow and sync with goggle account - Getting started - Emlid Community Forum
June 7, 2023 - Just for info, it might be useful to others too. I had an issue with my account. I have a paid account using google credentials. From flow I got the prompt to periodically login with my account. When selecting the goo…
🌐
Auth0
community.auth0.com › get help
Unable to Process Auth0 Flow with Google Login and Email/Password for the Same User - Auth0 Community
January 23, 2025 - I’m trying to implement an Auth0 flow where a user can log in using either Google Login or their email/password. I am using a single API for this flow, but I’m facing issues when trying to authenticate the same user through both methods. I’m not sure how to handle linking or synchronizing ...
🌐
FlutterFlow Documentation
docs.flutterflow.io › integrations › google login
Google Login | FlutterFlow Documentation
Learn how to integrate Google Login of Supabase Auth into your FlutterFlow app.
🌐
Google Workspace
knowledge.workspace.google.com › administrators › apps & integrations › sso sign-in flow when using login hints
SSO sign-in flow when using login hints | Apps & integrations  | Google Workspace Help
Enable direct login: If the user associated with the hint already has an active session with Google, the server automatically signs them in, providing a seamless experience.