Skip to main content
The Accounts service provides methods for creating, activating, and managing user accounts in the Cross-Media Measurement system.

Resource

Account

An API user account resource. Resource Pattern: accounts/{account}
name
string
required
Resource name.
creator
string
Resource name of the Account that created this one. Output-only. Immutable.Reference: halo.wfanet.org/Account
activation_state
ActivationState
Activation state of this Account. Output-only.Possible values:
  • ACTIVATION_STATE_UNSPECIFIED - Default value
  • UNACTIVATED - Account has not yet been activated
  • ACTIVATED - Account has been activated (terminal state)
activation_params
ActivationParams
Parameters for activation of this Account.Only set when activation_state is UNACTIVATED in FULL view.
open_id
OpenIdConnectIdentity
OpenID Connect identity of the user for this Account. Output-only.This must be set when activation_state is ACTIVATED. The value is unique across all Account resources.

Views

Accounts support different view levels:
  • VIEW_UNSPECIFIED - Defaults to BASIC
  • BASIC - Basic account information
  • FULL - Complete account details including activation parameters

Methods

CreateAccount

Creates (registers) an Account. The creator will be derived from the authenticated caller. Results in PERMISSION_DENIED if the authenticated caller does not own the owned_measurement_consumer in activation_params. Returns the FULL view of the created Account.
account
Account
required
The Account to create. The name field will be ignored, and the system will assign an ID.
response
Account
The created Account resource in FULL view.

Example Request

message CreateAccountRequest {
  Account account = 1;
}

Error Conditions

  • PERMISSION_DENIED - Caller does not own the owned_measurement_consumer specified in activation parameters
  • INVALID_ARGUMENT - Invalid account data provided

ActivateAccount

Activates an account by transitioning its activation_state to ACTIVATED. The identity will be derived from the authenticated caller.
name
string
required
Resource name of the Account to activate.Format: accounts/{account}
activation_token
string
required
Activation token obtained from the Account’s activation_params.
response
Account
The activated Account resource.

Example Request

message ActivateAccountRequest {
  string name = 1;  // "accounts/123"
  string activation_token = 2;
}

Error Conditions

  • NOT_FOUND - Account not found
  • INVALID_ARGUMENT - Invalid activation token
  • FAILED_PRECONDITION - Account already activated

ReplaceAccountIdentity

Replaces the identity of an Account. Results in PERMISSION_DENIED if the authenticated caller does not match the current identity.
name
string
required
Resource name of the Account.Format: accounts/{account}
open_id
OpenIdConnectCredentials
Replacement credentials for an OpenID Connect identity.
response
Account
The updated Account resource.

Example Request

message ReplaceAccountIdentityRequest {
  string name = 1;  // "accounts/123"
  
  oneof replacement_credentials {
    OpenIdConnectCredentials open_id = 2;
  }
}

message OpenIdConnectCredentials {
  string identity_bearer_token = 1;  // JWT token
}

Error Conditions

  • PERMISSION_DENIED - Caller does not match current identity
  • NOT_FOUND - Account not found
  • INVALID_ARGUMENT - Invalid credentials provided

Authenticate

Authenticates the user using an OpenID Connect (OIDC) provider.
issuer
string
required
OpenID Connect issuer identifier.For Self-Issued OpenID Providers, this will be https://self-issued.me.
authentication_request_uri
string
URI for id_token authentication request to OpenID Provider.

Example Request

message AuthenticateRequest {
  string issuer = 1;  // "https://accounts.google.com"
}

Example Response

message AuthenticateResponse {
  string authentication_request_uri = 1;
}

Usage Examples

Creating and Activating an Account

  1. Create the account:
CreateAccountRequest {
  account: {
    activation_params: {
      owned_measurement_consumer: "measurementConsumers/mc-123"
    }
  }
}
  1. Activate with token:
ActivateAccountRequest {
  name: "accounts/acc-456"
  activation_token: "<token-from-creation>"
}

Replacing Account Identity

ReplaceAccountIdentityRequest {
  name: "accounts/acc-456"
  open_id: {
    identity_bearer_token: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}

Build docs developers (and LLMs) love

Get started for freeTalk to us