Sign in with Google

Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Its scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. It stores session tokens and authentication cookies to maintain login state across page visits.

Overview

Sign in with Google (powered by Google Identity Services) is one of the most widely deployed social login mechanisms on the web. It allows users to authenticate on third-party websites using their existing Google account credentials, eliminating the need to create and remember site-specific passwords. The service uses OAuth 2.0 and OpenID Connect protocols to securely exchange identity tokens between Google and the relying website.

What This Script Does

The Google Identity Services library loads from accounts.google.com/gsi/client and handles the full authentication flow.

  • Script loaded: accounts.google.com/gsi/client — renders the "Sign in with Google" button, One Tap prompt, or automatic sign-in flow
  • Authentication flow: When a user clicks the sign-in button, the script opens a consent dialog (popup or redirect) on accounts.google.com. After the user authenticates, Google returns an ID token (JWT) containing the user's email, name, profile picture, and a unique Google account identifier to the website.
  • Cookies set:
    • g_state — First-party cookie. Manages the One Tap sign-in prompt state (whether it has been shown, dismissed, or the cooldown period).
    • g_csrf_token — First-party cookie. CSRF protection token for the sign-in callback, set during the authentication flow.
    • Google's own authentication cookies on accounts.google.com (e.g., SAPISID, APISID, SID) are used to maintain the user's Google session but are not set on the publisher's domain.
  • Data exchanged: The website receives only the data scopes it requested (typically email, name, and profile picture). No browsing behavior or tracking data is exchanged through the authentication flow.
  • FedCM integration: Modern implementations use the Federated Credential Management API (FedCM), which provides browser-mediated identity flows without third-party cookies.
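
The server-side checks this flow relies on, as an added example that is not part of the original page or of Google's library: the callback compares the g_csrf_token cookie with the g_csrf_token field of the POST body (double-submit), then verifies the ID token's signature and its iss, aud and exp claims. The function names, the placeholder client ID and the locally generated RSA key standing in for Google's published signing keys are assumptions.

```javascript
// Added example (not from the page): checks for the Sign in with Google callback POST.
const crypto = require('node:crypto');

const GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];

// Double-submit check: g_csrf_token cookie must equal the g_csrf_token body field.
function csrfOk(cookieHeader, bodyToken) {
  const m = /(?:^|;\s*)g_csrf_token=([^;]*)/.exec(cookieHeader || '');
  if (!m || !m[1] || !bodyToken) return false;
  const a = Buffer.from(m[1]);
  const b = Buffer.from(String(bodyToken));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Verify the RS256 signature first, then the claims; throws on any failure.
function verifyIdToken(jwt, publicKey, clientId, nowSec) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // reject "none"/HS256
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (!GOOGLE_ISSUERS.includes(claims.iss)) throw new Error('bad iss');
  if (claims.aud !== clientId) throw new Error('bad aud'); // token issued for another site
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}

// Constructed fixture: signs sample claims with a local key (assumption: it stands in
// for Google's signing key, which a real deployment obtains from Google).
function makeSampleToken(privateKey, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const now = Math.floor(Date.now() / 1000);
  const aud = 'example-client-id.apps.googleusercontent.com'; // placeholder client ID
  const claims = { iss: GOOGLE_ISSUERS[1], aud, exp: now + 300, sub: '1234567890' };
  const jwt = makeSampleToken(privateKey, claims); // constructed sample token
  return csrfOk('g_state=x; g_csrf_token=abc123', 'abc123') && verifyIdToken(jwt, publicKey, aud, now).sub;
}
console.log(demo());
```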

Consent & Compliance

Sign in with Google falls under the essential consent category when used as an authentication mechanism.

Under GDPR and ePrivacy, authentication cookies set during login (g_state, g_csrf_token) qualify as strictly necessary for providing a service explicitly requested by the user. The ePrivacy Directive exempts cookies that are essential for delivering a service the user has asked for. The GDPR legal basis is Article 6(1)(b) — processing necessary for the performance of a contract (the user account). However, if the One Tap prompt appears automatically without user interaction, the g_state cookie managing prompt display could be argued as non-essential.

Under CCPA/CPRA, identity data exchanged during authentication is processed to provide the requested login service and does not constitute a "sale" or "sharing" of personal information for advertising.

Should You Block This Without Consent?

No. Sign in with Google is an authentication service that users explicitly invoke to log into a website. Blocking it would prevent users from accessing their accounts. The cookies set are functional (CSRF protection, prompt state management) and the data exchange is limited to authentication credentials. If the One Tap auto-prompt is used, consider whether it should appear only after the user has interacted with a login element.

Consent Categories

Essential

Also Known As

Google OAuth, Google Identity Services, Google SSO, Google login button, Google authentication

Industries

Computers Electronics and Technology, Search Engines

Tracked Domains (2)

  • accounts.google.com (Essential)
  • apis.google.com (Essential)

Frequently Asked Questions

Does Sign in with Google require cookie consent?

No. Sign in with Google is authentication explicitly invoked by the user, classified as essential. The g_state and g_csrf_token cookies are functionally necessary for CSRF protection and One Tap state management. The legal basis under GDPR is Article 6(1)(b) — performance of a contract. Blocking it would prevent users from logging in.

What cookies does Sign in with Google set?

Sign in with Google sets g_state (first-party) to manage One Tap prompt display and cooldown, and g_csrf_token for CSRF protection during the auth callback. Google session cookies on accounts.google.com maintain the user's session but are not set on the publisher domain. FedCM avoids third-party cookies entirely.

How does ConsentStack categorize Sign in with Google?

ConsentStack classifies Sign in with Google as essential and does not block it. It is detected via accounts.google.com/gsi/client. The auth flow exchanges only the requested scopes (email, name, profile picture), with no advertising or behavioral data. ConsentStack does not require consent before the sign-in button or One Tap prompt renders.

