Forgive me. I think I've misread the original question.
Anyway for anyone like me arriving here looking to secure HTTP access from
outside GAE, this is the way to go:
On Mon, Mar 12, 2018 at 6:16 PM Thijs Koerselman <thijskoersel...@gmail.com>
> The question was about securing HTTP access by checking traffic coming
> from a webapp. The X-Appengine-Inbound-Appid header only applies to
> requests from apps running *inside* the app engine environment calling
> other apps in the same environment.
> I was hoping to use the header too, but it can't be used for anything
> related to a web or mobile client calling your API.
> If anyone knows a nice solution to this I'd love to hear about it.
> So far the only solution I know is to send credentials in the Authenticate
> header and verify them, but this would create a lot of overhead for a
> simple REST api. I need to verify users agains a Firebase instance. Is
> there a way to issue a JWT token or something on Firebase login?
> On Wednesday, January 4, 2017 at 10:06:01 PM UTC+1, Evan Jones wrote:
>> You can check the X-Appengine-Inbound-Appid header on requests coming it
>> to your service. On App Engine, it will be set by Google, so you can trust
>> it. Check that it matches the project(s) you expect, and return some HTTP
>> error if it doesn't match. See:
>> On Wednesday, January 4, 2017 at 2:39:13 PM UTC-5, Mateusz Haligowski
>>> Hi google-appengine,
>>> I started playing with GAE a couple of weeks ago and absolutely love it.
>>> I created a bunch of REST services with Go and deployed them to GAE. I've
>>> also created a webapp that talks to my backend services.
>>> Now, I want to handle the user authentication with Auth0 on the webapp
>>> side, and came to realization that my backend services are publicly
>>> available. My question is: what is the approach to secure them? Is there
>>> any way to tell GAE "Accept only http(s) calling from other GAE services?".
> You received this message because you are subscribed to a topic in the
> Google Groups "Google App Engine" group.
> To unsubscribe from this topic, visit
> To unsubscribe from this group and all its topics, send an email to
> To post to this group, send email to firstname.lastname@example.org.
> Visit this group at https://groups.google.com/group/google-appengine.
> To view this discussion on the web visit
> For more options, visit https://groups.google.com/d/optout.
+31 6 4114 8017
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email
To post to this group, send email to email@example.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit
For more options, visit https://groups.google.com/d/optout.