Prerequisites

A primary prerequisite for implementing a seamless sign-in experience with Credential Manager across your app and website is establishing a secure association between them. This is achieved with Digital Asset Links files, which let credential providers securely share credentials between your app and website. For example, a website can declare in a Digital Asset Links file that it shares credentials with an Android app or with another website. With this association in place, your users get a seamless sign-in experience and can use the same saved credentials across the associated apps and websites.

To let credential providers use the same passkeys and passwords across both your app and your website, create a Digital Asset Links file for your app with the following steps:

1. Create a file named assetlinks.json with the following structure:

```json
[
  {
    "relation" : [
      "<array_of_permissions_granted_to_app>"
    ],
    "target" : {
      "namespace" : "android_app",
      "package_name" : "<android_application_package_name>",
      "sha256_cert_fingerprints" : [
        "<sha256_certificate_fingerprint_of_signing_key>"
      ]
    }
  }
]
```
  • relation: An array of one or more strings that describe the relationship being declared. To declare that apps and sites share sign-in credentials, specify the following relationships in the array:

    • delegate_permission/common.handle_all_urls: This relation enables Android App Links, which lets your Android app handle all web URLs for a specific domain.

    • delegate_permission/common.get_login_creds: This relation enables sharing credentials between your website and your Android app.

  • target: An object that specifies the asset that the declaration applies to.

    • target.namespace: Set this to android_app.
    • target.package_name: Set this to the package name declared in the app's manifest, for example, com.example.android.
    • target.sha256_cert_fingerprints: The SHA256 fingerprints of your app's signing certificate. To retrieve the SHA256 fingerprint for your app, see Declare website associations.

An example target for an app is as follows (SHA_HEX_VALUE is a placeholder for your certificate fingerprint and must be a quoted JSON string):

```json
[
  {
    "relation" : [
      "delegate_permission/common.handle_all_urls",
      "delegate_permission/common.get_login_creds"
    ],
    "target" : {
      "namespace" : "android_app",
      "package_name" : "com.example.android",
      "sha256_cert_fingerprints" : [
        "SHA_HEX_VALUE"
      ]
    }
  }
]
```

2. Host the Digital Asset Links file at the following location on the sign-in domain for your website:

```none
https://domain[:optional_port]/.well-known/assetlinks.json
```

For example, if your sign-in domain is signin.example.com, host the file at: https://signin.example.com/.well-known/assetlinks.json.

The MIME type for the Digital Asset Links file must be JSON. Make sure that the server sends a Content-Type: application/json header in the response, with the HTTP status set to 200.

3. Allow retrieval of the Digital Asset Links file

Update your host to permit Google to retrieve your Digital Asset Links file. Most websites allow any automated agent to retrieve files in the /.well-known/ path so that other services can access the metadata in those files.

If you have a robots.txt file, allow web crawlers to retrieve /.well-known/assetlinks.json by updating the robots.txt as follows:

```none
User-agent: *
Allow: /.well-known/
```

4. Update the app's manifest

In your app's manifest file, add the following lines under <application>:

```xml
<meta-data android:name="asset_statements" android:resource="@string/asset_statements" />
```

5. Configure Digital Asset Links for passwords

If you are using Credential Manager for passwords, you must complete an additional step to configure digital asset links.

Add an object that specifies which assetlinks.json files to load, in the asset_statements string resource that the manifest references. You must escape any apostrophes and quotation marks in the string, as shown in the following example:

```xml
<string name="asset_statements" translatable="false">
[{
  \"include\": \"https://signin.example.com/.well-known/assetlinks.json\"
}]
</string>
```

The https://signin.example.com/.well-known/assetlinks.json link must return an HTTP 200 response and have a Content-Type header of application/json. Verification fails if the response has a 301 or 302 HTTP redirect or a non-JSON Content-Type.

The following example shows a sample request and the expected response headers:

```none
> GET /.well-known/assetlinks.json HTTP/1.1
> User-Agent: curl/7.35.0
> Host: signin.example.com

< HTTP/1.1 200 OK
< Content-Type: application/json
```
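The checks described above (a 200 response with no redirect and an application/json Content-Type, plus a statement whose relation and target fields match the structure from step 1) can be scripted before you ship. The following Python is an added example, not code from the Android documentation or the Credential Manager library; the fingerprint, package name and response headers it uses are constructed sample values.

```python
import json
import re

# Constructed sample of a hosted assetlinks.json (not from any real domain).
FP = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"  # 16 constructed bytes
SAMPLE_BODY = json.dumps([{
    "relation": ["delegate_permission/common.handle_all_urls",
                 "delegate_permission/common.get_login_creds"],
    "target": {"namespace": "android_app", "package_name": "com.example.android",
               "sha256_cert_fingerprints": [FP + ":" + FP]}}])
# A signing-certificate fingerprint is 32 colon-separated hex bytes.
FINGERPRINT_RE = re.compile(r"^([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$")
REQUIRED_RELATIONS = {"delegate_permission/common.handle_all_urls",
                      "delegate_permission/common.get_login_creds"}

def check_response(status, headers):
    """Problems with the response that served assetlinks.json (empty list = OK)."""
    problems = []
    if status != 200:  # a 301/302 redirect is not followed during verification
        problems.append(f"HTTP status {status}, expected 200 with no redirect")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type {ctype!r}, expected application/json")
    return problems

def check_statements(body, package_name):
    """Problems with the statements for one Android package (empty list = OK)."""
    try:
        statements = json.loads(body)
    except ValueError as exc:
        return [f"body is not valid JSON: {exc}"]
    if not isinstance(statements, list):
        return ["top-level value must be a JSON array of statements"]
    problems, matched = [], False
    for i, st in enumerate(statements):
        target = st.get("target", {})
        if target.get("namespace") != "android_app" or target.get("package_name") != package_name:
            continue  # statement is about a different app or about a website
        matched = True
        problems += [f"statement {i}: missing relation {r}"
                     for r in sorted(REQUIRED_RELATIONS - set(st.get("relation", [])))]
        fps = target.get("sha256_cert_fingerprints", [])
        if not fps:
            problems.append(f"statement {i}: no sha256_cert_fingerprints")
        problems += [f"statement {i}: malformed fingerprint {fp!r}"
                     for fp in fps if not FINGERPRINT_RE.match(fp)]
    if not matched:
        problems.append(f"no android_app statement for package {package_name}")
    return problems
```

Feed check_response the status and headers from a real fetch of your own /.well-known/assetlinks.json, and check_statements the body, to catch a redirecting host, a wrong Content-Type, or a statement that is missing the get_login_creds relation before a credential provider does.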

Next steps

After adding the necessary dependencies and configuring Digital Asset Links for passkeys, you can use Credential Manager to implement the supported authentication methods: Passkeys and Sign in with Google. To get started, see the following developer guides: