If your app that uses Smart Lock for Passwords shares a user database with your
website—or if your app and website use federated sign-in providers such
as Google Sign-In—you can associate the app with the website so that
users save their credentials once and then automatically sign in to both the
app and the website.
To associate an app with a website, declare associations by hosting a
Digital Asset Links
JSON file on your website, and
adding a link to the Digital Asset Link file to your app's manifest.
By hosting a Digital Asset Links declaration on your website, you also enable
your website to share
autofill
data with your app when running on Android 8.0 and newer.
Prerequisites
Your website's sign-in domain must be available through HTTPS.
Associate your app with your website
Create a
Digital Asset Links
JSON file.
For example, to declare that the website
https://signin.example.com
and
an Android app with the package name
com.example
can share sign-in
credentials, create a file named
assetlinks.json
with the following
content:
[{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "web",
"site": "https://signin.example.com"
}
},
{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "android_app",
"package_name": "com.example",
"sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
]
}
}]
The
relation
field is an array of one or more strings that describe the
relationship being declared. To declare that apps and sites share sign-in
credentials, specify the string
delegate_permission/common.get_login_creds
.
The
target
field is an object that specifies the asset the declaration
applies to. The following fields identify a website:
namespace
|
web
|
site
|
The website's URL, in the format
https://
domain
[:
optional_port
]
; for
example,
https://www.example.com
.
The
domain
must be fully-qualified., and
optional_port
must be omitted when using port 443 for
HTTPS.
A
site
target can only be a root domain: you cannot
limit an app association to a specific subdirectory. Do not include a
path in the URL, such as a trailing slash.
Subdomains are not considered to match: that is, if you specify the
domain
as
www.example.com
, the domain
www.counter.example.com
is not associated with your app.
|
The following fields identify an Android app:
namespace
|
android_app
|
package_name
|
The package name declared in the app's manifest. For example,
com.example.android
|
sha256_cert_fingerprints
|
The SHA256 fingerprints of your app’s signing certificate. You can
use the following command to generate the fingerprint:
$ keytool -list -v -keystore my-release-key.keystore
|
See the
Digital Asset Links reference
for details.
Host the Digital Assets Link JSON file at the following location on the
sign-in domain:
https://
domain
[:
optional_port
]/.well-known/assetlinks.json
For example, if your sign-in domain is
signin.example.com
, host the JSON
file at
https://signin.example.com/.well-known/assetlinks.json
.
The MIME type for the Digital Assets Link file needs to be JSON. Make sure
the server sends a
Content-Type: application/json
header in the response.
Ensure that your host permits Google to retrieve your Digital Asset Link
file. If you have a
robots.txt
file, it must allow the Googlebot agent to
retrieve
/.well-known/assetlinks.json
. Most sites can simply allow any
automated agent to retrieve files in the
/.well-known/
path so that other
services can access the metadata in those files:
User-agent: *
Allow: /.well-known/
Declare the association in the Android app.
Add the following line to the manifest file under
<application>
:
<meta-data android:name="asset_statements" android:resource="@string/asset_statements" />
Add an
asset_statements
string resource to the
strings.xml
file.
The
asset_statements
string is a JSON object that specifies the
assetlinks.json
files to load. You must escape any apostrophes and
quotation marks you use in the string. For example:
<string name="asset_statements" translatable="false">
[{
\"include\": \"https://signin.example.com/.well-known/assetlinks.json\"
}]
</string>
> GET /.well-known/assetlinks.json HTTP/1.1
> User-Agent: curl/7.35.0
> Host: signin.example.com
< HTTP/1.1 200 OK
< Content-Type: application/json
Publish the app to Google Play Store. It needs to be released in the public
channel for associations to be picked up.
(Optional) Complete and submit the
Smart Lock for Passwords affiliation form
to indicate that you went
through the process. Google periodically checks whether affiliations
submitted through the form actually work and might contact you in case of
problems.
When verification has completed, users of your app can save their credentials on
either your app or your website and be automatically signed in to both.
Example: Associate multiple apps with a website
You can associate multiple apps with a website by specifying each app in the
Digital Assets Link file. For example, to associate the
com.example
and
com.example.pro
apps with the site at
https://signin.example.com/
, specify
both apps in the JSON file hosted at
https://signin.example.com/.well-known/assetlinks.json
:
[{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "web",
"site": "https://signin.example.com"
}
},{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "android_app",
"package_name": "com.example",
"sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
]
}
},{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "android_app",
"package_name": "com.example.pro",
"sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
]
}
}]
Then, declare the association in both apps:
Add the following line to the manifest file under
<application>
:
<meta-data android:name="asset_statements" android:resource="@string/asset_statements" />
Add the following string resource to the
strings.xml
file:
<string name="asset_statements" translatable="false">
[{
\"include\": \"https://signin.example.com/.well-known/assetlinks.json\"
}]
</string>
Example: Associate apps with multiple websites
You can associate apps with multiple websites by specifying each website in the
Digital Assets Link file and hosting the file on each website. For example, to
associate the
com.example
and
com.example.pro
apps with the site at
https://signin.example.com/
and
https://m.example.com/
, specify
both apps and both sites in the JSON file hosted at
https://signin.example.com/.well-known/assetlinks.json
:
[{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "web",
"site": "https://signin.example.com"
}
},{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "web",
"site": "https://m.example.com"
},
},{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "android_app",
"package_name": "com.example",
"sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
]
}
},{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "android_app",
"package_name": "com.example.pro",
"sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
]
}
}]
Then, in the JSON file hosted at
https://m.example.com/.well-known/assetlinks.json
, include the primary Digital
Asset Links file:
[{
"include": "https://signin.example.com/.well-known/assetlinks.json"
}]
Finally, declare the association in both apps:
Add the following line to the manifest file under
<application>
:
<meta-data android:name="asset_statements" android:resource="@string/asset_statements" />
Add the following string resource to the
strings.xml
file:
<string name="asset_statements" translatable="false">
[{
\"include\": \"https://signin.example.com/.well-known/assetlinks.json\"
}]
</string>