Title

Google Sign‑In on Android: Why you must use the Web Client ID (not the Android Client ID) with Credential Manager / Google Identity Services

Question

I was integrating Google Sign‑In in my Android app using Kotlin + Jetpack Compose and the new Credential Manager API with Google Identity Services.

I went to Google Cloud Console → Create Credentials → OAuth Client ID and, since I was building an Android app, I naturally chose Application type: Android. I added my package name and SHA‑1 fingerprint, got the Android Client ID, and used it in:

val googleIdOption = GetGoogleIdOption.Builder()
    .setServerClientId("MY_ANDROID_CLIENT_ID")
    .build()

But I kept getting:

[28444] Developer console is not set up correctly.

After hours of debugging, I discovered that I actually needed to use the Web application client ID in setServerClientId(...), even though my app is Android‑only.

Why is this the case?
What’s the correct way to set up OAuth in Google Cloud so Google Sign‑In works on Android without this error?

Answer

This confusion is extremely common — you’re not alone.
The short version: Google Sign‑In on Android always requires a Web Client ID for ID token retrieval, even if your app is Android‑only.

Why the Web Client ID is required

• The Android Client ID is used by Google Play Services to validate that the request is coming from your signed APK (package name + SHA‑1).

• The Web Client ID is the one configured for OAuth 2.0 “server” flows — it’s the only type that can issue an ID token that your backend can verify.

• When you call:

  .setServerClientId("...")
  
  

  you are telling Google Identity Services:
  “I want an ID token for this OAuth client.”
  That must be the Web Client ID, because Android Client IDs cannot mint ID tokens for your backend.

Correct setup in Google Cloud Console

1. Create a Web application OAuth client

   • Application type: Web application

   • No need to set redirect URIs for mobile use.

   • Copy the Client ID — this goes into setServerClientId(...) in your Android code.

2. Create an Android application OAuth client

   • Application type: Android

   • Add your package name and SHA‑1 fingerprint (from ./gradlew signingReport or keytool).

   • This links your signed APK to the same project so Google Play Services trusts it.

3. Both clients must be in the same Google Cloud project.

Code example

val googleIdOption = GetGoogleIdOption.Builder()
    .setFilterByAuthorizedAccounts(false)
    .setServerClientId("YOUR_WEB_CLIENT_ID") // from Web application type
    .build()

Common pitfalls

• Using the Android Client ID in setServerClientId → causes [28444] Developer console is not set up correctly.

• SHA‑1 mismatch → ensure you register both debug and release SHA‑1 fingerprints if you test both builds.

• Different projects → both Web and Android clients must be in the same Google Cloud project.

Key takeaway

Even for Android‑only apps, you need both:

• Web Client ID → used in code to request ID tokens.

• Android Client ID → used to verify your app’s signature with Google Play Services.

This is by design in Google’s OAuth architecture — the Web Client ID represents the “server” side of the flow, even if your “server” is just your backend API.

If you post this, it will save a lot of devs from burning hours on the [28444] error.