HelpnetSecurity

Google brings instant email verification to Android, no OTP needed


Google has introduced cryptographically verified email credentials for Android through the Credential Manager API. This API aligns with the W3C Digital Credential API standard. It provides a unified way for apps to request and retrieve user credentials for authentication and authorization.

“By integrating the new verified email via the Credential Manager API, you can reduce onboarding friction and provide a more streamlined and secure authentication flow. This reflects a shift toward a future where verification becomes a seamless part of the native mobile experience,” Niharika Arora, Senior Developer Relations Engineer, and Jean-Pierre Pralle, Product Manager for Credential Manager at Google, explained.

The feature is limited to personal Google Accounts and excludes Workspace and supervised accounts. It is supported on Android 9 (API level 28) and above, including phones, tablets, and foldables, and requires Google Play services version 25.49.x or later.

Users do not need to verify their email through external channels such as one-time passwords or email links. Developers receive verified email claims directly, which can be used for account creation, account recovery, or step-up authentication flows.

The verified email credential is sourced from the user’s Google Account on the device. The underlying Digital Credentials API is issuer-agnostic and allows different providers to issue credentials with their own policies that apps can request and verify.

How it works

When a credential returned through the Credential Manager API carries a verified claim, the issuer is asserting that it has verified that data. The app must still decide for itself whether it trusts that issuer before acting on the claim.

Email verification during sign up (Source: Google)

When a user focuses on an email input field or taps a “Sign up” or “Recover account” button that triggers the Credential Manager API, a native Android bottom sheet appears showing the requested data, such as a verified email address. The user reviews the request and taps “Agree and continue” to share the data. After consent, the app receives the information immediately.

Google recommends prompting users to create a passkey during sign-up to simplify future sign-ins.

Key considerations

Only the email address is verified by Google. Apps may request additional profile information such as name or profile picture, but these fields are not verified.

Google recommends automatically accepting verified @gmail.com addresses, while routing users whose personal Google Account uses a custom domain through the app's existing verification flow, so that users on domains not managed by Google are still served.
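The two considerations above (only the email claim is verified; auto-verify @gmail.com and fall back for everything else) boil down to a small decision policy on the app side. The following is an added example of that policy, not code from Google or from the Credential Manager API: the JSON shape (issuer, email, email_verified, name, picture), the issuer string, the function names and the sample payloads are all assumptions constructed for illustration and would need to be adapted to the real response.

```python
"""App-side policy for a verified email claim (added example, not Google's code).

Assumptions: the credential is handed to us as a JSON object with the keys
issuer / email / email_verified / name / picture.  That shape and the issuer
string are placeholders for this example, not the real API's format.
"""
import json
from dataclasses import dataclass
from enum import Enum
from typing import Any, Dict, Optional, Tuple


class Decision(Enum):
    AUTO_VERIFIED = "auto_verified"  # accept the email claim, skip OTP / email link
    FALLBACK = "fallback"            # run the app's existing verification flow
    REJECT = "reject"                # untrusted issuer or unusable claim


# App-side policy (assumed values for this example, not values from Google):
# issuers whose verified claims this app trusts, and domains it auto-verifies.
TRUSTED_ISSUERS = {"https://accounts.google.com"}
AUTO_VERIFY_DOMAINS = {"gmail.com"}

# Fields a credential may carry but that the issuer does NOT verify.
UNVERIFIED_PROFILE_FIELDS = ("name", "picture")


@dataclass
class Outcome:
    decision: Decision
    email: Optional[str]
    reason: str


def _parse_email(value: Any) -> Optional[Tuple[str, str]]:
    """Return (trimmed address, lowercase domain), or None if unusable."""
    if not isinstance(value, str):
        return None
    address = value.strip()
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return address, domain.lower()


def evaluate_credential(raw_json: str) -> Outcome:
    """Decide whether a returned credential lets us skip email verification."""
    try:
        cred = json.loads(raw_json)
    except json.JSONDecodeError:
        return Outcome(Decision.REJECT, None, "malformed credential payload")
    if not isinstance(cred, dict):
        return Outcome(Decision.REJECT, None, "credential is not an object")

    # The app, not the API, decides which issuers it trusts.
    issuer = cred.get("issuer")
    if not isinstance(issuer, str) or issuer not in TRUSTED_ISSUERS:
        return Outcome(Decision.REJECT, None, f"untrusted issuer {issuer!r}")

    parsed = _parse_email(cred.get("email"))
    if parsed is None:
        return Outcome(Decision.REJECT, None, "missing or malformed email claim")
    address, domain = parsed

    # A claim the issuer did not mark verified is ordinary user input.
    if cred.get("email_verified") is not True:
        return Outcome(Decision.FALLBACK, address, "issuer did not assert verification")

    # Only Google-managed domains are auto-verified; custom domains keep using
    # the app's existing OTP / email-link flow.
    if domain not in AUTO_VERIFY_DOMAINS:
        return Outcome(Decision.FALLBACK, address, f"{domain} is not auto-verified")

    return Outcome(Decision.AUTO_VERIFIED, address, "verified claim from trusted issuer")


def untrusted_profile_fields(raw_json: str) -> Dict[str, str]:
    """Name/picture for prefilling a form only; treat as unverified user input."""
    try:
        cred = json.loads(raw_json)
    except json.JSONDecodeError:
        return {}
    if not isinstance(cred, dict):
        return {}
    return {k: str(cred[k]) for k in UNVERIFIED_PROFILE_FIELDS if k in cred}


# Constructed sample payloads for this example (not captured from a device).
SAMPLES = {
    "gmail": json.dumps({"issuer": "https://accounts.google.com",
                         "email": " Alice@Gmail.com ", "email_verified": True,
                         "name": "Alice Example"}),
    "custom_domain": json.dumps({"issuer": "https://accounts.google.com",
                                 "email": "bob@example.org", "email_verified": True}),
    "unverified": json.dumps({"issuer": "https://accounts.google.com",
                              "email": "carol@gmail.com", "email_verified": False}),
    "untrusted_issuer": json.dumps({"issuer": "https://issuer.invalid",
                                    "email": "dave@gmail.com", "email_verified": True}),
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, evaluate_credential(payload))
```

Note that the email address is kept as returned (only trimmed), while the domain is lowercased solely for the policy comparison; whatever the real response looks like, the three outcomes (accept, fall back, reject) are the decisions an app needs to make before it stores the address as verified.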

The verified email credential feature complements Sign in with Google. Developers should use Sign in with Google when creating a federated login session. Verified Email is suited for flows where users authenticate with a username and password or passkey and require email verification.
