NAME
    gcloud beta auth application-default print-access-token - print an access
        token for your current Application Default Credentials

SYNOPSIS
    gcloud beta auth application-default print-access-token
        [--lifetime=LIFETIME] [--scopes=SCOPE,[SCOPE,...]]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (BETA) gcloud beta auth application-default print-access-token generates
    and prints an access token for the current Application Default Credential
    (ADC). The ADC (https://google.aip.dev/auth/4110) can be specified either
    by using gcloud auth application-default login, gcloud auth login
    --cred-file=/path/to/cred/file --update-adc, or by setting the
    GOOGLE_APPLICATION_CREDENTIALS environment variable.

    The access token generated by gcloud beta auth application-default
    print-access-token is useful for manually testing APIs via curl or similar
    tools.

    In order to print details of the access token, such as the associated
    account and the token's expiration time in seconds, run:

        $ curl -H "Content-Type: application/x-www-form-urlencoded" \
        -d "access_token=$(gcloud auth application-default print-access-token)" \
        https://www.googleapis.com/oauth2/v1/tokeninfo

    Note that token itself may not be enough to access some services. If you
    use the token with curl or similar tools, you may see permission errors
    similar to "Your application has authenticated using end user credentials
    from the Google Cloud SDK or Google Cloud Shell". If it happens, you may
    need to provide a quota project in the "X-Goog-User-Project" header. For
    example,

        $ curl -H "X-Goog-User-Project: your-project" \
            -H \
            "Authorization: Bearer $(gcloud auth application-default \
         print-access-token)" foo.googleapis.com

    The identity that granted the token must have the serviceusage.services.use
    permission on the provided project. See
    https://cloud.google.com/apis/docs/system-parameters for more information.

FLAGS
     --lifetime=LIFETIME
        Access token lifetime. The default access token lifetime is 3600
        seconds, but you can use this flag to reduce the lifetime or extend it
        up to 43200 seconds (12 hours). The org policy constraint
        constraints/iam.allowServiceAccountCredentialLifetimeExtension must be
        set if you want to extend the lifetime beyond 3600 seconds. Note that
        this flag is for service account impersonation only, so it only works
        when either --impersonate-service-account flag or
        auth/impersonate_service_account property is set.

     --scopes=SCOPE,[SCOPE,...]
        The scopes to authorize for. This flag is supported for user accounts
        and service accounts only. The list of possible scopes can be found at:
        https://developers.google.com/identity/protocols/googlescopes.

        For end-user accounts, the provided scopes must be from [openid,
        https://www.googleapis.com/auth/userinfo.email,
        https://www.googleapis.com/auth/cloud-platform,
        https://www.googleapis.com/auth/sqlservice.login], or the scopes
        previously specified through gcloud auth application-default login
        --scopes.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    This command is currently in beta and might change without notice. These
    variants are also available:

        $ gcloud auth application-default print-access-token

        $ gcloud alpha auth application-default print-access-token

