Privacy & security

Google APIs

IAP Desktop accesses Google Cloud Platform APIs to perform functions such as the following:

• establish Cloud IAP TCP tunnels to VM instances
• list VMs and obtain metadata and logs for VM instances
• generate Windows logon credentials if requested
• publish SSH public keys if requested

The application uses the following Google APIs for this purpose:

• OAuth 2
• Compute Engine API
• Resource Manager API
• OS Login API
• Logging API
• Security Token Service API

Periodically, IAP Desktop accesses the GitHub API to check for updates. After an upgrade, IAP Desktop also queries the GitHub API to download release notes.

IAP Desktop does not intentionally disclose or transmit any data to APIs other than the ones listed on this page.

Usage data

You can help Google improve and prioritize features and improvements by enabling data sharing under Tools > Options > Data sharing. You can enable or disable data sharing at any time.

When you enable data sharing, IAP Desktop periodically sends anonymous usage data to the Google Analytics Measurement API . Usage data includes information about which menu commands you use, any errors that occured, and similar information.

Usage data doesn't include personal information and isn't associated with your Google account.

Credential storage

All credentials managed by IAP Desktop are stored locally and are encrypted before storage.

OAuth tokens

When you use the application for the first time, you have to authorize it to access your Google Cloud Platform on your behalf. As a result of this authorization, the application receives an OAuth refresh token which allows it to re-authenticate automatically the next time you use it. This refresh token is encrypted by using the Windows Data Protection API (DPAPI) and stored in the current user part of the Windows registry.

Windows logon credentials

IAP Desktop allows you to save Windows logon credentials. These credentials are stored in the current user part of the Windows registry. Like the OAuth refresh token, all passwords are encrypted by using the DPAPI before storage.

SSH keys

For details on how IAP Desktop stores SSH key material, see SSH algorithms and keys.

Proxy credentials

If you've configured IAP Desktop to use an HTTP proxy server that requires authentication, then the proxy credentials are stored in the current user part of the Windows registry. Like the OAuth refresh token, the password is encrypted by using the DPAPI before storage.