
How Google's Sign-In Works with FedCM

Source: DEV Community

Sign in with Google uses a federated model in which Google acts as the Identity Provider (IdP) and the apps that accept its logins are Relying Parties (RPs). Instead of the app creating and storing a new password for the user, Google issues a cryptographically signed ID token that the app's backend verifies. In current browsers this flow is carried by the FedCM (Federated Credential Management) API, which puts the browser in the middle of the identity exchange.

For returning users, developers can enable Google One Tap to skip the account picker. This short-lived pop-up appears alongside the standard sign-in button. The flow still depends on the user's Google session cookies, but under FedCM those cookies stay first-party to google.com: your site cannot read them, and the browser mediates the exchange so that the IdP cannot use it to track the user across sites.

Setting this up requires registering your app in the Google Cloud Console to obtain a Client ID and configuring an OAuth consent screen. Convenient as it is, it concentrates risk: a compromised Google account exposes every app linked to it. The author uses it for non-critical apps, weighing that convenience against the standing advice never to reuse a password across services.