How to Call a FastAPI Endpoint on Google App Engine Protected by IAP as an End User?

Question

I have a Python FastAPI application hosted on Google App Engine, and it's protected by Google Identity-Aware Proxy (IAP). I am trying to call the API as an end user (not using a service account). I understand that IAP requires an identity token to authenticate the user.

Here’s what I’ve tried so far:

1. Generated an identity token using the following command:

gcloud auth print-identity-token

2.Passed the identity token in the Authorization header while making a POST request:

import requests

# API URL
url = "https://service-dot-project-id.el.r.appspot.com/endpoint"

# Generate identity token using gcloud
identity_token = "output_of_gcloud_auth_print_identity_token"

# Include the token in the Authorization header
headers = {
    "Authorization": f"Bearer {identity_token}",
}

payload = {
    # Payload data
}

# Make the POST request
response = requests.post(url, json=payload, headers=headers)

# Print the response
print(response.status_code)
print(response.json())

3. However, I get the following error:

JSONDecodeError: Expecting value: line 1 column 1 (char 0)

4. IMP: When I turn off IAP protection, the API works perfectly, and the response is returned as expected.

Question: Is there a simple way to call an IAP-protected API directly from Python code as an end user (not as service account)? Am I missing any step in the process of using the identity token? I’m looking for an easy-to-follow method to handle this. Any guidance or examples would be greatly appreciated!