My use-case
I have an API deployed on Google Cloud Platform, with Google Cloud Endpoints as the API Manager. For those who are familiar with Endpoints, I'm using the ESP on GKE. My API serves as a webhook for an action deployed on Actions On Google. On the API side, I need to verify that the request is actually coming from Actions On Google.
As stated in the doc, the request coming from Actions On Google contains a token (JWT format) in the Authorization header:
    authorization: "<JWT token>"
So I need to verify this token with Cloud Endpoints.
The problem
Cloud Endpoints uses OpenAPI 2.0 (aka Swagger), and the specification mentions only the following security schemes: "basic", "apiKey" or "oauth2". It seems that what Actions On Google uses is not based on any of them.
What I tried
I tried to consider the JWT as an OAuth2 token using the following OpenAPI definition:
    securityDefinitions:
      ActionsOnGoogle:
        authorizationUrl: ""
        type: "oauth2"
        flow: "implicit"
        x-google-issuer: "https://accounts.google.com"
        x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
        # Endpoints reads the accepted audiences from the x-google-audiences extension
        x-google-audiences: "{{ my-gcp-project-id }}"
It did not work because Cloud Endpoints ESP checks that the value of the Authorization header starts with "Bearer"; otherwise it rejects the request (code).
My second option was to consider the JWT in the Authorization header as an API key. But Cloud Endpoints supports only API keys managed by GCP.
My question
Is it possible to validate requests coming from Actions On Google with Google Cloud Endpoints?
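What the verification in the question amounts to, as an added Go example that is not part of the original post and not ESP's or Google's code: the checks an API manager applies to the Authorization header (Bearer scheme, RS256 signature against a JWKS keyed by kid, issuer, audience, expiry). So that it runs offline, the block signs its own token with a freshly generated key standing in for Google and serves a JWKS built from that key; the function names (signRS256, jwksFor, keyFor, VerifyAuthorization), the kid "k1" and the project ID "my-gcp-project-id" are assumptions. A real deployment fetches the key set from the jwks_uri instead of building it locally.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type JWK struct{ Kty, Kid, N, E string } // subset of a JWKS entry; json.Unmarshal matches kty/kid/n/e case-insensitively
type JWKS struct{ Keys []JWK }

// Claims holds the claims to check; Actions on Google sends aud as one string (the project ID).
type Claims struct {
	Iss, Aud string
	Exp      int64
}

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// signRS256 is a hypothetical stand-in issuer (not Google's) so the example runs offline.
func signRS256(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(map[string]interface{}{"iss": c.Iss, "aud": c.Aud, "exp": c.Exp})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// jwksFor renders a public key the way a jwks_uri document would carry it.
func jwksFor(pub *rsa.PublicKey, kid string) JWKS {
	e := b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: e}}}
}

// keyFor picks the JWKS entry named by the token's kid, or nil if none matches.
func keyFor(jwks JWKS, kid string) *rsa.PublicKey {
	for _, k := range jwks.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == kid && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// VerifyAuthorization applies the checks an API manager makes on the Authorization header:
// Bearer scheme (ESP rejects anything else), RS256 only (alg=none refused), signature, iss, aud, exp.
func VerifyAuthorization(header string, jwks JWKS, issuer, audience string, now time.Time) (*Claims, error) {
	if !strings.HasPrefix(header, "Bearer ") {
		return nil, errors.New("authorization header does not use the Bearer scheme")
	}
	parts := strings.Split(strings.TrimPrefix(header, "Bearer "), ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed JWT header or unsupported alg")
	}
	pub := keyFor(jwks, hdr.Kid)
	if pub == nil {
		return nil, errors.New("no JWKS key matches kid")
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("unexpected audience %q", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := signRS256(key, "k1", Claims{Iss: "https://accounts.google.com", Aud: "my-gcp-project-id", Exp: time.Now().Add(time.Hour).Unix()})
	_, err := VerifyAuthorization(tok, jwksFor(&key.PublicKey, "k1"), "https://accounts.google.com", "my-gcp-project-id", time.Now())
	fmt.Println("raw token without Bearer prefix:", err) // rejected before any signature check, as the ESP does
}
```

The Bearer check comes first, which mirrors the behaviour the question runs into: a header holding the bare JWT is refused before the signature is ever examined. The alg check is deliberate as well, since a verifier that trusts the token's own alg field can be handed an unsigned alg=none token; and Google's ID-token documentation lists both "accounts.google.com" and "https://accounts.google.com" as possible iss values, so a production verifier should accept whichever of the two its tokens actually carry.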