GitHub Pages blog and Google Search Console: Is it safe to follow these steps for a public repo?

It is totally safe to publish that file. Actually, everyone publishes it if they upload it to their server or add it to the meta tag.

Anyone can access the file by appending its name to the URL of any verified Google Search Console site. It's even easier if they put it in the meta of a site, since you can always look at the source code. The token that you get from Google is totally random and unique. Google just wants to check that you have access to the file system of a server. If somebody else uploads it to their website, you could also prove that their website is yours. The token alone can't authenticate to anything.


The best proof would be that YouTube also published its token. If you do a TXT lookup for youtube.com you get this result:

TXT | youtube.com | google-site-verification=OQz60vR-YapmaVrafWCALpPyA8eKJKssRhfIrzM-DJI


It is safe, and has been done before.

This is about ownership of a website, not authentication/authorization to your own Google Search Console (which remains linked to your Google account).

The official documentation is "Google Site Verification API":

Users can only access certain Google services if their verification data shows that they are the owners of the particular website domain.

You can use the API to generate verification tokens for authenticated users, which your code can place in various ways on your websites or domain records on their behalf.

Once the token is in place, you make a call to the API to ask Google to check for the token.
If Google finds the token, it registers the authenticated user as an owner of the website or domain.

All API calls need to be authorized by an authenticated user, and all API calls are executed in the context of the authenticated user's account.

That means: even if a third party gets hold of your token, it cannot do anything with it, since you (the authenticated Google account user) would not authorize any API call done with it.

More specifically:

Google Site Verification API enforces some restrictions on how it is used:

  • Data access for authenticated user only: All operations require user authentication and authorization.
  • Verification for authenticated user only: The API can only verify ownership of sites or domains for the currently authenticated account.
    However, the authenticated user can delegate ownership to other users after their ownership of a site has been verified.
    Note that all owners are notified by email whenever changes are made to the ownership list.
  • Normalized URLs and domain names only: The Google Site Verification API does not support IDN (International Domain Name) encoding.
    Be sure to normalize all URLs, domain names, and email address domains to the standard domain name character set (RFC 1034 §3.5) using Punycoding if necessary.
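An added illustration of the point both answers make (this is example code written for this page, not Google's implementation or anything from the question): it extracts the publicly visible tokens from the three placements a verifier can see (meta tag, DNS TXT record, verification file) and simulates the check, where a found token only ever makes the account it was issued to an owner. The token, file name and account are constructed placeholders.

```python
from html.parser import HTMLParser

# Constructed values (not real Google tokens), all "issued" to one fictitious account.
TOKEN = "EXAMPLEtoken_NOT_issued_by_Google_0123456789"
FILE_NAME = "google0123456789abcdef.html"
ISSUED_TO = {TOKEN: "owner@example.com", FILE_NAME: "owner@example.com"}

class _MetaScanner(HTMLParser):
    """Collects content= of <meta name="google-site-verification"> tags in page source."""
    def __init__(self):
        super().__init__()
        self.tokens = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == "google-site-verification" and a.get("content"):
            self.tokens.add(a["content"])

def tokens_from_meta(html):
    scanner = _MetaScanner()
    scanner.feed(html)
    return scanner.tokens

def tokens_from_txt(records):
    """Tokens in DNS TXT records shaped like google-site-verification=<token>."""
    prefix = "google-site-verification="
    return {r.strip('"')[len(prefix):] for r in records if r.strip('"').startswith(prefix)}

def tokens_from_files(files):
    """HTML-file method: /google<id>.html must contain 'google-site-verification: google<id>.html'."""
    return {name for name, body in files.items()
            if name.startswith("google") and name.endswith(".html")
            and body.strip() == "google-site-verification: " + name}

def exposed_tokens(site):
    """Everything a third party can read anyway: page source, a TXT lookup, the public file."""
    return tokens_from_meta(site["html"]) | tokens_from_txt(site["txt"]) | tokens_from_files(site["files"])

def verify(site, token):
    """Simulated check: a found token makes the account it was issued to an owner; the copier gains nothing."""
    return ISSUED_TO.get(token) if token in exposed_tokens(site) else None

OWNER_SITE = {"html": '<meta name="google-site-verification" content="%s">' % TOKEN,
              "txt": ['"google-site-verification=%s"' % TOKEN],
              "files": {FILE_NAME: "google-site-verification: " + FILE_NAME}}
# A site that merely copied the public TXT record: it can only make owner@example.com an owner of itself.
COPYCAT_SITE = {"html": "<html></html>", "txt": ["google-site-verification=" + TOKEN], "files": {}}
```

Running `verify(COPYCAT_SITE, TOKEN)` still returns the issuing account, which is exactly why a leaked token gives its finder nothing.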