/.well-known/assetlinks.json
Android's Digital Asset Links file proves that an Android app and a web domain are owned by the same entity. It powers App Links and Smart Lock for Passwords.
What it is
assetlinks.json is Google’s equivalent of Apple’s AASA file. It is a JSON document published at /.well-known/assetlinks.json that declares which Android applications are allowed to act on behalf of your web domain. Android verifies this file before honouring App Links and several credential-sharing features.
The format is defined by the Digital Asset Links protocol, which is also used for cross-app verification and SmartLock.
Why it matters
- Android App Links. With a valid
assetlinks.json, tappinghttps://example.com/orders/123in Gmail or Chrome opens directly in your app, with no “open with” dialog. Without it, the user lands on the web. - Credential sharing. Saved passwords in Chrome can autofill in the corresponding Android app, and vice versa.
- Trust. Google needs cryptographic proof that the same party owns the domain and the app. Hosting this file at a URL only the domain owner controls provides that proof.
If you do not ship an Android app, you do not need this file.
How to implement
Publish a JSON array. Each entry declares one relation between your site and one app.
[
{
"relation": ["delegate_permission/common.handle_all_urls"],
"target": {
"namespace": "android_app",
"package_name": "com.example.app",
"sha256_cert_fingerprints": [
"14:6D:E9:83:C5:73:06:50:D8:EE:B9:95:2F:34:FC:64:16:A0:83:42:E6:1D:BE:A8:8A:04:96:B2:3F:CF:44:E5"
]
}
}
]Rules:
- The path is exactly
/.well-known/assetlinks.json. The.jsonextension is required here (unlike Apple’s AASA). - Serve as
Content-Type: application/jsonover HTTPS. - Respond with
200 OKdirectly. No redirects. - The file must be publicly readable, with no authentication and no aggressive bot rules.
- The
sha256_cert_fingerprintsmust include the SHA-256 of the signing certificate of every release variant — including the Play App Signing key, not just your upload key. - Declare every relevant app, including any beta or staging packages.
Common mistakes
- Listing the upload certificate fingerprint and forgetting Play App Signing’s actual signing certificate.
- Leaving out a package because it shares code with another. Each package needs its own entry.
- Serving the file from a subdomain that is not the eTLD+1 the app is associated with.
- Returning a 301 to a CDN host. Google’s verifier follows redirects in some cases and not others — do not depend on it.
- Letting a deploy pipeline rewrite JSON keys to camelCase.
Verification
curl -s https://example.com/.well-known/assetlinks.json | jq .Use Google’s Statement List Generator and Tester and Android Studio’s “App Links Assistant”. On a device, adb shell pm get-app-links com.example.app shows whether verification succeeded and why if it did not.
Related topics
Sources & further reading
- Digital Asset Links — Verify Android App Links — Google Developers
- Digital Asset Links protocol — Google Developers
- IANA — Well-Known URIs Registry — IANA