Overview
Hosted domain (hd) is an OPTIONAL OpenID Connect parameter that streamlines the Authentication Request process for G-Suite hosted accounts. By including the DNS Domain of the G-Suite user (for example, mycollege.edu), you can indicate that the account selection UI should be optimized for accounts at that G-Suite DNS Domain. To optimize for G-Suite accounts generally instead of just one DNS Domain, use an asterisk: hd=*.
You MUST NOT rely on the hd parameter in an Authentication Request to control who can access your app: it is only a UI optimization, and client-side requests can be modified. Be sure to validate that the returned id_token has an hd claim value that matches what you expect (e.g. mycollege.edu). Unlike the Authentication Request parameter, the id_token claim is contained within a security token from Google, so the value can be trusted.
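The server-side check described above, as an added example that is not code from the original page. It assumes `claims` is the payload of an id_token whose signature, aud and exp have already been verified by a JWT library; the function name, exception name, `ANY_HOSTED_DOMAIN` sentinel and sample claims are constructed for illustration.

```python
# Added example: enforce the hd claim on an already-verified Google id_token.
# Assumption: signature, aud and exp were checked before this function is called.

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
ANY_HOSTED_DOMAIN = "*"  # hypothetical sentinel mirroring the hd=* request value


class HostedDomainError(Exception):
    """Raised when a verified id_token is not from an allowed hosted domain."""


def check_hosted_domain(claims, allowed_domains):
    """Return the lower-cased hd claim if it is allowed, otherwise raise.

    The hd value sent in the Authentication Request is deliberately not an
    input: the user agent can change or drop it, so only the claim inside
    the verified token is consulted.
    """
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise HostedDomainError("token was not issued by Google")
    hd = claims.get("hd")
    # Accounts that do not belong to a hosted domain carry no hd claim at all.
    if not isinstance(hd, str) or not hd:
        raise HostedDomainError("token has no hd claim")
    hd = hd.lower()  # DNS names compare case-insensitively
    allowed = {d.lower() for d in allowed_domains}
    # Exact match only: no suffix or substring matching, and the email
    # claim is never used as a stand-in for hd.
    if ANY_HOSTED_DOMAIN not in allowed and hd not in allowed:
        raise HostedDomainError(f"hosted domain {hd!r} is not allowed")
    return hd


if __name__ == "__main__":
    # Constructed sample payloads, standing in for verified id_token claims.
    samples = [
        {"iss": "https://accounts.google.com", "sub": "1", "hd": "mycollege.edu"},
        {"iss": "https://accounts.google.com", "sub": "2", "hd": "other.example"},
        {"iss": "https://accounts.google.com", "sub": "3"},  # no hosted domain
    ]
    for claims in samples:
        try:
            print(claims["sub"], "accepted:", check_hosted_domain(claims, ["mycollege.edu"]))
        except HostedDomainError as err:
            print(claims["sub"], "rejected:", err)
```
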