Troubleshoot Directory API issues

This page describes some common issues that you might encounter involving the Directory API as a reseller.

400:badRequest

This error occurs when an incorrect parameter value is passed into the method.

If using the users.get method, verify that the value passed into the userKey parameter is either the user's primary email address, alias email address, or unique user ID.

If using the users.list method, verify the following parameters:

  • customer parameter: Only use the customerId that was generated by Google. Don't use the actual customer's domain. We recommend using this parameter because if a customer has secondary domains, using the domain parameter only returns users with email addresses on that particular domain.
  • domain parameter: Only use the actual customer's domain. Don't use the
    customerId that was generated by Google.

403:domainCannotUseApis

This error occurs when your customer has disable reseller access to the Admin SDK API. To resolve this issue, ask your customer to re-enable access to the Admin SDK API. For more information, see Control API access.

If you're trying to get the count of current licensed users and you get this error, instead of calling the users.list method, use the licensedNumberOfSeats field from the subscription resource.

403:forbidden

This error occurs when you don't own the customer or your customer has disabled reseller access to their Admin console.

To resolve this issue, either call the customers.get method before making calls to verify reseller ownership of customer or ask your customer to re-enable reseller access to their Admin console. For more information, see Access a customer's Admin console.

403:usageLimits.accessNotConfigured

This error occurs when the API isn't enabled in the Google Cloud project. To resolve this issue, go to the Google Cloud console, and enable the API. For more information, see Enable Google Workspace APIs.

409:duplicate

This error occurs when you're trying to add a new user, but the customer's primary email already exists within one of the following:

  • Current Google Workspace account that you're trying to add them to.
  • Another Google product (not Google Workspace).

To resolve this issue, do the following:

  1. Call the users.get method.

    If you get a 200 response, then the user already exists in the customer's Google Workspace Account. You can't add this user to the account.

    If you get a 403 forbidden response, then either the domain in the primary email parameter isn't a resold customer or the primary email has been used previously for a different Google product and the customer's domain must first be verified before this user can successfully be added.

  2. If you can verify the customer's domain, do the following:

    1. Create a temporary admin user using the users.insert method and continue provisioning to the final domain verification step.
    2. When verifying the domain, add the temporary users into the owners[] parameter of the request body for the webResource.insert call. Make this call until you receive a 200 response.
    3. After the domain is verified, rename the temporary username by using either the users.patch or the users.update methods.
  3. If you can't verify the customer's domain, do the following:

    1. Create a temporary admin user using the users.insert method.
    2. Have your customer sign in as the temporary user and verify their domain through the Admin console.
    3. After the domain is verified, either the customer or you can rename the temporary username. You can use either the users.patch or the users.update methods.

412:limitExceeded

This error occurs when your customer has reached their maximum seat limit. To resolve this issue, Use the subscriptions.changeSeats method and depending on their subscription plan, use the following:

  • For FLEXIBLE, increase the maximumNumberOfSeats parameter.
  • For ANNUAL, increase the numberOfSeats parameter.