Configure a Google API Console Project for the Google Ads API

Credentials for accessing Google's OAuth2 servers are required in order to authenticate and authorize Google Ads users. These credentials identify your app to Google, enabling you to generate OAuth tokens for managing Google Ads users. Access to Google OAuth2 credentials is managed from the Google API Console.

Watch this video for some Cloud project best practices

Google OAuth verification

Any Google Cloud app used to obtain credentials for the Google Ads API scope will need to undergo a Google OAuth verification to avoid an unverified UI screen for its users. An app, in this context, is defined as a unique OAuth 2.0 Client ID in Google Cloud.

This verification is independent and in addition to any reviews conducted as part of the developer token approval process, and is required since the Google Ads API scope is a sensitive scope.

There is no cost for the Google verification, which typically completes in 3 to 5 business days. This policy applies to all apps.

We recommend that all apps undergo the Google OAuth verification process as soon as possible to avoid any business interruptions.

Create a project

Go to the Google API Console. Click Create project, enter a name, and click Create.

Enable the Google Ads API in your project

To enable the Google Ads API for your project, follow these steps:

  1. Open the API Library in the Google API Console. If prompted, select your project or create a new one. The API Library lists all available APIs, grouped by product family and popularity.

  2. Use search to find the Google Ads API if it isn't visible in the list.

  3. Select the Google Ads API, then click the Enable button.

Choose a user type and publishing status

After enabling the API, you must then specify your project's User type and Publishing status. The following table highlights some key attributes and limitations of each combination of these settings. For more details, refer to the Google Cloud Platform documentation.

User type Publishing status Limitations
Internal Testing
  • Only available for projects associated with a Google Cloud Organization.
  • Limited to up to 100 test users listed in the OAuth consent screen.
  • Test users must be internal users in the Google Cloud Organization associated with the project.
  • Authorizations expire seven days from the time of consent.
External Testing
  • Available for all projects.
  • Limited to up to 100 test users listed in the OAuth consent screen.
  • Test users can be any user with a Google Account.
  • Authorizations expire seven days from the time of consent.
Internal In production
  • Only available for projects associated with a Google Cloud Organization.
  • Allows authorizing any user within the Google Cloud Organization associated with the project.
External In production
  • Available for all projects.
  • Allows authorizing any user with a Google Account.

Not completing the Google OAuth verification results in the following, regardless of the User type or Publishing status of your project:

  • During the authorization process, users are presented with an unverified UI screen.

  • You are limited to authorizing only 100 users.

  1. Open the Consent Screen page, and select your project in the dropdown menu at the top of the page.

  2. Select the User Type and click CREATE.

  3. Fill out the consent screen form. You can edit this later if needed. Click SAVE AND CONTINUE when done.

  4. On the next page, click ADD OR REMOVE SCOPES.

    • Scroll down and enter the following in the field under Manually add scopes:

      https://www.googleapis.com/auth/adwords
      
    • Click ADD TO TABLE.

    • Add any other scopes your project will request, then click UPDATE.

    • Click SAVE AND CONTINUE.

  5. If you don't plan to publish your project immediately, add the email address of each user account you'll use for testing, then click SAVE AND CONTINUE.

  6. Review the summary page and click BACK TO DASHBOARD.

Once you've tested your application and the authorization process, you can return to the dashboard and click PUBLISH APP to change its Publishing status from Testing to In production.

Select an app type

There are two app type options for the Google Ads API: Desktop or Web. Refer to the following table to determine which type is most appropriate for the app you want to build:

Choose this app type If ...
Desktop app
  • You're managing all of your Google Ads accounts using a single top level manager account.
  • You're a first-time user, or want to get started quickly with the simplest setup.
  • Your app will only authenticate Google users from one machine.
Web app
  • You want to authenticate as a user who can grant permission to your app to access their Google Ads account data.
  • You want to easily generate multiple authorization credentials, to manage third-party accounts for example.
  • Your app requires callback URLs. Callback URLs are not supported in the desktop app flow.

For more details, refer to the Google Identity Platform OAuth documentation for desktop apps or web apps.

Create a client ID and client secret

Once you've determined your app type, follow the instructions below to generate the OAuth2 client ID and client secret:

  1. Open the Credentials page. Select a previously created project or create a new one.

  2. On the Credentials screen, click CREATE CREDENTIALS, then select OAuth client ID.

    1. If you hadn't configured an OAuth consent screen for this project previously, you'll be directed to do so now. Click CONFIGURE CONSENT SCREEN.

      1. Select the user type and click CREATE.

      2. Fill out the initial form. You can edit this later if needed. Click Save when done.

    2. Navigate back to Credentials > CREATE CREDENTIALS > OAuth client ID to continue.

  3. Select either Desktop app or Web application as the app type, depending on your use case.

  4. Give it a name, then click Create.

  5. If your client type is Web application, add at least one authorized redirect URI.

    For local testing that's compatible with the default configuration in our client library examples, use http://127.0.0.1.

    For Desktop app clients, you will still use a loopback IP redirect, but the URI is not explicitly configured in the Cloud console.

  6. On the confirmation page, copy Your Client ID and Your Client Secret to your clipboard, as you will need them when you configure your client library. You can also return to the credentials page later to retrieve these details.