Our client libraries automatically take care of the details covered below, so continue reading only if you're interested in what's happening behind the scenes, or if you're not using one of our client libraries.
This section is intended for advanced users who are already familiar with the OAuth 2.0 specification and know how to use OAuth2 with Google APIs.
Want to learn more about authentication in the API?
Video library: Authentication and Authorization
A single access token can grant varying degrees of access to multiple APIs. A
variable parameter called
scope controls the set of resources and operations
that an access token permits. During the access token request, your app
sends one or more values in the
The scope for the Google Ads API is:
It's common for a Google Ads API client app to request offline access. For example, your app may want to run batch jobs when your user is not physically online browsing your website.
To request offline access for a web app type, make sure you set the
access_type parameter to
offline. You can find additional information in
Google's OAuth2 guide.
For the desktop app type, offline access is enabled by default—you don't have to explicitly request it.
When using the gRPC API, include the access token in each request. You can bind
Credential to a
Channel for use on all requests on that channel. You can
also send a customized credential for each call. The gRPC
Authorization guide contains more
details on handling authorization.
When using the REST API, pass the access token through the HTTP header
Authorization. An example HTTP request is shown below:
GET /v13/customers/123456789 HTTP/2 Host: googleads.googleapis.com User-Agent: INSERT_USER_AGENT Accept: */* Authorization: Bearer INSERT_ACCESS_TOKEN developer-token: INSERT_DEVELOPER_TOKEN
Access and refresh token
In most cases, you need to store the refresh token securely for future use. To learn more about how to request access and refresh tokens, read the corresponding guide for your application type:
Refresh token expiration
For more details about the refresh token expiration, refer to the Google Identity Platform OAuth documentation.
Access token expiration
An access token has an expiration time (based on the
expires_in value) after
which the token is no longer valid. You can use the refresh token to refresh
an expired access token. By default, our client libraries automatically
refresh expired access tokens.