OAuth2 Internals for Google Ads API

Our client libraries automatically take care of the details covered below, so continue reading only if you're interested in what's happening behind the scenes, or if you're not using one of our client libraries.

This section is intended for advanced users who are already familiar with the OAuth 2.0 specification and know how to use OAuth2 with Google APIs.



A single access token can grant varying degrees of access to multiple APIs. A variable parameter called scope controls the set of resources and operations that an access token permits. During the access token request, your app sends one or more values in the scope parameter.

The scope for the Google Ads API is:


Offline access

It's common for a Google Ads API client app to request offline access. For example, your app may want to run batch jobs when your user is not physically online browsing your website.

To request offline access for a web app type, make sure you set the access_type parameter to offline. You can find additional information in Google's OAuth2 guide.

For the desktop app type, offline access is enabled by default—you don't have to explicitly request it.

Request headers

gRPC headers

When using the gRPC API, include the access token in each request. You can bind a Credential to a Channel for use on all requests on that channel. You can also send a customized credential for each call. The gRPC Authorization guide contains more details on handling authorization.

REST headers

When using the REST API, pass the access token through the HTTP header Authorization. An example HTTP request is shown below:

GET /v17/customers/123456789 HTTP/2
Host: googleads.googleapis.com
Accept: */*
Authorization: Bearer INSERT_ACCESS_TOKEN

Access and refresh token

In most cases, you need to store the refresh token securely for future use. To learn more about how to request access and refresh tokens, read the corresponding guide for your application type:

Refresh token expiration

For more details about the refresh token expiration, refer to the Google Identity Platform OAuth documentation.

Access token expiration

An access token has an expiration time (based on the expires_in value) after which the token is no longer valid. You can use the refresh token to refresh an expired access token. By default, our client libraries automatically refresh expired access tokens.
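For readers not using a client library, the following added example (not code from this page or from Google's client libraries) sketches the refresh cycle described above: it caches the access token, refreshes it shortly before `expires_in` elapses, and produces the REST `Authorization` header. The class name `AccessTokenCache`, the 60-second skew, and the use of Google's token endpoint `https://oauth2.googleapis.com/token` (not stated on this page) are assumptions of the example.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # assumption: not given on this page

def build_refresh_body(client_id, client_secret, refresh_token):
    """Form-encoded body of a refresh_token grant (RFC 6749, section 6)."""
    return urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()

def post_form(url, body):
    """Default transport: POST the form over TLS and return the parsed JSON reply."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class AccessTokenCache:
    """Holds one access token and refreshes it shortly before it expires."""

    def __init__(self, client_id, client_secret, refresh_token,
                 transport=post_form, clock=time.monotonic, skew=60):
        self._body = build_refresh_body(client_id, client_secret, refresh_token)
        self._transport, self._clock, self._skew = transport, clock, skew
        self._token, self._deadline = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._deadline:
            reply = self._transport(TOKEN_URL, self._body)
            if "access_token" not in reply:
                # Report the error code only; never echo secrets or tokens.
                raise RuntimeError("refresh failed: %s" % reply.get("error", "unknown"))
            self._token = reply["access_token"]
            lifetime = max(0, int(reply.get("expires_in", 0)) - self._skew)
            self._deadline = self._clock() + lifetime
        return self._token

    def rest_headers(self):
        """Header for REST calls, matching the example request above."""
        return {"Authorization": "Bearer " + self.token()}

    def __repr__(self):  # keep token material out of logs and tracebacks
        return "<AccessTokenCache token=%s>" % ("set" if self._token else "unset")
```

The `transport` and `clock` parameters exist so the refresh logic can be exercised offline; in production the defaults apply and the refresh token should come from a secret store rather than source code.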