OAuth 2.0 Internals for Google Ads API

  • This guide is for advanced users familiar with OAuth 2.0 and its use with Google APIs, offering behind-the-scenes details on authentication with the Google Ads API.

  • Access tokens control API access, determined by the 'scope' parameter, with the Google Ads API scope being https://www.googleapis.com/auth/adwords.

  • Offline access is available for client apps; web apps require setting access_type to offline, while desktop apps have it enabled by default.

  • Access tokens are passed via the Authorization HTTP header for REST or bound to a Channel for gRPC, and can be refreshed using a securely stored refresh token.

  • Client libraries automatically handle token refresh, but developers can consult guides for desktop and web app token management.

This section is intended for advanced users who are already familiar with the OAuth 2.0 specification and know how to use OAuth 2.0 with Google APIs.

Scope

A single access token can grant varying degrees of access to multiple APIs. A variable parameter called scope controls the set of resources and operations that an access token permits. During the access token request, your app sends one or more values in the scope parameter.

The scope for the Google Ads API is:

https://www.googleapis.com/auth/adwords

Offline access

It's common for a Google Ads API client app to request offline access. For example, your app may want to run batch jobs when your user is not physically online browsing your website.

To request offline access for a web app type, make sure you set the access_type parameter to offline. You can find additional information in Google's OAuth2 guide.

For the desktop app type, offline access is enabled by default—you don't have to explicitly request it.
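The scope and offline-access settings described above, as an added Python example that is not from the original guide or from Google's client libraries: it builds the consent URL for a web app, validates the redirect back to the app, and checks that the token endpoint's reply carries the Google Ads scope and a refresh token. The client ID, redirect URI, function names and sample callback are assumptions, and the `state` check is a standard OAuth 2.0 anti-CSRF measure that this page does not itself discuss.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
ADS_SCOPE = "https://www.googleapis.com/auth/adwords"  # scope given on this page


def build_authorization_url(client_id, redirect_uri):
    """Return (url, state) for a web app consent request with offline access."""
    state = secrets.token_urlsafe(32)  # anti-CSRF value; store in the user's session
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": ADS_SCOPE,        # request only the Google Ads scope
        "access_type": "offline",  # web app type must ask for this explicitly
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def extract_code(callback_url, expected_state):
    """Check the redirect back to the app and return the authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    returned = query.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def check_token_response(token_response):
    """Confirm the token endpoint's JSON reply grants offline Google Ads access."""
    if ADS_SCOPE not in token_response.get("scope", "").split():
        raise ValueError("Google Ads scope was not granted")
    if not token_response.get("refresh_token"):
        raise ValueError("no refresh token: offline access was not granted")
    return token_response["refresh_token"]


if __name__ == "__main__":
    # Constructed sample values; the client ID and redirect URI are placeholders.
    url, state = build_authorization_url("example-client-id", "https://app.example/oauth2callback")
    print(url)
    print(extract_code(f"https://app.example/oauth2callback?state={state}&code=SAMPLE_CODE", state))
```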

Request headers

gRPC headers

When using the gRPC API, include the access token in each request. You can bind a Credential to a Channel for use on all requests on that channel. You can also send a customized credential for each call. The gRPC Authorization guide contains more details on handling authorization.

REST headers

When using the REST API, pass the access token through the HTTP header Authorization. An example HTTP request is shown:

# Returns the resource names of customers directly accessible by the user
# authenticating the call.
#
# Variables:
#   API_VERSION,
#   DEVELOPER_TOKEN,
#   OAUTH2_ACCESS_TOKEN:
#     See https://developers.google.com/google-ads/api/rest/auth#request_headers
#     for details.
#
curl -f --request GET \
"https://googleads.googleapis.com/v${API_VERSION}/customers:listAccessibleCustomers" \
--header "Content-Type: application/json" \
--header "developer-token: ${DEVELOPER_TOKEN}" \
--header "Authorization: Bearer ${OAUTH2_ACCESS_TOKEN}"