Service accounts

Service accounts are special Google accounts that can be used by applications to access Google APIs programmatically via OAuth 2.0. A service account uses an OAuth 2.0 flow that does not require human authorization. Instead, it uses a key file that only your application can access. This guide discusses how to access the Content API for Shopping with service accounts.

Note: Applications using service accounts for authentication can only access your own Merchant Center account. If you are writing a third-party application that needs access to your clients' Merchant Center accounts, please see the Authorizing Requests guide instead.


Steps to using a service account to access the Content API for Shopping

  1. Generate service account credentials or access the public credentials you've already generated. You will need to create an OAuth 2.0 Client ID and obtain a *.json private key file:
    1. Go to the Google API Console.
    2. Select a project in the drop-down menu at the top of the page. If you do not have one yet, create one by clicking NEW PROJECT.
    3. If you have not already enabled the Content API for Shopping for this project, then search for it in the list of Google APIs and enable it.
    4. In the sidebar on the left, select Credentials. You may need to click the left-pointing arrow at the top left to see this.
    5. To set up a service account, select CREATE CREDENTIALS, and then Service account.
    6. Name the new service account. This also serves as the default username for the service account ID. Record the service account ID, including the part after the '@' character, for later use. Click CREATE, then go through the optional steps of granting access to project and users, and click DONE.

      The choice of role for the service account will not have any effect on what calls can be made to the Content API, as access to Content API methods is determined instead by the role associated with the service account ID in Merchant Center. If you are unsure what to pick, just pick Project > Viewer.

    7. You will be directed to the Service Accounts page where your new service account can be accessed.
    8. To obtain a JSON private key, click on the service account, then the KEYS tab. Click ADD KEY > Create new key and then select JSON as the key type. Click CREATE to download the private key to your computer.
  2. Add the new service account as a user to your Merchant Center account. If you are a third-party developer, you will need to have your client do this step for you.
    1. Go to your Merchant Center account.
    2. Go to Account Access in the settings of your Merchant Center account.
    3. Click + Add user and use the service account ID as the email address for the new user.

      If you did not take note of the service account ID earlier, go to the Service Accounts administration page and select the project you created.

    4. Specify the User access and Email notifications preferences for the service account. Note that the use of the Accounts service requires Admin access.
    5. Click Add user to save preferences and be returned to the list of users. The service account ID should be listed with the chosen user role.
    6. Repeat the process for all other service accounts you want to add.
  3. Now you can access your Merchant Center account using the service account either by using the Google Application Default Credentials flow or by using the service account flow directly. The Content API for Shopping Samples show how to use both flows for service account credentials in each supported programming language. Please check out the code samples to try out your new service account and to learn what changes you will need to use service accounts in your own code.

Frequently asked questions

Can I sign in to the Merchant Center UI with my service account?
No, service accounts are not regular Google accounts and cannot access the Merchant Center UI.
How often do I need to refresh service account access tokens?
Access tokens expire one hour after they are issued by the Google OAuth 2.0 Authorization Server. When an access token expires, the application should use the client library to fetch another access token.