Service accounts are special Google accounts that can be used by applications to access Google APIs programmatically via OAuth 2.0. A service account uses an OAuth 2.0 flow that does not require human authorization. Instead, it uses a key file that only your application can access. This guide discusses how to access the Content API for Shopping with service accounts.
Note: Applications using service accounts for authentication can only access your own Merchant Center account. If you are writing a third-party application that needs access to your clients' Merchant Center accounts, please see the Authorizing Requests guide instead.
- A Merchant Center account.
- Generate service-account credentials or access the public credentials you've already generated. You will need to create an OAuth 2.0 Client ID and obtain a *.json private key file:
- Go to the Google API Console.
- Select a project in the drop-down menu at the top of the page. If you do not have one yet, create one by clicking Create Project.
- If you have not already enabled the Content API for Shopping for this project, then search for it in the list of Google APIs and enable it.
- In the sidebar on the left, select Credentials.
- To set up a service account, select Create credentials, and then Service account key.
- On the next page, select New service account from the drop-down list.
- Name the new service account. This also serves as the default username for the service account ID. Remember the service account ID for use later.
The choice of role for the service account will not have any effect on what calls can be made to the Content API, as access to Content API methods is determined instead by the role associated with the service account ID in Merchant Center. If you are unsure what to pick, just pick Project►Viewer.
- Select JSON for the key type, then click Create.
- The Create button will change to Creating..., and once the key generation finishes, it will automatically download the private key as a *.json file.
Important: Protect the *.json key file that allows a service account to access the Google services for which it has been authorized. It is good practice to allow service accounts to only access one Google API each. This is a preventative measure to mitigate the amount of data an attacker can access in the situation that the service account’s *.json key file is compromised.
- You will be returned to the Credentials page, and you should see the new service account in the list of service account keys for your account.
- Add the new service account as a user to your Merchant Center account. If you are a third party developer, you will need to have your client do this step for you.
- Go to your Merchant Center account.
- Go to the 'Users' list in the settings of your Merchant Center account.
- Click the +User button, and use the service account ID as the email address for the new user.
- Fill in the form with the service account ID, and select the desired user role(s). At least one must be chosen, and use of the
Accountsservice requires the Admin role.
If you did not take note of the service account ID earlier, go to the Service Accounts administration page and select the project you created.
- Click on the Save button. You will be returned to the list of users, and the service account ID should be listed with the chosen user role(s).
- Repeat the process for all other service accounts you want to add.
- View existing service account users by going to the Users tab. These will be users with an email address ending in 'gserviceaccount.com'.
- Now you can access your Merchant Center account using the service account either by using the Google Application Default Credentials flow or by using the service account flow directly. The Content API for Shopping Samples show how to use both flows for service account credentials in each supported programming language. Please check out the code samples to try out your new service account and to learn what changes you will need to use service accounts in your own code.
Can I log into the Merchant Center web user interface with my service account?
No, service accounts are not regular Google accounts and cannot access the Merchant Center web user interface.
How often do I need to refresh service account access tokens?
Access tokens expire one hour after they are issued by the Google OAuth 2.0 Authorization Server. When an access token expires, the application should use the client library to fetch another access token.