Stay organized with collections
Save and categorize content based on your preferences.
Search Console API auth requirements
Every request your application sends to the Google Search Console API must include an authorization token. The token also identifies your application to Google.
About authorization protocols
Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Sign In With Google, some aspects of authorization are handled for you.
Authorizing requests with OAuth 2.0
All requests to the Google Search Console API must be authorized by an authenticated user.
The details of the authorization process, or "flow," for OAuth 2.0 vary somewhat depending on what kind of application you're writing. The following general process applies to all application types:
When you create your application, you register it using the Google API Console. Google then provides information you'll need later, such as a client ID and a
client secret.
Activate the Google Search Console API in the Google API Console. (If the API isn't listed in the API Console, then skip this step.)
When your application needs access to user data, it asks Google for a particular scope of access.
Google displays a consent screen to the user, asking them to authorize your application to request some of their data.
If the user approves, then Google gives your application a short-lived access token.
Your application requests user data, attaching the access token to the request.
If Google determines that your request and the token are valid, it returns the requested data.
Some flows include additional steps, such as using refresh tokens to acquire new access tokens. For detailed information about flows for various types of applications, see Google's OAuth 2.0 documentation.
Here's the OAuth 2.0 scope information for the Google Search Console API:
To request access using OAuth 2.0, your application needs the scope information, as well as
information that Google supplies when you register your application (such as the client ID and the
client secret).
Tip: The Google APIs client libraries can handle some of the authorization process for you. They are available for a variety of programming languages; check the page with libraries and samples for more details.
Search Console Testing Tools API auth requirements
Acquiring and using an API key
Requests to the Search Console Testing Tools API for public data must be accompanied by an identifier, which can
be an API key or an
access token.
This API supports two types of credentials.
Create whichever credentials are appropriate for your project:
OAuth 2.0: Whenever your application requests private user
data, it must send an OAuth 2.0 token along with the request. Your
application first sends a client ID and, possibly, a client secret to
obtain a token. You can generate OAuth 2.0 credentials for web
applications, service accounts, or installed applications.
API keys:
A request that does not provide an OAuth 2.0 token must send an API
key.
The key identifies your project and provides API access, quota, and
reports.
The API supports several types of restrictions on API keys. If the API key that you
need doesn't already exist, then create an API key in the Console by
clicking Create credentials
> API key. You can restrict the key before using it
in production by clicking Restrict key and selecting one of the
Restrictions.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-05-07 UTC."],[[["\u003cp\u003eAll applications must use OAuth 2.0 for authorization when interacting with the Google Search Console API to access user data.\u003c/p\u003e\n"],["\u003cp\u003eThe authorization process involves registering your application, obtaining necessary credentials, and requesting specific scopes of access, subject to user consent.\u003c/p\u003e\n"],["\u003cp\u003eGoogle Search Console Testing Tools API requires an API key instead of an OAuth token to access its public data.\u003c/p\u003e\n"],["\u003cp\u003eAPI keys can be obtained and restricted for security via the Google API Console, while OAuth 2.0 is necessary for private user data requests.\u003c/p\u003e\n"]]],["Applications interacting with the Google Search Console API must use OAuth 2.0 for authorization. This involves registering the application with Google to obtain a client ID and secret. Applications request specific data access scopes, users grant consent, and then a short-lived access token is issued. The application then uses this token to request data. The Search Console Testing Tools API, however, requires an API key or an access token for requests, obtained via the Google API Console.\n"],null,["Search Console API auth requirements\n\nEvery request your application sends to the Google Search Console API must include an authorization token. The token also identifies your application to Google.\n\nAbout authorization protocols\n\nYour application must use [OAuth 2.0](https://developers.google.com/identity/protocols/OAuth2) to authorize requests. No other authorization protocols are supported. If your application uses [Sign In With Google](https://developers.google.com/identity/gsi/web), some aspects of authorization are handled for you.\n\nAuthorizing requests with OAuth 2.0\n\nAll requests to the Google Search Console API must be authorized by an authenticated user.\n\nThe details of the authorization process, or \"flow,\" for OAuth 2.0 vary somewhat depending on what kind of application you're writing. The following general process applies to all application types:\n\n1. When you create your application, you register it using the [Google API Console](https://console.cloud.google.com/). Google then provides information you'll need later, such as a client ID and a client secret.\n2. Activate the Google Search Console API in the Google API Console. (If the API isn't listed in the API Console, then skip this step.)\n3. When your application needs access to user data, it asks Google for a particular **scope** of access.\n4. Google displays a **consent screen** to the user, asking them to authorize your application to request some of their data.\n5. If the user approves, then Google gives your application a short-lived **access token**.\n6. Your application requests user data, attaching the access token to the request.\n7. If Google determines that your request and the token are valid, it returns the requested data.\n\nSome flows include additional steps, such as using **refresh tokens** to acquire new access tokens. For detailed information about flows for various types of applications, see Google's [OAuth 2.0 documentation](https://developers.google.com/identity/protocols/OAuth2).\n\nHere's the OAuth 2.0 scope information for the Google Search Console API:\n\n| Scope | Meaning |\n|-------------------------------------------------------|--------------------|\n| `https://www.googleapis.com/auth/webmasters` | Read/write access. |\n| `https://www.googleapis.com/auth/webmasters.readonly` | Read-only access. |\n\nTo request access using OAuth 2.0, your application needs the scope information, as well as\ninformation that Google supplies when you register your application (such as the client ID and the\nclient secret).\n\n**Tip:** The Google APIs client libraries can handle some of the authorization process for you. They are available for a variety of programming languages; check the [page with libraries and samples](/webmaster-tools/v1/libraries) for more details.\n\n*** ** * ** ***\n\nSearch Console Testing Tools API auth requirements **Note:** The Search Console Testing Tools API requires a key rather than an OAuth token.\n\nAcquiring and using an API key\n\nRequests to the Search Console Testing Tools API for public data must be accompanied by an identifier, which can\nbe an [API key](https://developers.google.com/console/help/generating-dev-keys) or an\n[access token](https://developers.google.com/accounts/docs/OAuth2).\n\nTo acquire an API key:\n\n1. Open the [Credentials page](https://console.cloud.google.com/apis/credentials) in the API Console.\n2. This API supports two types of credentials. Create whichever credentials are appropriate for your project:\n - **OAuth 2.0:** Whenever your application requests private user\n data, it must send an OAuth 2.0 token along with the request. Your\n application first sends a client ID and, possibly, a client secret to\n obtain a token. You can generate OAuth 2.0 credentials for web\n applications, service accounts, or installed applications.\n\n For more information, see the [OAuth 2.0 documentation](https://developers.google.com/identity/protocols/OAuth2).\n - **API keys:**\n\n A request that does not provide an OAuth 2.0 token must send an API\n key.\n\n The key identifies your project and provides API access, quota, and\n reports.\n\n The API supports several types of restrictions on API keys. If the API key that you\n need doesn't already exist, then create an API key in the Console by\n clicking **[Create credentials](https://console.cloud.google.com/apis/credentials) \\\u003e API key** . You can restrict the key before using it\n in production by clicking **Restrict key** and selecting one of the\n **Restrictions**.\n\nTo keep your API keys secure, follow the [best practices for\nsecurely using API keys](//cloud.google.com/docs/authentication/api-keys).\n\nAfter you have an API key, your application can append the query parameter\n`key=`\u003cvar translate=\"no\"\u003eyourAPIKey\u003c/var\u003e to all request URLs.\n\nThe API key is safe for embedding in URLs; it doesn't need any encoding."]]
