OAuth 2.0 Internals for Google Ads API

  • This guide details what happens behind the scenes for advanced users or those not using client libraries, assuming familiarity with OAuth 2.0.

  • The Google Ads API does not support simultaneous sign-in with data access request (hybrid) or domain-wide delegation of authority (2LO).

  • The scope parameter controls the resources and operations an access token permits, and the scope for the Google Ads API is https://www.googleapis.com/auth/adwords.

  • Requesting offline access for web apps requires setting the access_type parameter to offline, while it's enabled by default for desktop apps.

  • Access tokens are included in request headers, either bound to a gRPC Channel or passed through the HTTP Authorization header for the REST API.

This section is intended for advanced users who are already familiar with the OAuth 2.0 specification and know how to use OAuth 2.0 with Google APIs.

Scope

A single access token can grant varying degrees of access to multiple APIs. A variable parameter called scope controls the set of resources and operations that an access token permits. During the access token request, your app sends one or more values in the scope parameter.

The scope for the Google Ads API is:

https://www.googleapis.com/auth/adwords

Offline access

It's common for a Google Ads API client app to request offline access. For example, your app may want to run batch jobs when your user is not physically online browsing your website.

To request offline access for a web app type, make sure you set the access_type parameter to offline. You can find additional information in Google's OAuth2 guide.

For the desktop app type, offline access is enabled by default—you don't have to explicitly request it.
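The web-app request described above, as an added example (not code from the original page or from Google's client libraries): it builds the authorization URL with the Google Ads scope and access_type=offline, checks the state value on the redirect, and confirms the token response carries both the scope and a refresh token. The client ID, redirect URI, state and token values used with it are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 authorization endpoint for web server apps.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
ADS_SCOPE = "https://www.googleapis.com/auth/adwords"  # scope given on this page


def build_auth_url(client_id, redirect_uri, state=None):
    """Return (url, state) for an authorization request with offline access."""
    state = state or secrets.token_urlsafe(32)  # unguessable anti-CSRF value
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": ADS_SCOPE,
        "access_type": "offline",  # needed for web apps to get a refresh token
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Return the authorization code; reject errors and a mismatched state."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    returned = query.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this session")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("no authorization code in callback")
    return code


def check_token_response(token_response):
    """Return the refresh token after confirming scope and offline access."""
    granted = token_response.get("scope", "").split()
    if ADS_SCOPE not in granted:
        raise ValueError("Google Ads scope was not granted")
    if "refresh_token" not in token_response:
        raise ValueError("no refresh token: offline access was not granted")
    return token_response["refresh_token"]
```

Store the returned state in the user's server-side session before redirecting, and pass that stored value as expected_state when the callback arrives.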

Request headers

gRPC headers

When using the gRPC API, include the access token in each request. You can bind a Credential to a Channel for use on all requests on that channel. You can also send a customized credential for each call. The gRPC Authorization guide contains more details on handling authorization.

REST headers

When using the REST API, pass the access token through the HTTP header Authorization. An example HTTP request is shown:

# Returns the resource names of customers directly accessible by the user
# authenticating the call.
#
# Variables:
#   API_VERSION,
#   DEVELOPER_TOKEN,
#   OAUTH2_ACCESS_TOKEN:
#     See https://developers.google.com/google-ads/api/rest/auth#request_headers
#     for details.
#
curl -f --request GET \
"https://googleads.googleapis.com/v${API_VERSION}/customers:listAccessibleCustomers" \
--header "Content-Type: application/json" \
--header "developer-token: ${DEVELOPER_TOKEN}" \
--header "Authorization: Bearer ${OAUTH2_ACCESS_TOKEN}"