New Data Portability API features are rolling out now and will be available to all by Feb 20, 2025!

Use Time-Based Access

In this quickstart, you obtain an OAuth token for your account, and you send recurring requests to the Data Portability API endpoints.

This quickstart covers how to use the Data Portability API for time-based access to user data. For one-time access to user data, see Start Using the Data Portability API. To learn how to apply time filters to your request, see Apply Time Filters.

What you learn

In this quickstart you learn how to:

Send an authenticated request to the InitiatePortabilityArchive endpoint by providing a valid OAuth token. The response should contain a valid job_id.
Send an authenticated request to the GetPortabilityArchiveState endpoint. The response should contain a valid job state, and when the job is complete, a signed URL.
Send an authenticated request with a valid OAuth token to the InitiatePortabilityArchive endpoint a second time using the same credentials. This returns a FAILED_PRECONDITION error when the request is made within 24 hours of the initial request.

Prerequisites

To run this quickstart, you need to:

Verify that the Data Portability API is available to users in your location. For a list of supported countries and regions, see Common Questions on the "Share a copy of your data with a third party" page.
Complete the setup steps for the Data Portability API.
Follow the steps to configure OAuth for JavaScript web apps. In production, you would normally use a different flow like the OAuth flow for web server applications. For simplicity, this quickstart uses the JavaScript web app flow.
- When you create your authorization credentials, make a note of your OAuth 2.0 Client ID and your authorized redirect URI (for example, https://google.com). You need them later in the quickstart.
- When you configure scopes for the Data Portability API, note that this quickstart uses the myactivity.search resource group: https://www.googleapis.com/auth/dataportability.myactivity.search.
- When you choose the amount of time you want to allow access, you should select 30 days to test time-based access.
Obtain an OAuth token.
Obtain access to an account owned or controlled by your organization. This account's search activity data is exported in this quickstart.

Obtain an OAuth token

For this quickstart, you send an authorization request to obtain an OAuth token using a URL. This process uses the flow for JavaScript web apps. This flow does not return a refresh token.

For a production app, you would typically use an OAuth flow to obtain a refresh token that can be used to generate access tokens on demand. An example of this would be the flow for server-side web apps.

To obtain an OAuth token:

Compose a URL like the following.
```
https://accounts.google.com/o/oauth2/v2/auth?
client_id=client_id&
redirect_uri=redirect_uri&
response_type=token&
scope=https://www.googleapis.com/auth/dataportability.myactivity.search&
state=developer-specified-value
```
In the URL:
- client_id is your OAuth client ID.
- redirect_uri is your authorized redirect URI; for example, https://google.com.
Notice that the scope used in the URL for this quickstart is the search activity scope. You can also use the YouTube activity scope or both scopes.

Warning: Don't mix Data Portability API scopes with other types of scopes, use too many scopes at once, or include previously granted scopes as this results in errors. For details, see Scope restrictions.
Paste the URL into your browser's address bar, and follow the steps in the OAuth flow. This flow requires you to sign into the account owned or controlled by your organization that you're using for this quickstart.

This is the account that's consenting to the OAuth scopes. The consent screen should look like this (the text in your screen may vary from the text in this image):
Choose the scopes to grant access to and the length of time to share access to the account's data (once, 30 days, or 180 days). For this quickstart, choose 30 days.
After granting consent and deciding the duration of access, you should be forwarded to the redirect URI—https://google.com. The URL that is generated in the address bar includes the OAuth access token.

For example, if the user account grants OAuth access to the dataportability.myactivity.search scope, the generated URL looks like this:
```
https://google.com/#state=developer-specified-value&access_token=your_OAuth_token&token_type=Bearer&expires_in=3599&scope=https://www.googleapis.com/auth/dataportability.myactivity.search
```
In the URL, your_OAuth_token is a string that represents the token.

Important: Your OAuth access token expires in one hour. If you need to generate a new token, follow the previous steps.
To validate the OAuth token, paste this URL into your browser:
```
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=your_OAuth_token
```
The response should look like this:
```
{
  "azp": <your_azp_value>,
  "aud": <your_aud_value>,
  "scope": "https://www.googleapis.com/auth/dataportability.myactivity.search",
  "exp": "1694210968",
  "expires_in": "3334",
  "access_type": "online"
}
```
You don't need the azp or aud fields to make requests. The azpfield represents the client_id of the authorized presenter, and the aud field identifies the audience that this token is intended for, which will be equal to one of the client IDs for your application.

Note: You can also verify the token by issuing an HTTP GET request.
Gather your OAuth token and your API key. You need these to make calls to the Data Portability API.

Send requests to the endpoints

In this quickstart you use curl commands to call the Data Portability API endpoints. These commands require the OAuth token and API key you gathered previously.

To call the Data Portability API:

First, you send an authenticated request to the InitiatePortabilityArchive endpoint. This request starts an archive job.

Run the following curl command:
```
curl -H 'Authorization: Bearer your_OAuth_token' -X POST \
-H "Content-Type: application/json; charset=utf-8" \
--data '{"resources":["myactivity.search"]}' \
https://dataportability.googleapis.com/v1/portabilityArchive:initiate
```
In the command:
- your_OAuth_token is your OAuth token.
Warning: The resources parameter should only contain the OAuth scopes that were granted access. In this example, only myactivity.search was granted. If you include additional resource groups, an error is returned. For details, see Scope restrictions.

The InitiatePortabilityArchive request returns a job_id and accessType. The job ID is used to retrieve the state of the data archive and the access type determines if you have been granted one-time or time-based access to the data. For time-based access, you'll see:
```
{
  "archiveJobId": "<your_job_id>"
  "accessType": "ACCESS_TYPE_TIME_BASED"
}
```
If you fail to provide a valid OAuth token, this error message is returned:
```
Request had invalid authentication credentials. Expected OAuth 2.0 access
token, login cookie or other valid authentication credential. See
https://developers.google.com/identity/sign-in/web/devconsole-project.
```
Next, you send an authenticated request to the GetPortabilityArchiveState endpoint to retrieve the status of the archive job.

Run the following curl command:
```
curl -H 'Authorization: Bearer your_OAuth_token' -X GET \
-H "Content-Type: application/json; charset=utf-8" \
https://dataportability.googleapis.com/v1/archiveJobs/your_job_id/portabilityArchiveState
```
In the command:
- your_OAuth_token is your OAuth token.
- your_job_id is the job ID returned by the InitiatePortabilityArchive request.
The response is based on the state of the job. If the job is not complete, the response provides the current state. You should send requests to this endpoint periodically until the job is complete.
```
{
  "state": "IN_PROGRESS"
}
```
If the job is complete, the response contains the state and one or more signed URLs that are used to download the data archive.
```
{
  "state": "COMPLETE",
  "urls": [
    "<signed_url>"
  ]
}
```
Paste the signed URL into your browser to download the data archive. You should examine the contents of the archive to ensure that it contains the expected search activity data.

Note: The amount of time required to complete the archive job depends on the archive's size. The maximum duration is seven days.

If you receive a FAILED state in the response, you may retry the export using the RetryPortabilityArchive method.

Repeat the previous command to send an authenticated request to the InitiatePortabilityArchive endpoint.

curl -H 'Authorization: Bearer your_OAuth_token' -X POST \
-H "Content-Type: application/json; charset=utf-8" \
--data '{"resources":["myactivity.search"]}' \
https://dataportability.googleapis.com/v1/portabilityArchive:initiate

In the command:

your_OAuth_token is your OAuth token.

The response should indicate that you have already exported the myactivity.search resource and a timestamp for when you can try again.

...
  "error": {
    "code": 429,
    "message": "Requested resources have already been exported. You can initiate another export after #{timestamp_after_24hrs}.",
    "status": "RESOURCE_EXHAUSTED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "RESOURCE_EXHAUSTED_TIME_BASED",
        "domain": "dataportability.googleapis.com"
  "metadata": {
    "previous_job_ids": "#{previous_job_ids}"
    "access_type": "ACCESS_TYPE_TIME_BASED"
    "timestamp_after_24hrs": "#{timestamp_after_24hrs}"
...