Stay organized with collections
Save and categorize content based on your preferences.
This guide will walk you through how to setup OAuth2 for API access using your
own credentials using service accounts.
These steps only need to be done once, unless you revoke or delete your OAuth2
credentials.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis guide explains how to set up OAuth2 for API access using service accounts, requiring a Google Workspace domain and domain-wide delegation access.\u003c/p\u003e\n"],["\u003cp\u003eYou need to generate a service account ID and JSON file before configuring the client library for service account authentication.\u003c/p\u003e\n"],["\u003cp\u003eThe client library setup involves providing the private key JSON file path and delegate account ID in your configuration file or environment variables.\u003c/p\u003e\n"],["\u003cp\u003eEnsure no OAuth2 desktop or web app flow credentials are present in your configuration to prioritize Service Account authentication.\u003c/p\u003e\n"]]],[],null,["# OAuth Service Account Flow\n\nThis guide will walk you through how to setup OAuth2 for API access using your\nown credentials using [service accounts](/google-ads/api/docs/oauth/service-accounts).\nThese steps only need to be done once, unless you revoke or delete your OAuth2\ncredentials.\n\nCreate OAuth2 credentials\n-------------------------\n\n| **Note:** This flow requires a [Google Workspace](//workspace.google.com) domain and the service account that you created needs to be granted domain wide delegation access by a super administrator for the domain.\n\n[Generate a service (delegate) account ID and a `*.JSON`\nfile](/google-ads/api/docs/oauth/service-accounts#service_account_access_setup)\nby following the linked instructions, then come back to this page.\n\nSet up client library\n---------------------\n\nSet the private key JSON file path and delegate account ID in your\nconfiguration. If you're using a `googleads.properties` file, add the following: \n\n jsonKeyFilePath=\u003cvar translate=\"no\"\u003ePRIVATE_KEY_FILE_PATH\u003c/var\u003e\n impersonatedEmail=\u003cvar translate=\"no\"\u003eDELEGATE_ACCOUNT\u003c/var\u003e\n\nIf you're using environment variables, add the following to your Bash\nconfiguration or environment: \n\n export GOOGLE_ADS_JSON_KEY_FILE_PATH=\u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-n\"\u003ePRIVATE_KEY_FILE_PATH\u003c/span\u003e\u003c/var\u003e\n export GOOGLE_ADS_IMPERSONATED_EMAIL=\u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-n\"\u003eDELEGATE_ACCOUNT_ID\u003c/span\u003e\u003c/var\u003e\n\n| **Key Point:** When loading configurations, the library first looks for credentials from the OAuth2 desktop or web app flows, and then uses them if found. So if you want to use a Service Account authentication, make sure credentials for the other flows are *not* present in your configuration."]]
