To discuss and provide feedback on our products, join the official Google Ads Discord channel in the Google Advertising and Measurement Community server.

OAuth Service Account Flow

AI-generated Key Takeaways

This guide details setting up OAuth2 for API access using service accounts and your own credentials, a process you only need to complete once.
This setup requires a Google Workspace domain and a service account with domain-wide delegation access granted by a super administrator.
You must generate a service account ID and a JSON file by following specific linked instructions.
After generating the necessary file, you need to add the private key JSON file path and the impersonated email to your configuration, either in a google-ads.yaml file, YAML string, or dict, or as environment variables.
Ensure no credentials for OAuth2 desktop or web app flows are present in your configuration if you intend to use Service Account authentication.

This guide will walk you through how to set up OAuth2 for API access using your own credentials with service accounts. These steps only need to be done once, unless you revoke or delete your OAuth2 credentials.

Create OAuth2 credentials

Generate a service account ID and a *.JSON file by following the linked instructions, then come back to this page.

Add a private key JSON and an impersonated email to configuration

Set the private key JSON file path and impersonated email in your configuration. If you're using a google-ads.yaml file, YAML string, or dict, add the following:

json_key_file_path: JSON_KEY_FILE_PATH
impersonated_email: IMPERSONATED_EMAIL

If you're using environment variables, add the following to your bash configuration or environment:

export GOOGLE_ADS_JSON_KEY_FILE_PATH=JSON_KEY_FILE_PATH
export GOOGLE_ADS_IMPERSONATED_EMAIL=IMPERSONATED_EMAIL