Credentials for accessing Google's OAuth2 servers are required in order to authenticate and authorize Google Ads users. These credentials identify your app to Google, enabling you to generate OAuth tokens for managing Google Ads users. Access to Google OAuth2 credentials is managed from the Google API Console.
Google OAuth verification
Any Google Cloud app used to obtain credentials for the Google Ads API scope will need to undergo a Google OAuth verification to avoid an unverified UI screen for its users. An app, in this context, is defined as a unique OAuth 2.0 Client ID in Google Cloud.
This verification is independent and in addition to any reviews conducted as part of the developer token approval process, and is required since the Google Ads API scope is a sensitive scope.
There is no cost for the Google verification, which typically completes in 3 to 5 business days. This policy applies to all apps.
We recommend that all apps undergo the Google OAuth verification process as soon as possible to avoid any business interruptions.
Create a project
Go to the Google API Console. Click Create project, enter a name, and click Create.
Enable the Google Ads API in your project
To enable the Google Ads API for your project, follow these steps:
Open the API Library in the Google API Console. If prompted, select your project or create a new one. The API Library lists all available APIs, grouped by product family and popularity.
Use search to find the Google Ads API if it isn't visible in the list.
Select the Google Ads API, then click the Enable button.
Choose a user type and publishing status
After enabling the API, you must then specify your project's User type and Publishing status. The following table highlights some key attributes and limitations of each combination of these settings. For more details, refer to the Google Cloud Platform documentation.
User type | Publishing status | Limitations |
---|---|---|
Internal | Testing |
|
External | Testing |
|
Internal | In production |
|
External | In production |
|
Not completing the Google OAuth verification results in the following, regardless of the User type or Publishing status of your project:
During the authorization process, users are presented with an unverified UI screen.
You are limited to authorizing only 100 users.
Configure the OAuth consent screen
Open the Consent Screen page, and select your project in the dropdown menu at the top of the page.
Select the User Type and click CREATE.
Fill out the consent screen form. You can edit this later if needed. Click SAVE AND CONTINUE when done.
On the next page, click ADD OR REMOVE SCOPES.
Scroll down and enter the following in the field under Manually add scopes:
https://www.googleapis.com/auth/adwords
Click ADD TO TABLE.
Add any other scopes your project will request, then click UPDATE.
Click SAVE AND CONTINUE.
If you don't plan to publish your project immediately, add the email address of each user account you'll use for testing, then click SAVE AND CONTINUE.
Review the summary page and click BACK TO DASHBOARD.
Once you've tested your application and the authorization process, you can return to the dashboard and click PUBLISH APP to change its Publishing status from Testing to In production.
Select an app type
There are two app type options for the Google Ads API: Desktop or Web. Refer to the following table to determine which type is most appropriate for the app you want to build:
Choose this app type | If ... |
---|---|
Desktop app |
|
Web app |
|
For more details, refer to the Google Identity Platform OAuth documentation for desktop apps or web apps.
Create a client ID and client secret
Once you've determined your app type, follow the instructions below to generate the OAuth2 client ID and client secret:
Open the Credentials page. Select a previously created project or create a new one.
On the Credentials screen, click CREATE CREDENTIALS, then select OAuth client ID.
If you haven't previously configured an OAuth consent screen for this project, you'll be directed to do so now. Click CONFIGURE CONSENT SCREEN.
Select the user type and click CREATE.
Fill out the initial form. You can edit this later if needed. Click Save when done.
Navigate back to Credentials > CREATE CREDENTIALS > OAuth client ID to continue.
Select either Desktop app or Web application as the app type, depending on your use case.
Give it a name, then click Create.
If your client type is Web application, add at least one authorized redirect URI.
For local testing that's compatible with the default configuration in our client library examples, use http://127.0.0.1.
For Desktop app clients, you will still use a loopback IP redirect, but the URI is not explicitly configured in the Cloud console.
On the confirmation page, copy Your Client ID and Your Client Secret to your clipboard, as you will need them when you configure your client library. You can also return to the credentials page later to retrieve these details.
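The following is an added example, not code from this page or from Google's client libraries: it shows how the client ID, the `https://www.googleapis.com/auth/adwords` scope and the `http://127.0.0.1` loopback redirect fit together in an authorization request, with a `state` value and PKCE challenge so the callback can be tied to the request that started it. The function names are hypothetical, and the authorization endpoint and PKCE parameters come from Google's OAuth 2.0 documentation rather than from this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Google's OAuth 2.0 authorization endpoint and the scope named on this page.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
ADS_SCOPE = "https://www.googleapis.com/auth/adwords"


def build_auth_request(client_id, redirect_uri):
    """Return (url, state, code_verifier) for one authorization attempt."""
    parts = urlsplit(redirect_uri)
    # Accept only the plain-HTTP loopback redirect used for local testing.
    if parts.scheme != "http" or parts.hostname != "127.0.0.1":
        raise ValueError("redirect_uri must be an http://127.0.0.1 loopback URI")
    state = secrets.token_urlsafe(32)          # binds the callback to this request
    code_verifier = secrets.token_urlsafe(64)  # PKCE secret, never leaves the client
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": ADS_SCOPE,
        "access_type": "offline",  # request a refresh token
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTH_ENDPOINT}?{query}", state, code_verifier


def extract_code(callback_url, expected_state):
    """Return the authorization code from the loopback callback, or raise."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    returned_state = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the callback is not ours.
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]
```

Keep the returned `code_verifier` in memory for the token exchange, and keep the client secret out of source control.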