Service Accounts

This section discusses how to access the Google Ads API with service accounts.

A service account is an account that belongs to your app instead of to an individual end user. Service accounts allow server-to-server interactions between a web app and a Google service. Your app calls Google APIs on behalf of the service account, so users aren't directly involved.

The Google Ads API allows service account access through Google Workspace.

Service accounts employ an OAuth2 flow that doesn't require human authorization, using instead, a key file that only your app can access.

Using service accounts provides two key benefits:

• Authorization for Google API access is done as a configuration step, thus avoiding the complications associated with other OAuth2 flows that require user interactions.
• OAuth2 assertion flow allows your app to impersonate other users if necessary.

Prerequisites

• A Google Workspace domain that you own such as mydomain.com or mybusiness.com.
• A Google Ads API developer token and optionally a test account.
• The client library for the language you're using.
• A Google API Console project that has been configured for the Google Ads API.
• A Google Ads user with permissions on the Google Ads account you want to access. Google Ads does not support using service accounts without impersonation.

Setting up service account access

1. Start by creating a service account and credentials. Download the service account key in JSON format. Also, note the service account ID.
2. Share the service account ID and the Google Ads API scope (https://www.googleapis.com/auth/adwords) with your domain administrator. Request the domain administrator to delegate domain-wide authority to your service account.
3. If you are the domain administrator, follow the instructions in the help center guide to complete this step.

You can now use the service account to access your Google Ads account with the OAuth2 assertion flow.

Configuring your client library

Select your language below for instructions to configure your client library.

Security concerns

Since the service account has domain-level delegation control for your Google Workspace domain, it's important to protect the key file that allows a service account to access the Google services for which it's authorized. This is especially true since that service account will have the ability to impersonate any user in the domain.

Another good practice is to allow service accounts to access only the minimum required set of APIs. This is a preemptive measure to limit the amount of data an attacker can access if the service account's key file is compromised.