Last year, the OAuth scopes used by the following Ads APIs were classified as sensitive, requiring developers to complete the OAuth verification process for their Google Cloud projects:

• Google Ads API & AdWords API
  • https://www.googleapis.com/auth/adwords
• Content API for Shopping
  • https://www.googleapis.com/auth/content
• DoubleClick Bid Manager API
  • https://www.googleapis.com/auth/doubleclickbidmanager

Any remaining OAuth clients using the above scopes that remain unverified may have their existing credentials revoked and lose access to the above APIs if they do not complete the OAuth verification process as soon as possible.

Certain apps may qualify for one of the exceptions for app verification. If your application meets any one of those exceptions, follow the steps listed for the appropriate use case. If not, you must complete OAuth verification to continue using these Ads APIs.

If you have any questions or need additional help, contact us using any of the following support options:

• Google Ads API & AdWords API: googleadsapi-support@google.com
• Content API for Shopping: support forum
• DoubleClick Bid Manager API: support contact form

Adam Ohren, Google Ads API Team

As of October 1, 2020, any Google Cloud app used to obtain credentials for the Google Ads API or AdWords API scope (https://www.googleapis.com/auth/adwords) in its projects (i.e. any new AdWords API or Google Ads API developers) will need to undergo a Google OAuth verification to avoid an unverified app screen for its users. An app, in this context, is defined as a unique OAuth 2.0 Client ID in Google Cloud. This verification is independent and in addition to any reviews conducted as part of the developer token approval process.

There is no cost for the Google verification, which typically completes in 3 to 5 business days. Information on how this process fits in the larger task of authorizing requests can be found in our guide. The verification status of a given app can be viewed at the OAuth consent screen of a Google Cloud Project.

Apps already using the Google Ads API or AdWords API scope prior to October 1, 2020 are not currently affected by this policy. However, this policy will be applied to all apps at a later date in 2021, and it is recommended that all apps undergo the Google OAuth verification process at their earliest convenience to avoid any business interruptions.

If you have any questions or need additional help, contact us via the forum or at googleadsapi-support@google.com.
- Devin Chasanoff, on behalf of the Google Ads API Team

Beginning October 1, 2020, any new Google Cloud app with a unique OAuth 2.0 Client ID used to obtain credentials for the Google Content API scope (https://www.googleapis.com/auth/content) in its projects will need to undergo a Google OAuth verification to avoid an unverified app screen for its users. Users of unverified apps that access the Content API will see warnings and the apps will have limited functionality.

There is no cost for app verification and the process typically takes 3 to 5 business days. For more information about how app verification fits into the broader process of authorizing requests, see our Using OAuth guide.

Apps already using the Content API scope prior to October 1, 2020 are not currently affected by this policy. However, this policy will be applied to all apps at a later date in 2021, and we recommend that all apps undergo the Google OAuth verification process at their earliest convenience to avoid any business interruptions.

For more information about app verification, see OAuth API verification FAQs. If you have any questions or need additional help, please reach out to us on the forum.
Benji Rothman, Content API for Shopping Team

On October 1, 2020, we are upgrading the classification of the authorization scope used for the DoubleClick Bid Manager API ( https://www.googleapis.com/auth/doubleclickbidmanager ) to “sensitive”. This upgrade is taking place to better secure the DBM API and the data retrieved from it.

Starting on October 1st, all unverified apps that are using the DBM API for the first time will encounter an “unverified app screen” upon attempted authentication. This screen can be removed by submitting your app to our verification process. This process usually takes about 3 to 5 business days. Information on how this process fits in the larger task of authorizing requests can be found in our guide.

Existing apps that began using the DBM API scope before October 1st will not see the “unverified app screen” and will not immediately need to go through the verification process. However, all apps accessing sensitive scopes will require explicit verification before the end of 2021. In anticipation of this requirement, it is recommended that existing apps complete the verification process at their earliest convenience.

If you run into issues or need help with this process, please contact us using our support contact form.

- Trevor Mulchay, Display & Video 360 API Team

We have heard from users that correctly configuring a client library and provisioning OAuth2 credentials can be challenging, so today we are introducing Google Ads API Doctor, a new tool that will analyze your client library environment. The program will:

• Verify that your OAuth2 credentials are correctly configured and ready to make API calls.
• Guide you through fixing any OAuth2 problems it detects and verify the corrected configuration.

The initial version of this tool will help you analyze and fix issues related to OAuth2 configuration, including the following common issues:

• Invalid refresh token: The program will identify this and guide you through the process to obtain a valid token, back up your configuration file, and write the new value to your active configuration file.
• Permission denied: There are several OAuth errors that sound similar, such as user permission denied and permission denied. The program identifies that in the first case it is caused by an invalid refresh token and in the second it’s because the Google Ads API is disabled in the Google API Console.

If you want to send the output to support, you can run your scenario with the PII flag to hide your Personally Identifiable Information (PII) and copy the screen output. To gather even more information, you can use the verbose flag to see the low-level JSON that is returned.

We are releasing this project as open source per Google’s open source initiative, and we encourage contributions. See contributing to Google open source to learn more about how to contribute to this project. As always, share your feedback on the Google Ads API forum.

Bob Hancock and Poki Chui, Google Ads API Team

Today, we are rolling out a feature that allows the administrative users of Google Ads accounts to set a required multi-factor authentication policy, including 2-Step Verification. When this new authentication policy is enabled on a particular Google Ads account, all users who want to access that account must have their Google accounts enrolled in 2-Step Verification.

Note: The Google account users can alternately fulfill this requirement by enrolling their accounts in Advanced Protection.

What will happen to your API access?
If 2-Step Verification is required for a particular Google Ads account, then 2-Step Verification also needs to be set up for the Google account used to generate the OAuth2 refresh token accessing the Google Ads account. Follow this link to opt in to 2-Step Verification. Failing to do so will result in the AuthorizationError.TWO_STEP_VERIFICATION_NOT_ENROLLED error when you try to access the Google Ads account.

Access to the Google Ads account will be restored once you opt in to the 2-Step Verification. The multi-factor authentication policy does not affect the way you access the AdWords API or the Google Ads API Beta in any other aspects--you can still use an OAuth2 refresh token and a developer token to access the AdWords API and the Google Ads API Beta as usual.

2-Step Verification ensures only strongly verified users have access to your Google accounts. Opt in now to avoid hitting the AuthorizationError.TWO_STEP_VERIFICATION_NOT_ENROLLED error in advance.

As always, if you have any questions or concerns, please post on our forum.
 - Thanet Praneenararat, AdWords API Team

In July we announced that starting in August 2016, all versions of the DFP API would return HTTP 401 errors instead of SOAP AUTHENTICATION_FAILED errors. We have learned that some developers have been relying on catching an AUTHENTICATION_FAILED error to know when to refresh an access token. This is not the recommended way to determine when your access token needs refreshing and is not supported.

The change described above will break code that relies on catching an AUTHENTICATION_FAILED error. We have temporarily rolled back the change to give developers who haven’t migrated more time to update their code and will roll this change out again on November 30, 2016 and ask that you update your code before then.

Note: If you’re taking advantage of our client libraries, no change is required; our client libraries handle refreshing an access token with our recommended approach.

Instead of relying on an AUTHENTICATION_FAILED error, the recommended way is to calculate how soon the access token is going to expire before making an API call, and refresh it if it’s about to expire soon.

• Whenever you obtain a new access token, calculate the token’s expiration time by adding the expires_in time returned with the access token to the current time.
  • For example, if you received an access token on Oct 21, 16:05 EDT and the access token lasts for 3600 seconds, the token would expire on Oct 21, 17:05 EDT.
• Then, before every DFP API call, check when the access token will expire before using it: if it is going to expire within a certain time window (say, in the next 60 seconds), you should refresh it before making the API call.
  • To calculate this, subtract the current time from the token’s expiration time that you calculated above.

You can see an example of how this is done in our Java client library and use it as a reference to help you implement the above.

As always, if you have any questions, feel free to drop us a line on the DFP API forums or the Ads Developer Google+ page.
 - Vincent Tsao, DFP API Team

Authentication with the DFP API is probably something you had to set up once and then never thought about again. Well, that may be true until there's a scope change, or your credentials suddenly stop working, or the developer who created the credentials leaves to open their own yoga studio in the Andes.

Understanding some of the finer details of DFP's OAuth2 flows can come in handy when the unexpected happens.

Access tokens

When using the DFP API, you can authenticate on behalf of a user in your network or as an application. For the DFP API we call these two choices Web Application flow and Service account flow (server-to-server), respectively. Each choice has a different set-up, but both are used to generate access tokens.

All DFP API requests are authenticated using access tokens. You can think of these as short-lived (about one hour) passwords. When making a request, you include the access token in the HTTP header:

  Authorization: Bearer ACCESS_TOKEN

Every access token is tied to a specific user and one or more API scopes. The scopes control which Google APIs the access token is valid for. The scope for DFP is:

  https://www.googleapis.com/auth/dfp

Access Control

Because every access token is associated with a user, the DFP API enforces the same exact access controls as the DFP UI. This means that all the teams, roles, and permissions that restrict the user are in effect.

When authenticating as a dedicated API user like a service account, make sure that user is configured with your desired teams and role in DFP. There's no requirement that API users have administrator access.

Troubleshooting

If you ever need to verify the scope or who the access token was issued to, you can easily do so using the OAuth2 API explorer. Enter the access token you're using, and the API will provide a JSON response with the details:

  POST https://www.googleapis.com/oauth2/v2/tokeninfo?access_token=MY_ACCESS_TOKEN
  {
    "issued_to": "1234567890-aabbccddgh123.apps.googleusercontent.com",
    "audience": "1234567890-aabbccddgh123.apps.googleusercontent.com",
    "scope": "https://www.googleapis.com/auth/dfp",
    "expires_in": 3496,
    "access_type": "offline"
  }

Refresh Tokens

Although we now recommend using service accounts for server-to-server flow, many integrations still use an installed application flow. This flow uses a refresh token to generate access tokens.

If your refresh token stops working, there are a few possible causes:

• The user you're authenticating as no longer has access to the DFP network.
• Too many refresh tokens were generated for the OAuth2 client.
• The user you're authenticating as has revoked access for your application.

The simplest solution to all of these is to create a new client and generate a new refresh token for a current DFP user. Remember that the refresh token is tied to the account that authorizes the application, and not the user who created the OAuth2 client. When accepting the OAuth2 authorization prompt, verify that the user in the top right corner that is logged in is correct:

If OAuth2 still gives you a headache, we're happy to troubleshoot with you. Just reach out to us on our developer forum.

 - Chris Seeley, DFP API Team

The Content API for Shopping documentation now includes a guide for using OAuth 2.0 service accounts with Content API for Shopping. This guide will be of particular interest to in-house developers, whose applications do not need access to third-party information. In such cases, requiring the application to get user approval and to keep track of refresh tokens may be unnecessary overhead. Instead, service accounts provide a private key that the application can use to authenticate when using the Content API.

For developers that work with third-party information, you should still use the OAuth2 three-legged authentication flow as described in the Authorize Requests guide to request permission from users for access to their information.

If you have questions about which flow is more appropriate for your project, or any other questions or feedback concerning the Content API for Shopping, please let us know on the forum.
 - Stevie Strickland, Content API for Shopping Team

In the past, we’ve thrown AUTHENTICATION_FAILED errors as API exceptions whenever an OAuth2 access token was invalid, expired, or missing. Starting on the release date of v201608, the DFP API will reject these requests as HTTP 401 errors (unauthorized access) instead of as API exceptions for all versions.

If you really break it down, this is a win-win for everyone involved. You don’t waste application quota on authentication requests that are already going to fail, and we can focus on doing what we do best, responding to valid API requests.

What does this mean for you? That’s a bit trickier. If you’re catching the old authentication errors raised by our client libraries, then you’re going to want to shift your integration to catching HTTP errors instead. Since our client libraries are implemented with language-specific practices in mind, you’d be looking for these new occurrences to show up as either errors raised by the underlying HTTP or SOAP libraries or wrapped HTTP errors in the libraries themselves. These failures are generally deterministic and require user action - either to generate a new refresh token, to add a new API user, or to create a valid client - so this is mostly a shift in where to catch the exception rather than wrapping with retry logic.

As usual, if you have any questions or just want to talk about API things, let us know on the developer forum.

 - Nicholas Chen, DFP API Team

The old DFP API OAuth2 scope has been deprecated. Any API requests using this scope after December 31, 2016 will fail authentication. OAuth2 requests must use the current DFP API scope (https://www.googleapis.com/auth/dfp) after that time.

How can I tell if this impacts me?

If you generated your OAuth2 refresh token after the release of v201408, no action is required. If you're a long-time API user who hasn't updated their refresh token in the last year, you need to generate a refresh token using the current DFP API scope.

If you use a service account to authenticate instead of a refresh token, verify that the scope you use to create credentials is: https://www.googleapis.com/auth/dfp.

If you're still unsure if this affects you, you can follow the steps below anyway with no negative impact.

What action do I need to take?

You have two options to ensure uninterrupted API use:

1. Use a service account for authentication and set the current DFP API scope. Service accounts simplify the OAuth2 flow by using a public/private key pair instead of a refresh token.
2. Use the utility provided by your client library to generate a new refresh token using your current client ID and secret. These utilities will use the current scope:
   • Java
   • PHP
   • Python
   • Ruby
   • .NET
   After running the utility, update your credentials with the newly generated refresh token.

If you're using a different OAuth2 authentication flow, consult the documentation for your scenario and identify where the scope is being set. If you need clarification, reach out on our developer forum for additional assistance.

Why is this happening?

The OAuth2 scope for DFP was changed in v201408 to better align with the naming conventions of other Google APIs. All versions of the API that were released with the old scope have now been sunset, so the scope is now being sunset. If you have any questions, don't hesitate to post on our DFP API forum.

 - Chris Seeley, DFP API Team

Today we’re announcing the deprecation of v1 and v1.1 of the DoubleClick Ad Exchange Buyer REST API, both of which are scheduled to be sunset on December 1st, 2014. These versions are becoming increasingly less relevant as we expand on the latest and greatest version of the API—currently v1.3. We recommend that you migrate to v1.3 before this date in order to take advantage of the newest functionality and also to continue having uninterrupted access to the API. If you have not migrated from these deprecated versions by December 1st, calls against the API will return an error response.

The vast majority of users have already migrated to newer versions of the API, but if you’re among the few who haven’t, we expect it to be an easy upgrade because newer versions still support all of the resources you’re familiar with. The only changes that could cause a code break when migrating from v1 to v1.3 are in the Creatives resource; the adgroup_id field was removed and the disapprovalReasons field is no longer a list of strings. You can use the following resources to help you with your migration:

• Release Notes: A listing of all changes between versions of the API.
• Code Examples: Examples demonstrating how to use the client libraries with the most recent version of the API.
• Developer Guides: Guides covering the most recent version of the API.

Of course, if you have any questions or need help with the migration, feel free to reach out to us via the forum or the Ads Developers G+ page.

 - Mark Saniscalchi, DoubleClick Ad Exchange Team

Until now, the DFP API only supported the OAuth 2.0 native/installed application flow. The OAuth 2.0 service account flow was only supported it you had a Google Apps for Business Account. Today, we’re unveiling the new OAuth 2.0 service account flow for DFP. This authorization flow has been simplified to no longer require a Google Apps domain. We’ve also updated the DFP web UI to allow service accounts to be added to be a DFP network.

Why should I use service accounts?

Service accounts allow access to Google APIs without the need for user interaction by authenticating solely with server-to-server interactions. Other OAuth 2.0 flows require user interaction or having an application cache a refresh token.

How do I use service accounts?

1. Generate a service account key from the Google Developers Console.
2. Add the service account to your DFP network by going to the Admin tab and clicking the Add a service account user button.

3. Fill in the form with your Name, Email, Teams (if applicable), and Role. Then, click Save.

4. View existing service account users by going to the Users tab and then clicking the Service Account filter.

With the *.p12 key generated from the Google Developers Console and the service account added to the DFP network, you can now generate an OAuth 2.0 token. For example, using the Java client library:

    GoogleCredential credential = new GoogleCredential.Builder()
        .setTransport(new NetHttpTransport())
        .setJsonFactory(new GsonFactory())
        .setServiceAccountId("****@developer.gserviceaccount.com")
        .setServiceAccountScopes("https://www.googleapis.com/auth/dfp")
        .setServiceAccountPrivateKeyFromP12File(new File("/path/to/key.p12"))
        .build();

For more information, see our updated guide on using service accounts with DFP.

 - Vincent Tsao, DFP API Team

A new OAuth 2.0 scope for the AdWords API was introduced along with the v201406 client library release. The OAuth 2.0 scope identifies the service that your application can access during the authorization process.

The new scope is: https://www.googleapis.com/auth/adwords. This new scope better aligns with the naming conventions of many of the other Google APIs.

Starting today, use the new scope when authorizing access for the AdWords API regardless of the AdWords API version. All our current AdWords API client libraries use this new scope.

But I have refresh tokens from the deprecated scope...

Don’t worry if your client code is using refresh tokens authorized with the deprecated scope - they will still work. However, new authorizations should specify the new scope.

As always, if you have any questions, drop us a line on the AdWords API forum or Ads Developers Google+ page.

- Ray Tsang, AdWords API Team

ClientLogin authentication support for the AdWords API and the DoubleClick Ad Exchange API will sunset along with v201309 on July 21st, 2014. You only have 3 weeks left to migrate!

We have plenty of resources to help you migrate. It might take longer than you expect to migrate to OAuth 2.0, especially if you don't already use a single top-level MCC to manage your AdWords accounts or if you are a DoubleClick Ad Exchange customer.

Start your migration as soon as possible and reach out to us early on the AdWords API Forum or the DoubleClick Ad Exchange API Forum with any questions.

- Ray Tsang, AdWords API Team

Whether you’re just starting out with the DoubleClick Ad Exchange Buyer REST API or are working with an unfamiliar client library, our examples will help you get started! Our examples are now on GitHub and have been expanded to cover the following languages:

• C#
• Java
• PHP
• Python
• Ruby

Each of these include documentation to help you get started with the corresponding client library and demonstrate how you can use the Service Account authorization flow with the DoubleClick Ad Exchange Buyer REST API.

If you have any feedback or feature requests for these examples, we’d definitely be interested in hearing about it! Feel free to contact us via the forum or our Google+ page.

 - Mark Saniscalchi, Ad Exchange Team

ClientLogin authentication support for the AdWords API and the DoubleClick Ad Exchange SOAP API will sunset along with v201309 on July 21st, 2014. You only have two months left to migrate - don’t wait until the last minute!

We have plenty of resources to help you migrate. It might take longer than expected to migrate to OAuth2, especially if you don't already use a single top-level MCC to manage your AdWords accounts or if you are a DoubleClick Ad Exchange customer.

Start your migration as soon as possible and reach out to us early on the AdWords API Forum or the DoubleClick Ad Exchange API Forum with any questions.

- Ray Tsang, AdWords API Team

ClientLogin authentication support for the AdWords API will sunset along with v201309 on July 21st, 2014. But it doesn’t mean you should wait till the last minute to migrate!

We have plenty of resources to help you migrate. It might take longer than expected to migrate to OAuth2, especially if you don't already use a single top-level MCC to manage your AdWords accounts.

Start your migration as soon as possible and reach out to us early on the AdWords API Forum with any questions.

- Ray Tsang, AdWords API Team

Is your AdWords API client application still using ClientLogin? If so, you should start your migration from ClientLogin to OAuth 2.0 as soon as possible.

Your AdWords API client applications must be fully migrated to OAuth 2.0 before ClientLogin is sunset in June 2014, as previously announced. If you don't migrate by then, your client applications will fail -- they won't be able to access your MCC account or any AdWords account via the API.

How do I get started?

We have prepared a ClientLogin to OAuth 2.0 migration guide which includes:

• Detailed migration strategies based on use cases
• Code samples to automate parts of the migration
• Client library-specific migration videos, code, and pertinent OAuth 2.0 documentation

You don't want to worry about your applications failing, so get started now. For most developers with a single top level MCC, this migration will involve only a few configuration and code changes. But if you run into any issues with your particular application or AdWords accounts, you'll be glad you left plenty of time before the sunset to work things out.

We are here to help

If you run into any issues, or if you have any questions, please reach out to us on the AdWords API Forum.

- Ray Tsang, AdWords API Team

ClientLogin support has been deprecated across Google in favor of the security enhanced OAuth2 authentication mechanism.

AdWords and DFP will be sunsetting ClientLogin support in all API versions to be released, starting in 2014. To ensure uniform, and high, standards of privacy and security for our advertisers and publishers, we will support only OAuth2 in the future.

All current AdWords and DFP API versions, and those released during rest of year in 2013 will continue to support ClientLogin. The client libraries will retain support for ClientLogin authentication until 2013 API versions are sunset.

2013 AdWords API versions are expected to be sunset in June 2014. We will have a follow up announcement for DFP APIs.

For uninterrupted use of the APIs, please migrate to OAuth2 as soon as possible. To help you migrate, we’ve put together a comprehensive set of OAuth2 information including a video overview, links to documentation and a full list of client library resources.

With so many users already migrated, most questions have been answered in either the AdWords API forum or the DFP API forum. To get face-to-face assistance, attend one of our upcoming Office Hours sessions focusing on ClientLogin to OAuth2 migration.

- Paul Matthews, AdWords API Team