Google Ads API - restrict permissions for one ad account
I'm developing an application for a client that needs to be hosted in one of their systems.
I already have a developer token and a functioning API but it has access to every ad account I own under my MCC.
I would like to have a token that only has access to a restricted subset of ad accounts, as I obviously cannot share my full token with the client.
I have already tried the service account authentication but it doesn't anwswer my needs.
edit: any tips on sharing secrets is welcome if the functionality is not natively supported by the API
There's a distinction between the developer token and the OAuth2 access token required to interact with the Ads API.
The developer token identifies your ownership of and responsibility for the application making the API calls. It is used to enforce your quota limits, for example. The developer token itself does not give permission to access any Google Ads accounts, it just proves that you have signed up successfully to the Ads API. As far as I know you are not supposed to share it with any other party. The OAuth2 access token is a grant given by a specific Google account. It determines the permissions to read or mutate a given Google Ads account, depending on the access level that the granting user itself possesses.To summarize: it's the access token that determines which Google Ads account you can access with an API call, not the developer token.
So to answer your question: you can create a new Google account and give it access rights to those Ads accounts that you want your client to be able to see. The OAuth2 credentials that you create using this Google account will then only be valid for API calls to the restricted set of Ads accounts.