I am working on a project to let a client authorize their google ads account, and then use those authorized credentials to download data on their behalf. I have a webapp that successfully Authorizes the app to do things on the clients behalf. This generates an access code that I then trade for two credentials, an access token and a refresh token. This refresh token then gets passed to a database, where a separate app attempts to query the googleAds API. It is my understanding that the Google Oauth engine only needs the refresh token.

I am trying to authorize by use of load_from_dict() or load_from_env() methods of the GoogleAdsClient class. Both yield the same error: google.auth.exceptions.RefreshError: ('invalid_client: Unauthorized', {'error': 'invalid_client', 'error_description': 'Unauthorized'})

I have verified the developer_token, client_id, and client_secret are all accurate to what is in the API console. I have also verified the refresh_token is being passed correctly to the credential dict.

I am really at a loss on where to go from here. I have read many stack overflow threads with similar titles, and yet I am still stuck at the same place.

Here are some relevant links.

Google Ads API configuration

Google Identity and Server side web apps

Google's example of an API call

Relevant code

class GoogleAds: def __init__(self):     self.scope = ['https://www.googleapis.com/auth/adwords']     self.client_id = os.getenv('GOOGLE_ADS_CLIENT_ID')     self.client_secret = os.getenv('GOOGLE_ADS_CLIENT_SECRET')     self.developer_token = os.getenv('GOOGLE_ADS_DEVELOPER_TOKEN')     self.refresh_token = os.getenv('GOOGLE_ADS_REFRESH_TOKEN') def authorize(self):     credentials = {         "developer_token": self.developer_token,         "refresh_token": self.refresh_token,         "client_id": self.client_id,         "client_secret": self.client_secret,         "use_proto_plus":"True",         "grant_type": "refresh_token",     }     print(credentials)     googleads_client = GoogleAdsClient.load_from_dict(credentials)     service = googleads_client.get_service("GoogleAdsService")     request = googleads_client.get_type("SearchGoogleAdsRequest")     return service, request 

I've been using 2 REST API calls to batch upload google offline click conversions. One generates the Access Token. The other is the API call to upload the offline click conversions.

All was well for a few weeks until suddenly we started getting invalid_grant messages in the JSON when trying to generate the Access Token. No clue why -- and we received no email or anything from Google on this. It just stopped working and the invalid_grant error was cryptic and the online help didn't explain much.

I resolved this issue by following this video to generate a new Refresh Token in the Google oAuth Playground:

https://youtu.be/KFICa7Ngzng

So, my question is -- can we automate this somehow? I can trap the invalid_grant JSON response and then would like to do some series of REST API calls to generate a new Refresh Token. Or, would I need to switch from a Web Application Type to a Service Account Type on the oAuth?

I also researched what might have caused the Refresh Token to expire. I looked at the following page and none of those bullet items applied to my situation:

https://developers.google.com/identity/protocols/oauth2#expiration

I have multiple Google ads account(multiple google ads account associated with one email account) . If I give access of my google ads account to third party app will they have access to all the google ads account?

If the third party app can access all of my google ads account how do I restrict them to access only 1 account that I want.

I want to develop a console application that pulls all campaigns under adwords accounts using Google Ads Api. But I could not pass the authentication step.

I do not fully understand whether I should use the Service Account or Desktop Application Flow for this process.

GoogleAdsConfig config = new GoogleAdsConfig()             {                 DeveloperToken = "Dev_token",                 OAuth2Mode = Google.Ads.GoogleAds.Config.OAuth2Flow.APPLICATION,                 OAuth2ClientId = "client_Id",                 OAuth2ClientSecret = "secrret",                 OAuth2RefreshToken = " refresh_token",              }; GoogleAdsClient client = new GoogleAdsClient(config); GoogleAdsServiceClient googleAdsService = client.GetService(Google.Ads.GoogleAds.Services.V10.GoogleAdsService); googleAdsService.SearchStream(AdwordsClientId, query,                 delegate (SearchGoogleAdsStreamResponse resp)                 {                     foreach (GoogleAdsRow adsRow in resp.Results)                     {                      }                 }             ); 

When I try as above, I get the following error

Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Unauthorized", Uri:""

What paths should i follow? Thank you.

I am looking for a way to run a simple R script using the "rgoogleads" library to fetch Google Ads data on a debian VM and send to database. Unfortunately, I cannot use the browser that is needed to perform the authorization. Is there a way around?