Resetting Developer Token and Client Secrets

[Peter Lanser]

Hi,

we would like to reset our developer token and certain OAuth client secrets.

Does a reset invalidate existing tokens / secrets immediately or is there a chance to keep them valid for a certain amount of time for example?

Ánd will existing OAuth refresh tokens be affected by a change of an OAuth secret?

Regards,

Peter

[Vincent Racaza (AdWords API Team)]

Hi Peter,

You cannot reset on your end the developer token as the token is generated when you completed the sign-up for an MCC account (all the 3 steps in the guide). However, do you have any reasons (e.g. is it compromised or have you accidentally shared it to somebody?) on why you want to reset your developer token? If you wish to have your developer token be reset, I can notify the AdWords Compliance Team to confirm if this is possible.

In terms of OAuth2 credentials (client ID, client secret, refresh token), you can create a new client ID and secret in the Google API Console Credentials page. When you create a new client ID in the credentials page, it won't invalidate other existing client IDs unless you manually delete them in the credential page. When you delete a client ID, you cannot use it in your API requests as this will generate an error.

As for your refreshToken, since it is dependent of your clientId and clientSecret, then once you delete the two, this will invalidate all the refresh tokens associated to it. However, if your goal is to generate a new refresh token only for a specific client ID, then the old refresh token won't be invalidated unless you manually revoked its access or you have reached the limit of 50 refresh tokens (e.g. your 51st generation of refresh token will invalidate the first/oldest refresh token for a given client ID) per user/email account. You can check this guide for more information on this.

Furthermore, you can check this guide for more information on how to authenticate in the AdWords API.

Let me know if you have further clarifications.

Thanks,

Vincent

AdWords API Team

[Peter Lanser]

Hi Vincent,

actually you can reset the developer token: https://developers.google.com/adwords/api/docs/guides/reset-devtoken

Maybe my question was not clear enough. We had to reset our developer token and secrets of existing OAuth2 client configurations. My question would have been if these changes take effect immediately and if these changes have any effects on existing refresh tokens (of the reset OAuth2 configurations).

However, in the meantime we did these changes with the following outcomes:

- After reset the previous developer token is invalidated immediately.

- The same is true for resetting the secret of an existing OAuth2 credential. After the reset the previous secret is invalidated immediately.

- The existing refresh tokens (of the reset OAuth2 configuration) have not been invalidated by these changes. They are still valid.

Regards,

Peter

However, neither the reset of the developer token nor the reset of of an existing OAuth2 secret had any effects on existing refresh tokens of this (reset) OAuth credential.

[Vincent Racaza (AdWords API Team)]

Hi Peter,

My apologies for the confusion in regards to the developer token. Based on the guide, yes, you can always reset your developer token if you feel that this is compromised. In regards to the impact of resetting your developer token with your OAuth2 credentials, this does not have an impact. You can still use your current OAuth2 credentials (client ID, client secret, refresh token) with your new value of your developer token immediately. When you reset your developer token, the old developer token is also invalidated immediately.

For resetting your client secret in the Google API Console Credentials page, it will also invalidate immediately the old client secret for a given client ID. However, as you have tested (I have also tested this on my test account), this does not have any effect to the refresh token as generally, refresh token is tied up to your client ID. So if your client ID is still existing, and you did not delete it, then the refresh token will still be valid not unless you have reached the limit of 50 refresh tokens. If you really want to manually invalidate the refresh token, then you need to revoke it.

Let me know if my explanation is clear or if you have further clarifications.

[Peter Lanser]

Hi Vincent,

everything is clear now. Thanks four your answer.

Regards,

Peter