Google Ads API v21 – Cannot create Performance Max campaign in test account (MCC + OAuth)

[alisson blaas]

https://www.googleapis.com/auth/adwords
After login, I store in my database:

access_token

refresh_token

customer_id (from listAccessibleCustomers)

The user that logs in has admin role in the MCC.

3. API Requests (REST v21)
All requests are made with headers:

json
Copy
Edit
{
  "Authorization": "Bearer <user_access_token>",
  "developer-token": "<mcc_dev_token>",
  "login-customer-id": "<MCC ID or client account ID>",
  "Content-Type": "application/json"
}
Example endpoint:

bash
Copy
Edit
POST https://googleads.googleapis.com/v21/customers/{client_customer_id}/campaignBudgets:mutate
4. Current Flow
Refresh token → Works fine, I get valid access tokens.

Create budget → Works fine, I get a valid budgetResourceName.

Create campaign (Performance Max) → Always fails.

Payload example:

json
Copy
Edit
{
  "operations": [{
    "create": {
      "name": "my-test-campaign",
      "status": "PAUSED",
      "advertisingChannelType": "PERFORMANCE_MAX",
      "campaignBudget": "customers/{customerId}/campaignBudgets/123",
      "maximizeConversions": {},
      "startDate": "2025-08-22",
      "endDate": "2025-12-31",
      "containsEuPoliticalAdvertising": "DOES_NOT_CONTAIN_EU_POLITICAL_ADVERTISING"
    }
  }]
}
5. Errors
Case A: login-customer-id = MCC ID

vbnet
Copy
Edit
403 PERMISSION_DENIED
User doesn't have permission to access customer.
Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header.
Case B: login-customer-id = Client Account ID

bash
Copy
Edit
403 PERMISSION_DENIED
errorCode: USER_PERMISSION_DENIED
The caller does not have permission
In both cases, I cannot create the campaign.

6. My Question
My developer token is linked to the MCC.

The OAuth’d user has admin access in the MCC.

I tried both with login-customer-id = MCC ID and client account ID.

Budgets can be created, but campaigns always fail.

What is the correct setup so I can successfully create a Performance Max campaign in a client account under my MCC in sandbox/test mode?

Do I need to grant the OAuth user explicit admin access inside each client account individually (not only in the MCC)?

Or is there another required step for test campaigns with red-label accounts + test developer tokens?

[Google Ads API Forum Advisor]

Hi,

Thank you for contacting the Google Ads API support team.

Upon reviewing your concern, I understand that you are getting the USER_PERMISSION_DENIED error. This error indicates the user doesn't have permission to access the customer. In order to resolve this error, you need to ensure the following points:

• The email Id that you're using to generate OAuth credentials is added to your Google Ads account with 'Admin' or 'Standard' access to perform mutate operations. You can refer to the access level Help Center article for more information on access levels. 
• If you're accessing the customer account, you need to specify the ‘login-customer-id’ as the manager account ID without hyphens (-). Client libraries have built in support for this. You can refer to the API documentation for more information. Please note that login-customer-id should be the MCC Id of the manager account under which the customer account (which you are trying to access) is present. So, we will only take into consideration case A.

Following the above suggestions should resolve the USER_PERMISSION_DENIED error. If you are still facing any issues, then in order to investigate the issue further, kindly provide the following details to us:

• The email Id used to generate OAuth credentials.
• Execute List Accessible Customers and provide us complete API request and response logs, you may also check this API documentation for more information.
• Complete API logs (request and response with request-id and request header) generated on your end for the provided error without redacting any information. If you are using a client library and haven't enabled the logging yet, I would request you to enable logging for the specific client library that you are using. You can refer to the guides Java, .Net, PHP, Python, Ruby or Perl to enable logging at your end. For REST interface requests, you can enable logging via the curl command by using the -i flag.

With regard to the creation of the Performance Max campaign, I would recommend you to refer to the Getting Started with Performance Max guide in order to know the requirements for creating a PMax campaign. For example, the budget being used for PMax campaign should satisfy the following 2 conditions:

• The budget must have a DAILY budget period (learn more).
• The budget cannot be shared.

Additionally, it seems that you are trying to create a non retail PMax campaign. Please note that in a non-retail Performance Max campaign, you must create an AssetGroup along with all associated AssetGroupAsset objects containing the minimum required assets in a single bulk mutate request. You can follow this guide to understand how to structure the bulk mutate request and the necessary order of operations for setting up an asset group. For more detailed information, you can refer to the documentation.

When a Performance Max campaign is linked to a Google Merchant Center account, it is classified as a retail campaign. In such cases, the system automatically generates the minimum required set of assets. This is why you can create AssetGroup objects in retail campaigns without manually meeting the minimum asset requirements. However, asset requirements may still apply to retail campaigns under certain conditions.

You can send the details via Reply privately to the author option, or direct private reply to this email.

Thanks,
 

Google Ads API Team

Feedback
How was our support today?

               
[2025-08-22 03:27:15Z GMT] This message is in relation to case "ref:!00D1U01174p.!500Ht01u4w6w:ref" (ADR-00330679)