Confused by the Refresh and Access tokens when making API calls
157 views
Skip to first unread message
Alessandro
Jan 4, 2016, 8:30:59 AM1/4/16
to AdWords API Forum
For simplicity’s sake, here is my use case: I’m making a website that’s essentially a wrapper around Keyword Planner’s ability to see the monthly search volume of a keyword.
My question is around the OAuth2 authentication. I’m having a hard time wrapping my head around what needs to happen regarding authentication each time a user of the site makes a keyword request against the API.
I’m building it in Ruby on Rails. I’ve got my test/sandbox AdWords account all set up, I’ve got my oauth2 client id, secret, developer token, and customer id in the config file. Running the code in this example, I am able to get a verification code, which is then exchanged for a Refresh token, and Access token (which I guess expires in 60 minutes).
So, all is nice and good, I am able to run this code against the TargetingIdeaService and get results.
The part that confounds me is the Refresh token and Access token expiring. I just need any user to be able to come to the site and make an API call, and it be transparent to them what’s going on with authentication. The sample setup_oauth2.rb Ruby code writes to the adwords_api.yml file (in the console, it prompts me if I want to do so).
If this was code not run from the console, how would I make sure my tokens are valid/up to date with each request?
My question is around the OAuth2 authentication. I’m having a hard time wrapping my head around what needs to happen regarding authentication each time a user of the site makes a keyword request against the API.
I’m building it in Ruby on Rails. I’ve got my test/sandbox AdWords account all set up, I’ve got my oauth2 client id, secret, developer token, and customer id in the config file. Running the code in this example, I am able to get a verification code, which is then exchanged for a Refresh token, and Access token (which I guess expires in 60 minutes).
So, all is nice and good, I am able to run this code against the TargetingIdeaService and get results.
The part that confounds me is the Refresh token and Access token expiring. I just need any user to be able to come to the site and make an API call, and it be transparent to them what’s going on with authentication. The sample setup_oauth2.rb Ruby code writes to the adwords_api.yml file (in the console, it prompts me if I want to do so).
If this was code not run from the console, how would I make sure my tokens are valid/up to date with each request?
Michael Cloonan (AdWords API Team)
Jan 4, 2016, 12:56:06 PM1/4/16
to AdWords API Forum
Hello,
Once you set up a refresh token, that token does not expire under normal use and can be used repeatedly to make API calls. Fetching the refresh token, therefore, only has to be done once during development and subsequently stored for use during end user operation. When a user comes to your app to make an API request, the code will use the stored refresh token to generate a new valid access token, then use that access token for the actual API request.
If you are using the Ruby library, store the refresh token in the adwords_api.yml file as prompted, and the library will take care of fetching access tokens automatically when you use it to access the API services. If you would rather fetch access tokens from your stored refresh token manually, please see this guide, which describes exactly how to format the request.
Regards,
Mike, AdWords API Team
Reply all
Reply to author
Forward
0 new messages