authorization error
N Y
I have a question about connecting to the API using the Google Ads API Client Library for PHP.
The following error occurs when running the API with an account that has basic access to the Google Ads API.
Request with ID 'xxxx' has failed.
Google Ads failure details: authorization_error: User doesn't have permission to access customer.
Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header.
See https://developers.google.com/google-ads/api/docs/concepts/call-structure#cid
I have two Google Ads accounts.
Account A: MCC Account
Account B: Google Ads account created from Account A
- Got a refresh token in account A.
- Account A has been set as the login customer ID.
- Account B has been set as the customer ID.
What should I do to resolve the error?
Thank you.
N Y
I will give you additional information.
The authorization error occurs when trying to create a keyword plan with the mutateKeywordPlans method.
Also, account A has administrative privileges for account B.
Please give me an answer.
Thnak you.
Google Ads API Forum Advisor
Hi there,
Thanks for reaching out to the Google Ads API Forum.
It appears that you have encountered an error USER_PERMISSION_DENIED. It usually indicates that the user / email address you used to generate your OAuth2 credentials does not have access to the customer ID you specified in your request. When a manager account that is higher in the account hierarchy. For example, let's say you have Manager Account M1, Manager Account M2, Client Account C1, and Client Account C2. The tree could look like this.
M1
/ \
M2 C1
|
C2
In this case, M1 would be the highest manager account, and you could use a refresh token from this account to make requests to M2, C1, and C2.
You may double check if the user / email address you used to generate your OAuth2 credentials indeed has access to the specified "login-customer-id" as MCC / manager account. That said, you will need to ensure that the user / email address you used to generate the credentials indeed has access to the account in your request. If the user / email address has access or is associated to the MCC / manager account, you will need to specify the said MCC / manager account's ID as the value of the login-customer-id field.
Also, you may check the MCC ID that used as "login-customer-id" in your request on Ads UI , and your email address used to generate OAuth credentials is listed under the Users or Users In Manager Accounts tabs in the Access and Security page, which lists all users that have permission to make changes to the Ads account and its children.
If the issue still persists, you may provide us the email address used to generate OAuth credentials, and complete logs in the format of the request and response logs along with the request-id, as seen in their respective links via reply privately to author option. For you to enable complete logs on your end for the client library, logging can be enabled by navigating to the Client libraries > Your client library (select PHP) > Logging documentation, which you can access from this link.
Regards,
|
||||||
ref:_00D1U1174p._5004Q2g1oOr:ref
N Y
I have double checked the account relationship.
- The e-mail address for OAuth2 authentication is the e-mail address of the MCC account.
- I prepared an ad account that the MCC account has administrative privileges for and set it to customer-id.
- I set the MCC account to login-customer-id.
I would like to provide the email address used to generate the OAuth credentials, and the complete logs.
Thank you.
Google Ads API Forum Advisor
Hi there,
Thanks for getting back to us.
I’m assuming that you already configured your PHP client library, and enabled logging on your end. For you to send complete logs ( request, response and request-id ) along with email address used to generated OAuth credentials to our team, you may use "reply privately to author" option on the right hand side of the page by clicking 3 vertical dots. You may also send the details via email support alias googleadsa...@google.com by referring to this forum thread.
Regards,