Link between Developer Token and OAuth2

[Thomas Leclaire]

Hello! 

I'm currently reviewing some permissions in my company and I don't understand how the ads api was configured. 

In particular i'm trying to understand where is defined the link between oauth2 and the developer token. Is there some mapping only visible on Google side? 

In my case, the oauth identification is defined on a standard google project owned by an user who has no link with the MCC, therefore I don't understand how it can work. 

Moreover, my developer token is created on one MCC. but with the api we act on another MCC (which is not a child of the first one). How is it possible? 

Everything works today but it's pretty obscure why.

thanks for any explanation!

Thomas

[Google Ads API Forum Advisor Prod]

Hi Thomas,

Thank you for reaching out. The developer token itself is just a key used to access the API. It could be used for different accounts even if those accounts might not be in the hierarchy of the MCC account which holds the developer token. The OAuth2 credentials are created using the user email login of the manager account of the target client customer accounts and these OAuth2 credentials(clientId and clientSecret) are configured in a project in Google API Console. All these work together to ensure the API call is successful.

Thanks and regards,
Xiaoming, Google Ads API Team
 

Xiaoming Google Ads API Team

ref:_00D1U1174p._5004Q28lIIu:ref

[Zweitze]

Let me offer an alternative explanation.

Both OAuth2 client and MCC developertoken are intended to identify the developer. To understand this you've got to consider history. The MCC developertoken was first. At that time (we're talking 2005 here, OAuth2 did not exist) you had to pay for API usage, and the MCC has possibilities to store credit cards, show invoices, etc. Plus it offered some user management - Developertokens were never lost, they were always visible in the MCC.

Apart from invoicing and user management, a compliance team in Google wants to know in advance what you intend to do with the API. They may consider your monthly spending. You have to submit your plans, and a few weeks or months later you get your developertoken. But: your plans can also be rejected.

Around 2011 OAuth2 was introduced, its main feature is that it was much faster - and it was much safer too. OAuth2 intends to do the same - identify developers. AdWords API was one of the last Google APIs to move to OAuth2 - others like GMail, Analytics etc. were migrated years before. So, by then OAuth2 came with an infrastructure ("Developer Console") that was taylored to the wishes of other APIs, and did not completely match the wishes of Google Ads. The lacking features are solved by keeping the developertoken alive.

There you have it. They are essentially the same but some minor details lead to this situation.

What are the differences? Like I said, security and speed. OAuth2 is the way to go. Further:

• In Developer Console, you can only add an API or remove it, and before usage you may have to agree with extra Terms and Conditions. But Developer Console has no system to allow a manual review before granting access, as is the case with MCC.
• MCC links a developer to the advertising amount being spent. This doesn't always say much -some applications are created for mainly external users- but you can imagine that the compliance team allows more from companies spending a lot on Google ads. It works the other way around too, if you apply and state that the software will only be used internally, and you don't spend any money inside your MCC, you probably won't get approved.
  
• There is an issue with definitions. In OAuth2 you are supposed to create a client for every piece of software (communicating with the API) you make.  In the MCC this is different: the MCC web interface allows only one developertoken. You can work around this limitation by having sub-MCCs which can get their own developertokens. But this is legally not allowed, see Terms & Conditions.

Note: as I've been around for a while, some information may be outdated. But I think I got the essence right.

I hope this offers some additional understanding.

[Google Ads API Forum Advisor Prod]

Hi Zweitze,

Thanks for providing useful information to other people in the forum. We appreciate your efforts and hope you could keep up the good work. 

Thanks and regards,
Xiaoming, Google Ads API Team

[Zweitze]

You made me blush!

I'm glad to help out every now and then.

[Thomas]

Thx to both of you!

It's really more explicit now!

@Xiaoming, I really think the doc could be improved to be a few more explicit on these points. https://developers.google.com/google-ads/api/docs/first-call/dev-token

[Google Ads API Forum Advisor Prod]

Hi Thomas,

Thank you for your suggestion and our team will improve the documentation to provide more explicit information on this topic. We really appreciate it! 

Thanks and regards,
Xiaoming, Google Ads API Team