User Type External VS Internal and Publishing status
Kirankumar Yenugutala
Google Ads API Forum Advisor
Hi Kirankumar,
Thank you for reaching out to us.
You may see my responses below for each question:
1) Should we create a Project in Google Console platform to fetch data from the Google Ads API? If no, what other steps must be taken?
- Yes, you need to configure a Google API Console Project for the Google Ads API, as credentials for accessing Google's OAuth2 servers are required in order to authenticate and authorize Google Ads users. You may check this documentation for more information : https://developers.google.com/google-ads/api/docs/first-call/oauth-cloud-project
2) Most internet sources instruct us that after obtaining the Developer token, we must create a client app in GCP console and collect clientid, client,secret, and refresh token. In addition, we must specify the userType to external or internal.
What if we set the user type to Internal, which means that only those with access to Google Cloud Platform can view the app? Can they access the app without authorization
Similarly, if it is an external user type, can anyone with a Gmail account access the data without authorization? Or, once we approve the authorization, only they will be able to access the data?
- To answer you in general, could you confirm if the one you are looking for is for the users to not be directly involved? If yes then you may check this documentation (https://developers.google.com/google-ads/api/docs/oauth/service-accounts) for more information on how to access the Google Ads API with service accounts.
- Kindly note that A service account is an account that belongs to your app instead of to an individual end user. Service accounts enable server-to-server interactions between a web app and a Google service. Your app calls Google APIs on behalf of the service account, so users aren't directly involved.
- However, A service account can only impersonate users (email addresses) in the same Google Workspace.
- On the other hand, We strongly recommend using OAuth2 desktop app or web app flow instead of service accounts unless you need a domain-specific feature (for example, impersonation). OAuth2 desktop app and web app flows do require an initial user interaction for granting access to the account, but are much simpler to set up.
- For the OAuth2 desktop app flow, you can persist a refresh token (which never expires) to obtain a new access token whenever necessary. When using one of our client libraries, you can authorize your app by filling out a configuration file.
3) I see that we may also set the Publishing status to Testing. So testing means it will provide test data? And if we want to utilize it in production, should we only use it in production?
- Kindly note that publishing status to In production is for instructions to avoid the refresh token expiring in 7 days.
Since these concerns are indeed also related to authorization and the API console, I would also suggest you reach out to their team via the links below, as they are also equipped to provide guidance on this matter.
- https://support.google.com/googleapi/answer/7014572?hl=en&ref_topic=7014869
- https://cloud.google.com/support-hub
Best regards,
 |
Google Ads API Team |
ref:_00D1U1174p._5004Q2l9ygd:ref
Kirankumar Yenugutala
Thank you so much for responding on this.
kindly provide me an explanation from the standpoint of APP security.
Google Ads API Forum Advisor
Hi Kirankumar,
Thanks for getting back with us.
With regards to your concern, you may refer to this documentation (link below) for more information about the User Type and Publishing status. This shows highlights to some key attributes and limitations of each combination of these settings.
Let me know if this clarifies your concerns.
Links included in this email:
- Documentation - https://developers.google.com/google-ads/api/docs/oauth/cloud-project#choose_a_user_type_and_publishing_status
Regards,