unable to retrieve data from adwords REST API USER_PERMISSION_DENIED

360 views
Skip to first unread message

Brian Maynard

unread,
Sep 23, 2021, 4:40:46 AM9/23/21
to AdWords API and Google Ads API Forum
Hi,

I have been trying to figure this out now for about 3 weeks. Who would have thought that a REST API can be complicated. So I have tried many things to get this to work. In fact I can't even remember half the things I've tried.

But here goes.
I have a product manager account under which I have created a dev token. It is currently under level: Test account.

I then go the the OAuth 2.0 Playground
Step 1 - Select  https://www.googleapis.com/auth/adwords Then Authorize API's
            - I then select a manager account. The one used to create the dev token and           allow  access using this account
Step 2 - Exchange authorization code for token
Step 4 - In the headers I add developer-token and add the dev token. I also add login-customer-id = to the product managers Client ID

For the request URI I put: https://googleads.googleapis.com/v8/customers/{Test client ID}
It then returns. (I can even replace the Test client ID with the manager ID. It makes no differance) 

HTTP/1.1 403 Forbidden Content-length: 732 X-xss-protection: 0 X-content-type-options: nosniff Transfer-encoding: chunked Request-id: -eaa2Fc5qZjn0EGFVEJkaA Vary: Origin, X-Origin, Referer Server: ESF -content-encoding: gzip Cache-control: private Date: Thu, 23 Sep 2021 08:28:33 GMT X-frame-options: SAMEORIGIN Alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Content-type: application/json; charset=UTF-8{
  "error": {
    "status": "PERMISSION_DENIED",
    "message": "The caller does not have permission",
    "code": 403,
    "details": [
      {
        "errors": [
          {
            "errorCode": {
              "authorizationError": "USER_PERMISSION_DENIED"
            },
            "message": "User doesn't have permission to access customer. Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header. See https://developers.google.com/google-ads/api/docs/concepts/call-structure#cid"
          }
        ],
        "@type": "type.googleapis.com/google.ads.googleads.v8.errors.GoogleAdsFailure",
        "requestId": "-eaa2Fc5qZjn0EGFVEJkaA"
      }
    ]
  }
}

If I replace the Test client ID with a production Client ID. I get
HTTP/1.1 403 Forbidden Content-length: 593 X-xss-protection: 0 X-content-type-options: nosniff Transfer-encoding: chunked Request-id: vFtxYPFFlbkPLYz9dD4cBQ Vary: Origin, X-Origin, Referer Server: ESF -content-encoding: gzip Cache-control: private Date: Thu, 23 Sep 2021 08:32:20 GMT X-frame-options: SAMEORIGIN Alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Content-type: application/json; charset=UTF-8{
  "error": {
    "status": "PERMISSION_DENIED",
    "message": "The caller does not have permission",
    "code": 403,
    "details": [
      {
        "errors": [
          {
            "errorCode": {
              "authorizationError": "DEVELOPER_TOKEN_NOT_APPROVED"
            },
            "message": "The developer token is not approved. Non-approved developer tokens can only be used with test accounts."
          }
        ],
        "@type": "type.googleapis.com/google.ads.googleads.v8.errors.GoogleAdsFailure",
        "requestId": "vFtxYPFFlbkPLYz9dD4cBQ"
      }
    ]
  }
}

Which is expected.

What would be the url end point for getallcustomer? I want to send a request to see which customer ID's are linked to the test account. I'n this way I could try work out which text accounts I can access.

Any assistance with this would be greatly appreciated.

Just on a side note. Why does the OAuth 2.0 Playground not return any info if the "List possible operations" button is pressed  








Google Ads API Forum Advisor

unread,
Sep 23, 2021, 12:29:30 PM9/23/21
to brian.m...@gmail.com, adwor...@googlegroups.com

Hi Brian,

Thanks for posting your concern to us.

Upon checking logs, it appears that you’ve encountered ‘USER_PERMISSION_DENIED' error. The ‘USER_PERMISSION_DENIED’ usually occurs due to incorrectly setting the 'login-customer-id’ in the request or not specifying login-customer-id in the request. Note that when a user doesn't have permission to access a customer and you’re accessing a client customer then the manager's customer ID must be set in the 'login-customer-id’ in the header request.

To resolve this, you will need to ensure that your OAuth2 credentials were generated while logged in as the user / email address that has access to the customer ID in your request. Also, if the said user / email address is one that has access to the MCC / manager of the customer account, then you may specify the MCC / manager account's ID as the login-customer-id.

Furthermore, note that you received the DEVELOPER_TOKEN_NOT_APPROVED error when you tried to access the production accounts with the test developer access. It is intended to get the error DEVELOPER_TOKEN_NOT_APPROVED, since you would need to request for at least a basic access level for developer token if you would be making calls to your production Google Ads accounts, by filling up and submitting this application form.

For your question “What would be the url end point for getallcustomer?“, you may use the method: customers.listAccessibleCustomers in order to return resource names of customers directly accessible by the user authenticating the call.

Could you share the documentation you were referring to when you mentioned "OAuth 2.0 Playground not return any info if the "List possible operations" button is pressed"?

Regards,

Google Logo
Yasar
Google Ads API Team
 


ref:_00D1U1174p._5004Q2OTOP6:ref

Brian Maynard

unread,
Sep 28, 2021, 5:46:46 AM9/28/21
to AdWords API and Google Ads API Forum
Hi Yasar,

Thanks for the info. But I still can't get this to work.

Where are you checking the logs?

I set the following in the header:
login-customer-id: <  manager ID found in the top right-hand corner of the screen when logged in>
developer-token: < This is the token I created using the manager ID set above>

I then send the following:

The response is:
{
  "error": {
    "status": "PERMISSION_DENIED",
    "message": "The caller does not have permission",
    "code": 403,
    "details": [
      {
        "errors": [
          {
            "errorCode": {
              "authorizationError": "DEVELOPER_TOKEN_PROHIBITED"
            },
            "message": "Developer token is not allowed with project '407408718192'."
          }
        ],
        "@type": "type.googleapis.com/google.ads.googleads.v8.errors.GoogleAdsFailure",
        "requestId": "EB6r90sXKfuernRX9e1yJA"
      }
    ]
  }
}

Google Ads API Forum Advisor

unread,
Sep 28, 2021, 3:00:20 PM9/28/21
to brian.m...@gmail.com, adwor...@googlegroups.com
Hi Brian,

Yasar is talking about the logs that were attached in previous interaction. Please refer to the common error documentation for more information regarding the error in latest interaction and how to prevent this error:
https://developers.google.com/google-ads/api/docs/best-practices/common-errors?hl=en#developer_token_prohibited

Thanks,
Google Logo
Lakshmi Prathipati
Google Ads API Team
 


ref:_00D1U1174p._5004Q2OTOP6:ref
Reply all
Reply to author
Forward
0 new messages