Persistent PERMISSION_DENIED on Test Account Despite Correct Admin Access (Token Refresh is Successful)

6 views
Skip to first unread message

peacock Analytics

unread,
12:56 AM (13 hours ago) 12:56 AM
to Google Ads API and AdWords API Forum

Hi,

I'm blocked by a persistent PERMISSION_DENIED error when trying to make a simple, read-only query to a Google Ads Test Account.

I can get a new refresh token, and I can successfully use that refresh token to get a new access token. However, when I use those same credentials to make an API call, I get PERMISSION_DENIED, even though the UI confirms my user has "Admin" access on both the Manager and the Test account.

Failing Request Details:

  • Target Customer ID: [TEST_ACCOUNT_ID]

  • Manager Account (for login-customer-id header): [MANAGER_ACCOUNT_ID]

  • GAQL Query: SELECT campaign.id, campaign.name FROM campaign

Exact Error Message:

Error: PERMISSION_DENIED Message: User doesn't have permission to access customer. Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header.

Summary of Troubleshooting Already Performed:

  • GCP Project: Confirmed OAuth Consent Screen is "In Production" and the Google Ads API is enabled.

  • Ads Account Hierarchy: Confirmed a simple hierarchy (1 Manager, 1 Test Account) and that my user has "Admin" access to both accounts in the UI. The Test Account is active and has a sample campaign.

  • Token Validity: Confirmed via a standalone script that a fresh token (obtained after revoking app access on myaccount.google.com/permissions) can be successfully refreshed.

  • Code/Config: Confirmed the correct [MANAGER_ACCOUNT_ID] is used for the login-customer-id and the correct Developer Token is used.

Given that the token refresh is successful and the user permissions appear correct in the UI, what could be the remaining cause for a PERMISSION_DENIED error? Are there known issues with permission propagation or other settings not visible in the "Access and security" screen?

Thank you.

Google Ads API Forum Advisor

unread,
3:19 AM (10 hours ago) 3:19 AM
to peacock...@gmail.com, adwor...@googlegroups.com

Hi,

Thank you for contacting the Google Ads API support team.

Upon reviewing your concern, I understand that you are getting the USER_PERMISSION_DENIED error. This error indicates the user doesn't have permission to access the customer. In order to resolve this error, you need to ensure the following points:

  • The email Id that you're using to generate OAuth credentials is added to your Google Ads account with 'Admin' or 'Standard' access to perform mutate operations. You can refer to the access level help center article for more information on access levels. I understand that you have already ensured that you are having ‘Admin access’ to the account. 
  • If you're accessing the customer account, you need to specify the ‘login-customer-id’ as the manager account ID without hyphens (-). Client libraries have built in support for this. You can refer to the API documentation for more information. Please note that login-customer-id should be the MCC Id of the manager account under which the customer account (which you are trying to access) is present. Based on the provided description, I understand that you have mentioned ‘login-customer-id’ correctly. 

As per the provided description, it seems that you have satisfied both the above conditions. Therefore, in order to investigate the issue further and to check why you are getting the error, please provide the following details to us:

  • Your Google Ads customer Id and MCC Id.
  • The email Id used to generate OAuth credentials and make API calls.
  • Execute List Accessible Customers and provide us the complete API request and response logs, you may also check this API documentation for more information.
  • Complete API logs (request and response with request-id and request header) generated at your end for the specified error without redacting any information. If you are using a client library and haven't enabled the logging yet, I would request you to enable logging for the specific client library that you are using. You can refer to the guides Java, .Net, PHP, Python, Ruby or Perl to enable logging at your end. For REST interface requests, you can enable logging via the curl command by using the -i flag.

You can send the details via Reply privately to the author option, or direct private reply to this email.

Thanks,
 
Google Logo Google Ads API Team

Feedback
How was our support today?

rating1    rating2    rating3    rating4    rating5
[2025-10-15 07:18:37Z GMT] This message is in relation to case "ref:!00D1U01174p.!500Ht01vQqvI:ref" (ADR-00335554)



Reply all
Reply to author
Forward
0 new messages