Google Ads API Problem

[Leo Nanami]

Hi Google Support,

We’ve successfully connected to the Google Ads API and obtained an access token at the MCC level.

In theory, this token should let us pull data for every account under that MCC, but we’re seeing inconsistent behavior—some accounts return data while others don’t.

Here is the example about the accounts that dont return data:

authorization_error: USER_PERMISSION_DENIED

message: "User doesn\'t have permission to access customer. Note: If you\'re accessing a client customer, the manager\'s customer id must be set in the \'login-customer-id\' header. See https://developers.google.com/google-ads/api/docs/concepts/call-structure#cid"

Status: Status{code=PERMISSION_DENIED, description=The caller does not have permission, cause=null}.

What are the most likely causes, and how can we fix them?

Thank you!

[Google Ads API Forum Advisor]

Hi,

Thank you for contacting the Google Ads API support team. 

Upon reviewing your concern, I understand that you are encountering a USER_PERMISSION_DENIED authorization error. This error indicates the user doesn't have permission to access the customer. In order to resolve this error, you need to ensure the following points:

• The email Id that you're using to generate OAuth credentials is added to your Google Ads account with 'Admin' or 'Standard' access to perform API operations. You can refer to the access level help center article for more information on access levels. 
• If you're accessing the customer account, you need to specify the ‘login-customer-id’ as the manager account ID without hyphens (-). Client libraries have built in support for this. You can refer to the API documentation for more information. 

Following the above provided points should resolve the USER_PERMISSION_DENIED error. If you are still facing any issues, then in order to investigate the issue further, kindly provide the following details to us:

• Google Ads customer Id used, login-customer-id provided (in case if you're accessing the customer account) and the email Id used to generate OAuth credentials.
• Note that this email ID should be present in your account with 'Admin' or 'Standard' access level.
• To check this from your end, I would suggest you to navigate to your Google Ads account > Admin > Access and Security > Users > Email ID with 'Admin' or 'Standard' access level should be present. I would recommend you to refer to this help center article 'Manage access to your Google Ads account' for more detailed information on how to add the access levels. 
• Execute List Accessible Customers and provide us complete API request and response logs, you may also check this API documentation for more information.
• Complete API logs (request and response with request-id and request header) generated on your end for the provided error without redacting any information. 

If you are using a client library and haven't enabled the logging yet, I would request you to enable logging for the specific client library that you are using. You can refer to the guides Java, .Net, PHP, Python, Ruby or Perl to enable logging at your end. For REST interface requests, you can enable logging via the curl command by using the -i flag.

You can send the details via Reply privately to the author option, or direct private reply to this email.

 

Thanks,
 

Google Ads API Team

Feedback
How was our support today?

               
[2025-09-19 12:29:53Z GMT] This message is in relation to case "ref:!00D1U01174p.!500Ht01u73zl:ref" (ADR-00333218)