PERMISSION_DENIED -> ACCESS_TOKEN_SCOPE_INSUFFICIENT
Jorge Sauri
We have a Google Cloud Project setup with API access for Google Ads. We have a website where we have a Google Sign In page and consent screens setup. The project is in a Publishing Status of "Testing" and User Type of "External". We have two test users added to the project. One is within our own organization and has a Google Ads Test Account. The other is outside the organization with a live Google Ads account.
When we attempt to pull a ListAccessibleCustomers via the PHP library, using the refresh token with offline access granted and scopes for /auth/Adwords it works correctly for the user with a Google Ads Test Account. It fails for the user with a live Google Ads account with the error:
PERMISSION_DENIED -> ACCESS_TOKEN_SCOPE_INSUFFICIENT
We have verified the refresh token is correct by having the user clear cache, delete our application from the third party applications list under their Google Account page, and then login to our application and generate a new refresh token. This refresh token is the one used by the PHP library to make the Google Ads call.
The developer token for Google Ads associated with this project has Basic Access.
The question is can projects in External - Testing access Google Ads LIVE accounts outside the organization?
Google Ads API Forum Advisor
Thank you for reaching out to the Google Ads API support team.
By reviewing your query, I understand that you are getting the error "PERMISSION_DENIED". It means a user doesn't have permission to access a customer and you’re accessing a client customer using 'login-customer-id’ in the request. To address the above error, you will need to ensure that the user / email address you used to generate the credentials indeed has access to the account in your request. If the user / email address has access or is associated with the MCC / manager account, you will need to specify the said MCC / manager account ID as the value of the login-customer-id field.
However, If you are still facing the issue, please provide us with the (request and response with request-id and request header) and uncropped UI screenshots to further investigate this issue.
If you are using a client library and haven't enabled the logging yet, I would request you to enable logging for the specific client library that you are using. You can refer to the guide PHP to enable logging at your end. For REST interface requests, you can enable logging via the curl command by using the -i flag.
Thanks,
 |
Google Ads API Team |
Google Ads API Forum Advisor
Thank you for reaching out to the Google Ads API support team.
By reviewing your concern, I understand that you are getting the error "PERMISSION_DENIED". It means a user doesn't have permission to access a customer and you’re accessing a client customer using 'login-customer-id’ in the request. To address the above error, you will need to ensure that the user / email address you used to generate the credentials indeed has access to the account in your request. If the user / email address has access or is associated with the MCC / manager account, you will need to specify the said MCC / manager account ID as the value of the login-customer-id field.
However, If you are still facing the issue, please provide us with the (request and response with request-id and request header) and uncropped UI screenshots to further investigate this issue.
If you are using a client library and haven't enabled the logging yet, I would request you to enable logging for the specific client library that you are using. You can refer to the guide PHP to enable logging at your end. For REST interface requests, you can enable logging via the curl command by using the -i flag.