Cannot Access Directly Managed Client Accounts via Google Ads API (Permission Denied Despite Proper Header)

44 views
Skip to first unread message

Laurean Callander

unread,
Aug 1, 2025, 10:32:35 AMAug 1
to Google Ads API and AdWords API Forum
Hey guys, can any of you help shed light here?

I'm experiencing a persistent "USER_PERMISSION_DENIED" error when trying to access my directly managed client accounts via the Google Ads API, even though all credentials and login-customer-id headers are correctly configured.

Details:
- MCC Login (OAuth): have
- Affected Client Accounts: three
- Developer Token: Basic Access
- Request ID: have
- The API Center is enabled in the MCC
- Client ccounts are visible in `list_accessible_customers()` via API and are managed directly by this MCC
- Attempts to set `login-customer-id` at both client and request levels still result in permission denied
- These accounts are not accessible via the Google Ads API, and there's no way for them to accept API terms

My Console service account has also been added to these accounts as a fail safe and using it's JSON in my yaml.

I believe these accounts are API-ineligible due to missing backend flags.

What am I missing?

Thanks!

Google Ads API Forum Advisor

unread,
Aug 1, 2025, 3:48:18 PMAug 1
to pinellascreat...@gmail.com, adwor...@googlegroups.com

Hi,

Thank you for reaching out to the Google Ads API support team.

The USER_PERMISSION_DENIED error, which is a type of authorization_error, indicates that the user doesn't have permission to access the customer. According to our documentation, when accessing the customer, please specify the login-customer-id as the manager account ID without hyphens (-). Most client libraries have built-in support for this. Additionally, please verify that you have the correct access level for the Google Ads account you are trying to access.

Furthermore, ensure that the user/email address used to generate the credentials indeed has access to the account specified in your request. If the user/email address has access or is associated with the MCC/manager account, specify the MCC/manager account's ID without hyphens (-) as the value of the login-customer-id field.

If the error persists despite these steps, could you please provide us with the latest complete API logs (including (request and response with request-id and request header) generated from your end along with the email address used to generate the OAuth2 credentials?

If you are using a client library and haven't enabled the logging yet, I would request you to enable logging for the specific client library that you are using. You can refer to the guides for Java, .Net, PHP, Python, Ruby, or Perl to enable logging at your end. For REST interface requests, you can enable logging via the curl command by using the -i flag.

You can send the details via the Reply privately to the author option or direct private reply to this email.

Thanks,
 
Google Logo Google Ads API Team

Feedback
How was our support today?

rating1    rating2    rating3    rating4    rating5
[2025-08-01 19:47:01Z GMT] This message is in relation to case "ref:!00D1U01174p.!500Ht01sxkfL:ref" (ADR-00324398)



Reply all
Reply to author
Forward
0 new messages