Google Ads API Developer Token Protection in Desktop App Environment

[Yao Kou]

Dear Google Ads API Team,

I am currently developing an application that utilizes the Google Ads API for our customers. I want to seek clarification and guidance on a matter regarding the security of our own developer token.

Our application is being designed both for cloud and desktop app environment, and the desktop environment means the app would be deployed directly onto the customers' machines. This raises a considerable security concern, as there is a potential risk of our developer token being leaked or compromised.

Therefore, I would appreciate some advice or answers on the following:

1. Is our use case scenario, where the application with our developer token is deployed on the customer's machine, supported or suggested by the Google Ads API?
2. If it is, what measures or protections can we take or what best practices can we follow to ensure the maximum security of our developer token?

Thanks,

Yao

[Google Ads API Forum Advisor]

Hi Yao,

Thank you for contacting the Google Ads API support team.

The Google Ads API does support deploying your application on customers' machines. It is important to take appropriate security measures to protect your developer token and ensure compliance with our policies. To mitigate the risk of your developer token being leaked or compromised, consider using OAuth 2.0 authorization. OAuth allows you to access user data without storing their credentials on your server. OAuth allows users to grant your application access to their Google Ads account without sharing their credentials. This reduces the risk of your developer token being compromised. Let us know if you have any further queries.
 
This message is in relation to case "ref:!00D1U01174p.!5004Q02tJ3PA:ref" (ADR-00235956)

Thanks,
 

Google Ads API Team

[Yao Kou]

Dear Team,

Thank you for your response. We are indeed already utilizing OAuth in our application. However, my primary concern still remains on the protection of our developer token on the customers' machine, which is mandatory to use per the API requirements.

Could you kindly elaborate on any specific measures or mechanisms that Google Ads API provides and I can leverage to further safeguard the developer token? Any best practices, guidelines, or recommendations in this regard would be immensely appreciated.

Thanks,

Yao

[Google Ads API Forum Advisor]

Hi Yao,

Currently to make an API call, a developer token is a mandatory input to provide in the request. As announced in the blog, we are accepting early sign-ups for a Google Ads API pilot program that lets you make API calls without requiring a developer token. Your API access levels will instead be identified by your Google Cloud project IDs and Google Cloud organizations. You may check this guide for more information. Hope this helps.

[Yao Kou]

Dear team,

Thanks for your answer. It looks like there is no better way to protect the developer token than using Developer Token-less Pilot, otherwise we have to face the risk of the developer token being leaked. But it seems that this feature is still pre-release, do you know when it will be GA?

Thanks,

Yao

[Google Ads API Forum Advisor]

Hi Yao,

Yes, you are correct, this feature is not yet released. We cannot comment on the timeline when it will be available. Hence, I would suggest you to follow our blog post and Release notes to get any updates about the Google Ads API.