AdWords Developer Tokens for Desktop Applications?


Drew Loika

Dec 28, 2016, 2:44:41 PM
to AdWords API Forum
What is the recommendation for desktop applications consuming the AdWords API? As per the docs:

What is a developer token?

A developer token is a unique combination of letters, numbers, and characters that identifies your AdWords API activity. It is your key to talking to the AdWords server and your clients' AdWords accounts. In order for us to identify your activity, you should include the developer token in the header of all your API requests.

To protect yourself from fraud, do not share your developer token with others. You can find your developer token through your AdWords API Center—accessible from your manager account's My Account tab.


A developer token is considered a secret, and is required in every message header. Normally an OAuth client ID/secret is used to negotiate refresh/access tokens and only those tokens are required for resource requests. This means the initial secret can be persisted securely in a service but user tokens can be managed by a desktop application.

How am I supposed to develop a desktop application yet keep my developer token secret without proxying EVERY request on behalf of EVERY one of my customers?

Vishal Vinayak (Adwords API Team)

Dec 28, 2016, 4:44:17 PM
to AdWords API Forum
Hi Drew,

To access an AdWords account's data via the API, you need two things: a developer token (associated with a manager account) and valid OAuth credentials (associated with the target AdWords account or the manager account of the target AdWords account). 

Access levels related to a developer token define the limits on your account (such as test vs production accounts and the number of operations that you can perform with your token). You are required to set your developer token in the SOAP header of your request, when trying to make an API call. OAuth credentials, however, can be used to control data access to a user on a particular account. The access token generated using the OAuth credentials should be set in the HTTP header of your request, when making an API call. This implementation is a part of all of our client libraries, which can be used to make API calls without having to go through the hassle of constructing the SOAP request manually (client libraries can be used to develop both Web and Desktop based applications). 

Hope this helps. If you have additional questions, please feel free to revert. 

Regards,
Vishal, AdWords API Team

Drew Loika

Dec 28, 2016, 4:56:57 PM
to AdWords API Forum
Thanks for the help Vishal. My question is regarding how Google expects my desktop product used by my customers to issue API requests while maintaining the secrecy of my developer token. Obviously this isn't possible as described, so does Google expect me to embed the token in the application and not maintain the secrecy of my developer token? Or are desktop applications just not supported for the AdWords API? Or...?

Zweitze

Dec 29, 2016, 5:47:23 AM
to AdWords API Forum
Hardcode your developer token in your software, do not put it in any (human readable) configuration file. Do not ship debugging files etc. with your software.

Note that when someone does retrieve your developer token, say by extensive debugging or monitoring, you have to change your developer token. That will be a tough decision because doing so will invalidate the software of all your users.
One way to get around that is to set up a service yourself that sends out the developer token, and have your software retrieve the developer token every 30 minutes or so.

Anash P. Oommen (AdWords API Team)

Dec 29, 2016, 10:41:03 AM
to AdWords API Forum
Hi Drew,

Pretty much what Zweitze mentioned. Another thought that comes to mind is to reset the developer token on a regular basis and then have your desktop application download a binary module (e.g. dll) from a licensed server. You'd probably want to shield against an HTTPS proxy like Fiddler too. Some discussion on this topic is here.

I would also recommend reaching out to the compliance team using this form: https://services.google.com/fb/forms/apicontact/. In addition to checking whether your technical approach is compliant with AdWords API T&Cs, you can also flag users who might be misusing your application to capture the devtokens.

Cheers,
Anash P. Oommen,
AdWords API Advisor.

Drew Loika

Jan 12, 2017, 6:00:36 PM
to AdWords API Forum
Thanks for the replies, guys. But won't the approaches you outline increase the time needed to steal my token from seconds to minutes at most? Unless I'm Netflix or Microsoft and I tightly control the factory where my unique secret is burned into my smart TV or Xbox, there is no such thing as a secret on a client device. (And actually, neither of those companies considers that approach safe, and they are in a constant arms race.)

Best,

Drew Loika
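
Added example, not part of the thread and not Google's code: a sketch of the proxying design raised in the first post, where the developer token stays on a server and the desktop application sends only the user's OAuth access token. The API namespace version, the SOAP element names, the placeholder token and the sample request are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Assumed API namespace/version, for illustration only.
API_NS = "https://adwords.google.com/api/adwords/cm/v201609"
# Placeholder; a real proxy reads this from server-side secret storage.
DEVELOPER_TOKEN = "PLACEHOLDER-DEV-TOKEN"

# Constructed sample of what the desktop client sends (no real token in it).
SAMPLE_BODY = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:aw="{API_NS}">'
    "<soap:Header><aw:RequestHeader>"
    "<aw:clientCustomerId>123-456-7890</aw:clientCustomerId>"
    "<aw:developerToken>client-supplied</aw:developerToken>"
    "<aw:userAgent>example-desktop-app</aw:userAgent>"
    "</aw:RequestHeader></soap:Header><soap:Body/></soap:Envelope>"
).encode()


def prepare_upstream(client_headers, client_body):
    """Return (headers, body) to forward upstream; raise ValueError to reject."""
    auth = client_headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or not auth[len("Bearer "):].strip():
        raise ValueError("missing user OAuth access token")
    # Refuse DTDs outright so entity-expansion payloads never reach the parser.
    if b"<!DOCTYPE" in client_body or b"<!ENTITY" in client_body:
        raise ValueError("DTDs are not accepted")
    try:
        envelope = ET.fromstring(client_body)
    except ET.ParseError as exc:
        raise ValueError("malformed XML") from exc
    if envelope.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP envelope")
    slots = envelope.findall(
        f"{{{SOAP_NS}}}Header/{{{API_NS}}}RequestHeader/{{{API_NS}}}developerToken"
    )
    if len(slots) != 1:
        raise ValueError("expected exactly one developerToken element")
    # Overwrite whatever the client sent; the real token never leaves the server.
    slots[0].text = DEVELOPER_TOKEN
    # Forward only what upstream needs; the user's access token passes through.
    headers = {"Authorization": auth, "Content-Type": "text/xml; charset=utf-8"}
    return headers, ET.tostring(envelope, encoding="utf-8")


if __name__ == "__main__":
    hdrs, body = prepare_upstream({"Authorization": "Bearer constructed-token"}, SAMPLE_BODY)
    print(hdrs["Authorization"], len(body))
```

A proxy like this must still authenticate and rate-limit its own callers, since any client that can reach it spends the quota tied to the developer token.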