User in the cookie is not an Ads User Error.

126 views
Skip to first unread message

Jorge Martinez

unread,
Jan 31, 2023, 5:14:10 PM1/31/23
to Google Ads API and AdWords API Forum
Hello, I am trying to hit the endpoint https://googleads.googleapis.com/v12/customers/{{customerId}}:uploadClickConversions to upload some events.

I use a JWT to hit the Google Authorization Server, which seems to format correctly as I get an access token back. 

This is my scope of my JWT after decoding and info. 

{
  "iss": "xxxxxx...@static-drive-cms.iam.gserviceaccount.com",
  "scope": "https://www.googleapis.com/auth/adwords",
  "aud": "https://oauth2.googleapis.com/token",
  "exp": 1675204050,
  "iat": 1675200450,
  "sub": "xxxxxxx...@static-drive-cms.iam.gserviceaccount.com"
}

I send my JWT to the endpoint https://oauth2.googleapis.com/token with grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer and assertion: {{insertJWT}}.

I get this response which I use the access_token in my Google Ads API Call .

{
"access_token": "ya29.c.b0Aaekm1Ktg5WmcpXyLcU0lFMJcaXg2t8BkANds3O7UeV2uadd-JSBOToMiEQhjsXXNk........................",
"expires_in": 3599,
"token_type": "Bearer"
}

When I get the access_token back and try to use it in the Authorization: "Bearer {{access_token}}" Request Header along with my Developer-Token:""{{developer-token}}. I get this error: User in the cookie is not a valid Ads user

{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.ads.googleads.v12.errors.GoogleAdsFailure",
        "errors": [
          {
            "errorCode": {
              "authenticationError": "NOT_ADS_USER"
            },
            "message": "User in the cookie is not a valid Ads user."
          }
        ],
        "requestId": "DwvWVpR4cs3A9_RsKjhIlw"
      }
    ]
  }
}


What seems to be the error that I'm doing? 

Thanks!
Message has been deleted

Google Ads API and AdWords API Forum

unread,
Feb 1, 2023, 12:04:30 PM2/1/23
to Google Ads API and AdWords API Forum
Re-posting the last inquiry (https://groups.google.com/g/adwords-api/c/ppmdz1ChPNI) from the forum as it wasn't routed to our support queue.

Regards,
Carmela
Google Ads API Team

Google Ads API Forum Advisor

unread,
Feb 1, 2023, 5:28:17 PM2/1/23
to adwor...@googlegroups.com

Hi there,

Thanks for reaching out to the Google Ads API Forum.

I can see that you are trying to use service account authentication to access Google Ads API and encountered an NOT_ADS_USER error. The NOT_ADS_USER error is encountered when the service account has not been correctly linked to the Google Ads account via the OAuth2 assertion flow. Please take note that the email address you may have used to generate the credentials should have access or be associated with Google Ads accounts. 

In order to connect to Google Ads API using a Google service account, you will need a Google Workspace domain since it is a prerequisite for using service accounts. Also, you may double check if you already followed all the mentioned requirements:

  1. The service account that you created needs to be granted domain wide delegation access by a super administrator for the domain.
  2. Using a Google Ads user with permissions on the Google Ads account you want to access. 
  3. Make sure that you have your own domain registered with Google Workspace.
  4. Service account will have the ability to impersonate any user in the domain

 

You may refer to this API documentation that discusses how to access the Google Ads API with service accounts. 

However, kindly note that, we strongly recommend using OAuth2 installed app or web flows instead of service accounts unless you need domain-specific features (for example, impersonation). OAuth2 installed application and web flows require user interaction only once, when access to the account is granted. You need to implement the code set up on your end to make calls using service accounts. 

In addition, you can refer to this guide for generating a refresh token using the client library. And the OAuth 2.0 Playground to generate refresh token and access token using REST. This Youtube video is very useful in understanding the process. For more information, you may refer to this page.

Regards,

Google Logo
Yasar
Google Ads API Team
 


ref:_00D1U1174p._5004Q2iUcQg:ref
Reply all
Reply to author
Forward
0 new messages