Authentication
Stay organized with collections
Save and categorize content based on your preferences.
This document describes how to authenticate to the Ad Manager API. How you
authenticate depends on the interface you use and the environment where your
code is running, but all API requests must include an access token with the
Ad Manager API scope.
The Ad Manager client libraries use Application Default Credentials
to generate access tokens with the Ad Manager API scope. This guide shows
how to configure Application Default Credentials.
If you aren't using a client library, you still need to create credentials
and use them to authorize your requests.
For more information about authentication and authorization, see the
Using OAuth 2.0 guide.
Determine your authentication type
| Authentication type |
Description |
| Service Account
|
Choose this if you want to authenticate as dedicated
account rather than a particular person.
Learn more. |
| Web application
|
Choose this if you want to authenticate as any user
who grants permission to your application to access
their Ad Manager data.
Learn more |
| Local development
|
Choose this if you want to authenticate as your own
Google Account or a Service Account from your local
development environment. |
Enable the Ad Manager API
Enable the Ad Manager API in your
Google API Console Cloud Project.
If prompted, select a project, or create a new one.
Create credentials
Click the tab for your authentication type and follow the instructions to
create your credentials:
Service Account
On Google Cloud
To authenticate a workload running on Google Cloud, you use the credentials of
the service account attached to the compute resource where your code is
running.
For example, you can attach a service account to a Compute Engine virtual
machine (VM) instance, a Cloud Run service, or a Dataflow job. This approach
is the preferred authentication method for code running on a Google Cloud
compute resource.
For information about which resources you can attach a service account to,
and help with attaching the service account to the resource, see the
documentation on attaching a service account.
On-premises or on a different cloud provider
The preferred method to set up authentication from outside of Google Cloud is
to use workload identity federation; you create a
credential configuration file and set the GOOGLE_APPLICATION_CREDENTIALS
environment variable to point to it. This approach is more secure than
creating a service account key.
If you are not able to configure workload identity federation, then you must
create a service account and create a key for the service account:
Open the Google API Console Credentials page.
On the Credentials page, select Create credentials, then
select Service Account.
Click the email address of the service account that you want to create
a key for.
Click the Keys tab.
Click the Add key drop-down menu, then select Create new key.
Select JSON as the Key type and click Create.
Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path
of the JSON file.
Linux or macOS
export GOOGLE_APPLICATION_CREDENTIALS=KEY_FILE_PATH
Windows
set GOOGLE_APPLICATION_CREDENTIALS=KEY_FILE_PATH
Web application
Open the Google API Console Credentials page.
If prompted, select the project where you enabled the Ad Manager API.
On the Credentials page, select Create credentials, then
select OAuth client ID.
Select the Web application application type.
Fill in the form and click Create. Applications that use languages and
frameworks like PHP, Java, Python, Ruby, and .NET must specify authorized
redirect URIs. The redirect URIs are the endpoints to which the OAuth 2.0
server can send responses. These endpoints must adhere to Google's
validation rules.
After creating your credentials, download the client_secret.json file. Securely store the file in a location that only your application can access.
From here, follow the steps to obtain OAuth 2.0 access tokens
Local development
Set up Application Default Credentials (ADC) in your local environment.
Install the Google Cloud CLI, then initialize it by running the following
command:
gcloud init
Create local authentication credentials for your Google Account and set
the project ID to a project where the Ad Manager API is enabled:
gcloud auth application-default login --scopes="https://www.googleapis.com/auth/admanager"
gcloud auth application-default set-quota-project PROJECT_ID
Alternatively, authenticate as a Service Account setting the environment
variable GOOGLE_APPLICATION_CREDENTIALS to the path of your key file.
Linux or macOS
export GOOGLE_APPLICATION_CREDENTIALS=KEY_FILE_PATH
Windows
set GOOGLE_APPLICATION_CREDENTIALS=KEY_FILE_PATH
Service Account
- Go to your Ad Manager network.
- Click the Admin tab.
- Ensure that API access is enabled.
- Click the Add a service account user button.
- Fill in the form using the service account email. The
service account user must be added to appropriate roles and teams
for your API integration.
- Click the Save button. A message should appear, confirming
the addition of your service account.
- View existing service account users by going to the Users tab and then
clicking the Service Account filter.
Web application
- Go to your Ad Manager network.
- Click the Admin tab.
- Ensure that API access is enabled.
Local Development
- Go to your Ad Manager network.
- Click the Admin tab.
- Ensure that API access is enabled.
Without a client library
If you are not using a client library, we still strongly recommend using
an OAuth2 library for authentication.
For detailed instructions on obtaining access tokens, see
Using OAuth2 with Google APIs.
Access tokens
Include your access token in a request to the API by including either an
access_token query parameter or an Authorization HTTP header Bearer value.
When possible, the HTTP header is preferable, because query strings tend to be
visible in server logs.
For example:
GET /v1/networks/1234
Host: admanager.googleapis.com
Authorization: Bearer ya29.a0Ad52N3_shYLX
GET https://admanager.googleapis.com/v1/networks/1234?access_token=1/fFAGRNJru1FTz70BzhT3Zg
Scope
Each access token is associated with one or more scopes. A scope controls the
set of resources and operations that an access token permits. The Ad Manager
API has only one scope. Authorization should be performed at the user
level within the product.
| Scope |
Permissions |
https://www.googleapis.com/auth/admanager
|
View and manage your campaigns
on Google Ad Manager. |
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-28 UTC.
[null,null,["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eGoogle Ad Manager API authentication depends on the interface and environment but always requires an access token.\u003c/p\u003e\n"],["\u003cp\u003eChoose between service account, web application, or local development authentication based on your needs.\u003c/p\u003e\n"],["\u003cp\u003eEnable the Ad Manager API in your Google API Console and create the necessary credentials for your chosen authentication type.\u003c/p\u003e\n"],["\u003cp\u003eConfigure your Ad Manager network settings and add the service account user or enable API access depending on authentication type.\u003c/p\u003e\n"],["\u003cp\u003eInclude your access token in API requests using either a query parameter or an HTTP header.\u003c/p\u003e\n"]]],["To access the Ad Manager API, you need an access token, generated using Application Default Credentials (ADC) or custom credentials. First, enable the Ad Manager API in your Google Cloud project. Then, choose an authentication type: Service Account, Web application, or Local development. Create credentials via the Google API Console, selecting the appropriate method. If not using a client library, use an OAuth2 library. Finally, include the access token in API requests, preferably in the `Authorization` HTTP header. Each access token should be associated with the `https://www.googleapis.com/auth/admanager` scope.\n"],null,["# Authentication\n\nThis document describes how to authenticate to the Ad Manager API. How you\nauthenticate depends on the interface you use and the environment where your\ncode is running, but all API requests must include an access token with the\nAd Manager API [scope](#scope).\n\nThe Ad Manager client libraries use [Application Default Credentials](//cloud.google.com/docs/authentication/application-default-credentials)\nto generate access tokens with the Ad Manager API scope. This guide shows\nhow to configure Application Default Credentials.\n\nIf you aren't using a client library, you still need to create credentials\nand use them to authorize your requests.\n\nFor more information about authentication and authorization, see the\n[Using OAuth 2.0](/identity/protocols/oauth2) guide.\n\nDetermine your authentication type\n----------------------------------\n\n| Authentication type | Description |\n|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| Service Account | Choose this if you want to authenticate as dedicated account rather than a particular person. [Learn more](//cloud.google.com/iam/docs/service-account-overview). |\n| Web application | Choose this if you want to authenticate as any user who grants permission to your application to access their Ad Manager data. [Learn more](/identity/oauth2/web/guides/overview) |\n| Local development | Choose this if you want to authenticate as your own Google Account or a Service Account from your local development environment. |\n\nEnable the Ad Manager API\n-------------------------\n\n1. Enable the [Ad Manager API](https://console.cloud.google.com/apis/library/admanager.googleapis.com) in your\n Google API Console Cloud Project.\n\n2. If prompted, select a project, or create a new one.\n\nCreate credentials\n------------------\n\nClick the tab for your authentication type and follow the instructions to\ncreate your credentials: \n\n### Service Account\n\n### On Google Cloud\n\nTo authenticate a workload running on Google Cloud, you use the credentials of\nthe service account attached to the compute resource where your code is\nrunning.\n\nFor example, you can attach a service account to a Compute Engine virtual\nmachine (VM) instance, a Cloud Run service, or a Dataflow job. This approach\nis the preferred authentication method for code running on a Google Cloud\ncompute resource.\n\nFor information about which resources you can attach a service account to,\nand help with attaching the service account to the resource, see the\n[documentation on attaching a service account](//cloud.google.com/iam/docs/attach-service-accounts).\n\n### On-premises or on a different cloud provider\n\nThe preferred method to set up authentication from outside of Google Cloud is\nto use [workload identity federation](//cloud.google.com/iam/docs/workload-identity-federation); you create a\ncredential configuration file and set the `GOOGLE_APPLICATION_CREDENTIALS`\nenvironment variable to point to it. This approach is more secure than\ncreating a service account key.\n\nIf you are not able to configure workload identity federation, then you must\ncreate a service account and create a key for the service account:\n\n1. Open the [Google API Console Credentials page](https://console.cloud.google.com/apis/credentials).\n\n2. On the Credentials page, select **Create credentials** , then\n select **Service Account**.\n\n3. Click the email address of the service account that you want to create\n a key for.\n\n4. Click the **Keys** tab.\n\n5. Click the **Add key** drop-down menu, then select **Create new key**.\n\n6. Select **JSON** as the **Key type** and click **Create**.\n\n7. Set the environment variable `GOOGLE_APPLICATION_CREDENTIALS` to the path\n of the JSON file.\n\n#### Linux or macOS\n\n export GOOGLE_APPLICATION_CREDENTIALS=\u003cvar label=\"key file\" translate=\"no\"\u003eKEY_FILE_PATH\u003c/var\u003e\n\n#### Windows\n\n set GOOGLE_APPLICATION_CREDENTIALS=\u003cvar label=\"key file\" translate=\"no\"\u003eKEY_FILE_PATH\u003c/var\u003e\n\n### Web application\n\n1. Open the [Google API Console Credentials page](https://console.cloud.google.com/apis/credentials).\n\n2. If prompted, select the project where you enabled the Ad Manager API.\n\n3. On the Credentials page, select **Create credentials** , then\n select **OAuth client ID**.\n\n4. Select the **Web application** application type.\n\n5. Fill in the form and click **Create** . Applications that use languages and\n frameworks like PHP, Java, Python, Ruby, and .NET must specify authorized\n **redirect URIs** . The redirect URIs are the endpoints to which the OAuth 2.0\n server can send responses. These endpoints must adhere to [Google's\n validation rules](/identity/protocols/oauth2/web-server#uri-validation).\n\n6. After creating your credentials, download the **client_secret.json** file. Securely store the file in a location that only your application can access.\n\nFrom here, follow the steps to [obtain OAuth 2.0 access tokens](/identity/protocols/oauth2/web-server#obtainingaccesstokens)\n\n### Local development\n\nSet up Application Default Credentials (ADC) in your local environment.\n\nInstall the Google Cloud CLI, then initialize it by running the following\ncommand: \n\n gcloud init\n\nCreate local authentication credentials for your Google Account and set\nthe project ID to a project where the Ad Manager API is enabled: \n\n gcloud auth application-default login --scopes=\"https://www.googleapis.com/auth/admanager\"\n gcloud auth application-default set-quota-project \u003cvar label=\"project id\" translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\nAlternatively, authenticate as a Service Account setting the environment\nvariable `GOOGLE_APPLICATION_CREDENTIALS` to the path of your key file.\n\n#### Linux or macOS\n\n export GOOGLE_APPLICATION_CREDENTIALS=\u003cvar label=\"key file\" translate=\"no\"\u003eKEY_FILE_PATH\u003c/var\u003e\n\n#### Windows\n\n set GOOGLE_APPLICATION_CREDENTIALS=\u003cvar label=\"key file\" translate=\"no\"\u003eKEY_FILE_PATH\u003c/var\u003e\n\nConfigure your Ad Manager network\n---------------------------------\n\n**Tip:** If you are a third-party developer, ask your client to complete this step for you. Send them to [Add a service account user for API access](//support.google.com/admanager/answer/6078734) and provide the email address of your service account. \n\n### Service Account\n\n1. Go to your [Ad Manager network](//admanager.google.com).\n2. Click the **Admin** tab.\n3. Ensure that **API access** is enabled.\n4. Click the **Add a service account user** button.\n5. Fill in the form using the service account email. The service account user must be added to appropriate roles and teams for your API integration.\n6. Click the **Save** button. A message should appear, confirming the addition of your service account.\n7. View existing service account users by going to the Users tab and then clicking the **Service Account** filter.\n\n### Web application\n\n1. Go to your [Ad Manager network](//admanager.google.com).\n2. Click the **Admin** tab.\n3. Ensure that **API access** is enabled.\n\n### Local Development\n\n1. Go to your [Ad Manager network](//admanager.google.com).\n2. Click the **Admin** tab.\n3. Ensure that **API access** is enabled.\n\nWithout a client library\n------------------------\n\nIf you are not using a client library, we still strongly recommend using\nan OAuth2 library for authentication.\n\nFor detailed instructions on obtaining access tokens, see\n[Using OAuth2 with Google APIs](/identity/protocols/oauth2).\n\n### Access tokens\n\nInclude your access token in a request to the API by including either an\n`access_token` query parameter or an `Authorization` HTTP header `Bearer` value.\nWhen possible, the HTTP header is preferable, because query strings tend to be\nvisible in server logs.\n\nFor example: \n\n GET /v1/networks/1234\n Host: admanager.googleapis.com\n Authorization: Bearer ya29.a0Ad52N3_shYLX\n\n GET https://admanager.googleapis.com/v1/networks/1234?access_token=1/fFAGRNJru1FTz70BzhT3Zg\n\n### Scope\n\nEach access token is associated with one or more scopes. A scope controls the\nset of resources and operations that an access token permits. The Ad Manager\nAPI has only one scope. Authorization should be performed at the user\nlevel within the product.\n\n| Scope | Permissions |\n|---------------------------------------------|------------------------------------------------------|\n| `https://www.googleapis.com/auth/admanager` | View and manage your campaigns on Google Ad Manager. |"]]
