Well, there is another limitation I am now running into and I don't think this was considered in our conversation.
It's been awhile, so here's the recap/update: - My company used a gmail to create our accounts for google applications, like Google Ads. We've also verified ownership of our domains with this gmail. Lets call it mycomp...@gmail.com - My company has made itself dependent on the accounts created via mycomp...@gmail.com; now utilized for Google Ads, GA4, Firebase, and several other services - Because my company decided to set everything up on mycomp...@gmail.com, we are not eligible for using a Google Workspace. This is because Google Workspace requires a private email domain to sign-up. - *I need to access Google Ads programmatically for automatic daily data retrieval and custom reporting.* - Google Ads doesn't allow service accounts to be added to it, thereby requiring impersonation [of a human user] to utilize service accounts in Google Ads - Because we can't utilize Google Workspace, we are thus required to utilize OAUTH2 instead of service accounts to authorize my API calls to Google Ads Now, to set up OAUTH, we need to navigate here <https://console.cloud.google.com/apis/credentials/consent> and set up the consent screen for the "initial" authorization. After that, we can retrieve a refresh token and be on our way toward automation. Though, here's the caveat; *creating an "internal" app also requires Google Workspace.* [image: screen.png] So, this means we must create the app as "external" even though it is technically for internal use only. It's custom reporting. >From what I understand, and according to the docs <https://developers.google.com/identity/protocols/oauth2#5.-refresh-the-access-token,-if-necessary.> ; *"A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days" * I am currently dealing with this problem. The refresh token automatically expires after 7 days. I can not "publish"/"verify" the app to get would this, as that would make the app publicly available. This would be a security concern. This makes me feel as though we are back at square one. Is my only option to migrate all existing applications to a new google account, all over the email used to create the account? This would likely be very messy, and I'd hope there's a solution to avoid needing this. I was able to create a Google Workspace with an internal email, but it requires that I verify the domain to "unlock" the features I need. If I understand correctly though, verifying the domain would be a takeover, right? Thereby likely breaking applications on the mycomp...@gmail.com account. This is no good as well. What can I do here? On Sunday, October 9, 2022 at 10:09:01 PM UTC-7 adsapi wrote: > Hi Chad, > > Hope you are doing fine. This is Carmela from the Google Ads API team as > well. Thank you for getting back to us. > > With regards to your concerns, you may see the below items: > > - "*They were able to establish all of these environments and build > atop of them without being required comply with the workspace requirement > that emails are internal. They're all using myco...@gmail.com with no > 'governing body,' so to speak.*" - As for this, there is a chance that > you do,'t need to use the Google workspace and that is the Oauth flows > > <https://developers.google.com/google-ads/api/docs/oauth/cloud-project#choose_an_application_type> > instead > of service accounts unless you need a domain-specific feature (for > example, > impersonation), then Google workspace is needed. OAuth2 desktop app and > web > app flows do require an initial user interaction for granting access to > the > account, but are much simpler to set up. > - "*So now we have all of these different tools under the email > address myco...@gmail.com.* *If I want to link all of these under a > governing body, like a workspace, and utilize the benefits of a workspace > -- how can we do that without rebuilding everything over this email issue?* > *I can't add myco...@gmail.com to the newly created workspace because > its not an @**mycompany.com* <https://mycompany.com/>* email.*" - > Could you confirm if what you mean by this is you want Firebase, Google > Analytics, and Google Tag Manager account to use a workspace as well? If > yes, then kindly note that our team can't comment on this as we can only > provide the insights in the Google Ads API perspective. That said, I would > suggest reaching out to their support team instead as they are the ones > who > can confirm if these accounts can also utilize a workspace. > - "*-- Are you perhaps suggesting that I make some kind of manager > account, say goo...@mycompany.com and link myco...@gmail.com to it? That's > exactly what I tried doing with the workspace, but it would not allow > this.*" > - Since this is more related to the workspace, then I would suggest > reaching out to the Google Workspace Support team via this link > <https://workspace.google.com/support/> as they are better equipped to > provide guidance to you. There is an icon on the lower-left part of the UI > where you will redirected saying "*Hi there 👋 What brings you to > Google Workspace today?*". > > > Regards, > [image: Google Logo] > Carmela > Google Ads API Team > > > ref:_00D1U1174p._5004Q2ewsYl:ref > -- -- =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~ Also find us on our blog: https://googleadsdeveloper.blogspot.com/ =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~ You received this message because you are subscribed to the Google Groups "AdWords API and Google Ads API Forum" group. To post to this group, send email to adwords-api@googlegroups.com To unsubscribe from this group, send email to adwords-api+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/adwords-api?hl=en --- You received this message because you are subscribed to the Google Groups "Google Ads API and AdWords API Forum" group. To unsubscribe from this group and stop receiving emails from it, send an email to adwords-api+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/adwords-api/ddf40f54-8a8b-4cb6-b5a0-a0bbcd77f7b2n%40googlegroups.com.