https://www.googleapis.com/auth/adwords
After login, I store in my database:
access_token
refresh_token
customer_id (from listAccessibleCustomers)
The user that logs in has admin role in the MCC.
3. API Requests (REST v21)
All requests are made with headers:
json
Copy
Edit
{
"Authorization": "Bearer <user_access_token>",
"developer-token": "<mcc_dev_token>",
"login-customer-id": "<MCC ID or client account ID>",
"Content-Type": "application/json"
}
Example endpoint:
bash
Copy
Edit
POST
https://googleads.googleapis.com/v21/customers/{client_customer_id}/campaignBudgets:mutate
4. Current Flow
Refresh token → Works fine, I get valid access tokens.
Create budget → Works fine, I get a valid budgetResourceName.
Create campaign (Performance Max) → Always fails.
Payload example:
json
Copy
Edit
{
"operations": [{
"create": {
"name": "my-test-campaign",
"status": "PAUSED",
"advertisingChannelType": "PERFORMANCE_MAX",
"campaignBudget": "customers/{customerId}/campaignBudgets/123",
"maximizeConversions": {},
"startDate": "2025-08-22",
"endDate": "2025-12-31",
"containsEuPoliticalAdvertising":
"DOES_NOT_CONTAIN_EU_POLITICAL_ADVERTISING"
}
}]
}
5. Errors
Case A: login-customer-id = MCC ID
vbnet
Copy
Edit
403 PERMISSION_DENIED
User doesn't have permission to access customer.
Note: If you're accessing a client customer, the manager's customer id must
be set in the 'login-customer-id' header.
Case B: login-customer-id = Client Account ID
bash
Copy
Edit
403 PERMISSION_DENIED
errorCode: USER_PERMISSION_DENIED
The caller does not have permission
In both cases, I cannot create the campaign.
6. My Question
My developer token is linked to the MCC.
The OAuth’d user has admin access in the MCC.
I tried both with login-customer-id = MCC ID and client account ID.
Budgets can be created, but campaigns always fail.
What is the correct setup so I can successfully create a Performance Max
campaign in a client account under my MCC in sandbox/test mode?
Do I need to grant the OAuth user explicit admin access inside each client
account individually (not only in the MCC)?
Or is there another required step for test campaigns with red-label
accounts + test developer tokens?
--
--
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Also find us on our blog:
https://googleadsdeveloper.blogspot.com/
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
You received this message because you are subscribed to the Google
Groups "AdWords API and Google Ads API Forum" group.
To post to this group, send email to adwords-api@googlegroups.com
To unsubscribe from this group, send email to
adwords-api+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/adwords-api?hl=en
---
You received this message because you are subscribed to the Google Groups
"Google Ads API and AdWords API Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to adwords-api+unsubscr...@googlegroups.com.
To view this discussion visit
https://groups.google.com/d/msgid/adwords-api/a416e3ed-5f77-4253-8938-4ea333065168n%40googlegroups.com.
