[MUSIC PLAYING] MATTIA TOMASONI: Hello, and
welcome to another episode in our series on getting
started with client libraries for the Google Ads API. I'm Mattia Tomasoni, a
developer relations engineer working on the Google Ads API. And today, we will walk
through the required steps to generate the OAuth
credentials that you will need to authenticate
your Google Ads API requests. First of all, here
is a partial recap of how authentication works
with the Google Ads API. The credentials involved
in the OAuth flow are the access token, the
client ID, the client secret, and the refresh token. The access token needs
to be provided along with every authenticated
request to the Google Ads API, but access tokens
are short-lived. Our client libraries
can generate access tokens as
needed, but they need long-lived
credentials to do so. These long-lived credentials
are the client ID and the client secret, which identify
your application, and the refresh token,
which identifies a user of your application
and corresponds to a user on a
Google Ads account. Long-lived means that you
need to generate a client ID and a client secret
just once, which is what we will do in this
video, and in general, generate a refresh
token once for each end user of your application. We have a detailed video
series on authentication and authorization
if you want to dive deeper into the meaning
of these credentials, and some best practices
for managing them. Keep in mind that there are a
few slightly different OAuth flows that you can follow,
depending on the nature of your application. The one we will follow today is
the desktop application flow. And there is a different
flow for web applications. We have instructions for
the other OAuth flows as well on our dev site. I will leave you the link
to these instructions in the video description below. So here are the steps that
we will take together today to create a client ID
and a client secret. First of all, we will
create a Cloud project. Then we will enable the
Google Ads API for it. Then we will configure
the OAuth consent screen. And then finally, we will be
able to generate the client ID and the client secret, and
download them on our computer. So let's get started then. The first step we need to
take to create a client ID and a client secret is to
create a Google Cloud project. To do so, we can access
the Google Cloud Console at cloud.google.com/console. Then click on the
project's dropdown, and then on New Project. Note that you may already
have an existing Google Cloud project. If so, you can skip this
step and proceed directly to enable the Google
Ads API for it. Then in the following
form, we need to specify a name
for our application. And I'm going to use
Getting Started Ads API. Then we have to add a billing
account, an organization, and a location for our project. These depend on how you
or your organization are already using Google Cloud. So please edit them
as you need, and then click on the Create button. Once we've done that, the
actual project creation will take a few seconds. And when the
project is ready, we will be able to click
on Select Project. And the project name will be
shown in the project dropdown that we used earlier. What we want to do now is
to enable the Google Ads API for our project. To do so, we need to go
to the APIs and Services section of our
project, which we can access either from the home page
or from the menu on the left. And then click on the
Enable APIs and Services button at the top. This will take us
to the API library, where we can search for ads
to find the Google Ads API. We can click on it, and
then on the Enable button. Once we've done
that, our project is enabled to use
the Google Ads API. Please note that if you
want to use this project's OAuth credentials with
other Google APIs, such as the Content
API for Shopping, you will have to enable
each of these as well. Now, there is still
a missing piece before we can proceed to
the actual OAuth credentials creation. We need to configure the
OAuth consent screen. This is the screen
that's displayed when your application asks users
to grant access to their Google Ads account so it can
manage their campaigns through the Google Ads API. To configure the
OAuth consent screen, we need to click the
Configure Consent Screen button, which will take us
to the configuration wizard. First, we need to specify
if our application is meant to be used by internal or
external users of your Google Cloud organization. Unless you are developing an
internal tool, for most cases, you will want to set
the user type here to external to make sure
that all users can use your application
and not just the ones that belong to
your organization. In the following page, we have
to specify the application name being displayed in
the OAuth consent screen. Here, I'm using Getting
Started Ads API as the name, and providing emails for user
support and developer contact information. You can also specify values for
the other fields in this page now, or you can do it later. Note, though, that
some of these, such as the link to
the privacy policy, will be required to make
sure your application can be switched from testing
mode to production mode. I will leave you a
link on the details about the steps required to set
your application's publishing status to production in the
video description below. Once we've filled all
the required fields and clicked the Save
and Continue button, we need to configure the
OAuth scopes that we want our users to be able to access. We want our users to be able
to access Google Ads data. So we need to add the Ads
scope to our application. To do so, we are going to click
on the Add or Remove Scopes button and then search for
Ads in the filter field. This will show the
Google Ads API scope. So we can select it and
then click on Update to up the scope to our
OAuth consent screen. This will make it
so that users will be notified that they are
allowing your application to access their Google
Ads account when they are shown the OAuth consent screen. Note that Google Ads API
is a sensitive scope, which means that in most cases,
your application will need to be verified by Google
when you set the publishing status to production. There are some
exceptions to this, such as internal applications,
which can be accessed only by users in your
Google Workspace or in your Cloud
Identity organization. I will leave you a link to the
details about these exceptions in the usual place-- the video description below. So now, I can click
Save and Continue. And in the final
step of this wizard, I can add some test
users for my application if I want to try
out my authorization flow before my
application is published. I'm not doing this
now, so I can just click Save and Continue again. And my OAuth consent
screen is now configured. However, by default,
my application is in testing mode, which means
that it's still accessible only by test users, and that
its authorizations will expire after seven days. To make sure it can be
accessed by external users and that it can maintain access
longer than seven days after it was granted, I need to
publish my app to production by clicking the
Publish App button. As I mentioned, since my
application uses the Google Ads API scope, which is
a sensitive scope, it will need to
undergo verification from Google, which will
make sure my application is legitimate. To complete
verification, I will have to provide the
information displayed here in my OAuth consent screen
configuration section. However, I'm going to
save this for later. So I'll just click the
Confirm button for now. If I want to provide all the
data required for application verification later, I can
just click on the Prepare for Verification button here. Now, we are finally ready to
create the OAuth credentials that we will use
in the next videos. We can go to the
Credentials section and click the Create
Credentials button. And then select OAuth client ID. As I mentioned
earlier, we are going to use the desktop
application flow, so we select Desktop App from
the application type dropdown. And then we click Create. My OAuth client ID and client
secret have now been created. And I can note them and
store them in a safe place. Note that these are to be kept
with the same level of security that you would use for
an application password. So they should not be
shared with anyone else. You can download these
credentials in a JSON file. And they are always available
from the Credentials page of the APIs and Services
section of your Cloud project. So now that we have our client
ID and our client secret, we can move on to
the next step-- creating refresh tokens-- which
will allow your application to manage your user's campaigns
through the Google Ads API. You can learn about
that in our next video. I'll see you there. [MUSIC PLAYING]
