Authentication
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
所有 Google Ad Manager API 调用都必须通过 OAuth2 授权。OAuth2 是一种开放式标准,
让用户能够向第三方应用授予权限,因此
应用可以代表用户与网络服务进行交互。OAuth2 可启用
通过您的 Ad Manager API 客户端应用访问用户的 Ad Manager 账号
而无需处理或存储用户的用户名或密码。
生成 OAuth2 凭据
如需生成 OAuth2 凭据,请执行以下步骤。
1. 确定身份验证类型
请查看下表,了解最适合的身份验证类型
Ad Manager API 应用:
选择您的 OAuth2 身份验证类型 |
服务账号 |
如果您只需访问自己的 Ad Manager 数据,请选择此选项。
了解详情。
|
Web 应用 |
如果您想以任何授予
向您的应用授予访问其 Ad Manager 数据的权限。
了解详情。
|
2. 创建 OAuth2 凭据
确定身份验证类型后,请点击相应的标签页
并按照说明生成 OAuth2 凭据:
<ph type="x-smartling-placeholder">
</ph>
<ph type="x-smartling-placeholder"></ph>
- 打开
Google API 控制台的“凭据”页面。
- 从项目下拉菜单中,选择创建新项目,然后输入名称
(可选)修改所提供的项目 ID。点击
创建。
- 在“凭据”页面上,选择创建凭据,然后
选择服务账号密钥。
- 选择新的服务账号,然后选择 JSON。
- 点击创建以下载包含私钥的文件。
。
<ph type="x-smartling-placeholder"></ph>
- 打开
Google API 控制台的“凭据”页面。
- 从项目下拉菜单中,选择创建新项目,然后输入名称
(并根据需要修改提供的项目 ID),然后点击
创建。
- 在“凭据”页面上,选择创建凭据,然后
选择 OAuth 客户端 ID。
- 系统可能会提示您在
同意屏幕页面;如果有,请点击配置同意屏幕。
提供所需信息,然后点击保存以返回
“凭据”页面。
- 选择 Web 应用作为应用类型。按照
指令以输入 JavaScript 来源和/或重定向 URI。
- 点击创建。
- 在随即显示的页面上,复制客户端 ID 和客户端密钥
复制到剪贴板,因为在配置客户端时将会用到
库。
如果您是第三方开发者,则可能需要让您的客户执行此操作
这一步。
<ph type="x-smartling-placeholder">
</ph>
<ph type="x-smartling-placeholder"></ph>
- 前往您的 Ad Manager 广告资源网。
- 点击管理标签。
- 确保已启用 API 访问权限。
- 点击添加服务账号用户按钮。
- 在表单中填写服务账号电子邮件地址。通过
必须为服务账号用户授予
实体就像该服务账号用户将访问该网站上的实体一样
界面
- 点击保存按钮。此时应显示一条消息,
以及添加服务账号
- 查看现有的服务账号用户,方法是转到“用户”标签页,然后
点击服务账号过滤条件。
。
<ph type="x-smartling-placeholder"></ph>
- 前往您的 Ad Manager 广告资源网。
- 点击管理标签。
- 确保已启用 API 访问权限。
请按照下面的相应指南在您的客户端库中使用凭据:
如果您选择不使用我们的任何客户端库,则需要使用
OAuth2 服务账号或网络
应用流程。
幕后花絮
我们的客户端库会自动处理下述细节
如果你对幕后花絮感兴趣,请继续阅读。
本部分面向已熟悉
符合 OAuth2 规范并
了解如何结合使用 OAuth2 和 Google API。
向 Ad Manager API 发送的每个请求中的 HTTP 标头都必须包含访问权限
以下形式的令牌:
Authorization: Bearer ACCESS_TOKEN
例如:
POST … HTTP/1.1
Host: …
Authorization: Bearer 1/fFAGRNJru1FTz70BzhT3Zg
Content-Type: text/xml;charset=UTF-8
Content-Length: …
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
…
</soap:Envelope>
范围
一个访问令牌可授予对多个 API 的不同级别的访问权限。答
名为 scope
的变量参数用于控制资源集和
访问令牌允许的操作。在请求访问令牌期间,您的
应用在 scope
参数中发送一个或多个值。
Ad Manager 只有一个范围(如下所示)。应执行授权
在产品内的用户级别设置
范围 |
权限 |
https://www.googleapis.com/auth/dfp |
在 Ad Manager 上查看和管理您的广告系列。 |
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-08-31。
[null,null,["最后更新时间 (UTC):2025-08-31。"],[[["\u003cp\u003eAll Google Ad Manager API calls require OAuth2 authorization for secure access to user data without storing sensitive login information.\u003c/p\u003e\n"],["\u003cp\u003eChoose between Service Account or Web Application authentication type based on your application's needs.\u003c/p\u003e\n"],["\u003cp\u003eGenerate OAuth2 credentials by following instructions for your chosen authentication type via the Google API Console.\u003c/p\u003e\n"],["\u003cp\u003eConfigure your Ad Manager network settings and client library according to provided guidelines for the specific authentication method and programming language.\u003c/p\u003e\n"],["\u003cp\u003eClient libraries handle most OAuth2 complexities but you can delve into the background details concerning HTTP headers and scopes if needed.\u003c/p\u003e\n"]]],["Google Ad Manager API access requires OAuth2 authorization. First, choose between \"Service account\" for personal data or \"Web application\" for user-authorized access. Then, create OAuth2 credentials via the Google API Console, either generating a JSON key for service accounts or a client ID and secret for web applications. Next, configure the Ad Manager network to allow API access, adding the service account email if applicable. Lastly, configure and use a client library, or implement the OAuth2 flow directly, including the access token in the HTTP header.\n"],null,["# Authentication\n\nAll Google Ad Manager API calls must be authorized through [OAuth2](http://oauth.net/2/) an open standard that\nallows users to grant permissions to third-party applications, so the\napplication can interact with web services on the user's behalf. OAuth2 enables\nyour Ad Manager API client application to access a user's Ad Manager account\nwithout having to handle or store the user's username or password.\n\nGenerate OAuth2 credentials\n---------------------------\n\nPerform the following steps to generate the OAuth2 credentials.\n\n### 1. Determine your authentication type\n\nCheck the table below to see which **authentication type** is most appropriate\nfor your Ad Manager API application:\n\n| Choose your OAuth2 authentication type ||\n|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| **Service account** | Choose this if you only need access to your own Ad Manager data. [Learn more.](/identity/protocols/OAuth2ServiceAccount) |\n| **Web application** | Choose this if you want to authenticate as any user who grants permission to your application to access their Ad Manager data. [Learn more.](/identity/protocols/OAuth2WebServer) |\n\n### 2. Create OAuth2 credentials\n\nOnce you've determined your authentication type, click the corresponding tab\nbelow and follow the instructions to generate the OAuth2 credentials:\nService Account\n\n1. Open the [Google API Console Credentials page](https://console.cloud.google.com/apis/credentials).\n2. From the project drop-down, choose **Create a new project** , enter a name for the project, and optionally, edit the provided Project ID. Click **Create**.\n3. On the Credentials page, select **Create credentials** , then select **Service account key**.\n4. Select [New service account](//console.developers.google.com/apis/credentials/serviceaccountkey), and select **JSON**.\n5. Click **Create** to download a file containing a private key.\nWeb application\n\n1. Open the [Google API Console Credentials page](https://console.cloud.google.com/apis/credentials).\n2. From the project drop-down, choose **Create a new project** , enter a name for the project (and optionally, edit the provided Project ID), and click **Create**.\n3. On the Credentials page, select **Create credentials** , then select **OAuth client ID**.\n4. You may be prompted to set a product name on the Consent Screen page; if so, click **Configure consent screen** , supply the requested information, and click **Save** to return to the Credentials page.\n5. Select **Web Application** for the **Application Type**. Follow the instructions to enter JavaScript origins, redirect URIs, or both.\n6. Click **Create**.\n7. On the page that appears, copy the **client ID** and **client secret** to your clipboard, as you will need them when you configure your client library.\n\n### 3. Configure your Ad Manager network\n\nIf you are a third-party developer, you may need to have your client do this\nstep for you.\nService Account\n\n1. Go to your [Ad Manager network](//admanager.google.com).\n2. Click the **Admin** tab.\n3. Ensure that **API access** is enabled.\n4. Click the **Add a service account user** button.\n5. Fill in the form using the service account email. The service account user must be granted with permissions to access the entities as if that service account user would access the entities on the UI.\n6. Click on the **Save** button. A message should appear, confirming the addition of your service account.\n7. View existing service account users by going to the Users tab and then clicking the **Service Account** filter.\nWeb application\n\n1. Go to your [Ad Manager network](//admanager.google.com).\n2. Click the **Admin** tab.\n3. Ensure that **API access** is enabled.\n\n### 4. Configure and use a client library\n\nFollow the appropriate guide below to use the credentials in your client library: \n\n### Java\n\n- [Service account flow](//github.com/googleads/googleads-java-lib/wiki/API-access-using-own-credentials-(server-to-server-flow)#step-2---setting-up-the-client-library)\n- [Web app flow](//github.com/googleads/googleads-java-lib/wiki/API-access-on-behalf-of-your-clients-(web-flow)#step-2---setting-up-the-client-library)\n\n### .NET\n\n- [Service account flow](//github.com/googleads/googleads-dotnet-lib/wiki/API-access-using-own-credentials-(server-to-server-flow)#step-2---setting-up-the-client-library)\n- [Web app flow](//github.com/googleads/googleads-dotnet-lib/wiki/API-access-on-behalf-of-your-clients-(web-flow)#step-2---setting-up-the-client-library)\n\n### Python\n\n- [Service account flow](//github.com/googleads/googleads-python-lib/wiki/API-access-using-own-credentials-(server-to-server-flow)#step-2---setting-up-the-client-library)\n- [Web app flow](//github.com/googleads/googleads-python-lib/wiki/API-access-on-behalf-of-your-clients-(web-flow)#step-2---setting-up-the-client-library)\n\n### PHP\n\n- [Service account flow](https://github.com/googleads/googleads-php-lib/wiki/API-access-using-own-credentials-(server-to-server-flow))\n- [Web app flow](https://github.com/googleads/googleads-php-lib/wiki/API-access-on-behalf-of-your-clients-(web-flow))\n\n### Ruby\n\n- [Service account flow](//github.com/googleads/google-api-ads-ruby/wiki/API-access-using-own-credentials-(server-to-server-flow)#step-2---setting-up-the-client-library)\n- [Web app flow](//github.com/googleads/google-api-ads-ruby/wiki/API-access-on-behalf-of-your-clients-(web-flow)#step-2---setting-up-the-client-library)\n\n\u003cbr /\u003e\n\nIf you choose not to use one of our client libraries, you'll need to implement\nthe OAuth2 [service account](/identity/protocols/OAuth2ServiceAccount) or [web\napp](/identity/protocols/OAuth2WebServer) flow yourself.\n\nBehind the scenes\n-----------------\n\nOur client libraries automatically take care of the details covered below so\nonly read on if you're interested in what's happening behind the scenes.\nThis section is intended for advanced users who are already familiar\nwith the [OAuth2 specification](http://tools.ietf.org/html/rfc6749) and\nknow how to [use OAuth2 with Google APIs](/accounts/docs/OAuth2).\n\n#### HTTP request header\n\nThe HTTP header in every request to the Ad Manager API must include an access\ntoken in this form: \n\n```actionscript-3\nAuthorization: Bearer ACCESS_TOKEN\n```\n\nFor example: \n\n```http\nPOST ... HTTP/1.1\nHost: ...\nAuthorization: Bearer 1/fFAGRNJru1FTz70BzhT3Zg\nContent-Type: text/xml;charset=UTF-8\nContent-Length: ...\n\n\u003c?xml version=\"1.0\"?\u003e\n\u003csoap:Envelope xmlns:soap=\"http://www.w3.org/2001/12/soap-envelope\"\u003e\n…\n\u003c/soap:Envelope\u003e\n```\n\n#### Scope\n\nA single access token can grant varying degrees of access to multiple APIs. A\nvariable parameter called `scope` controls the set of resources and\noperations that an access token permits. During the access token request, your\napplication sends one or more values in the `scope` parameter.\n\nAd Manager has only one scope, shown below. Authorization should be performed\nat the user level within the product.\n\n| Scope | Permissions |\n|---------------------------------------|-----------------------------------------------|\n| `https://www.googleapis.com/auth/dfp` | View and manage your campaigns on Ad Manager. |"]]