Share your feedback about the Google Ads (AdWords) API. Take the 2021 AdWords API and Google Ads API Annual Survey.

OAuth2 and 2-step verification

Google lets you to enable 2-step verification on your account. There are three possible scenarios for enabling 2-step verification, and the Google Ads API behavior varies in each case.

Case 1: A user turns on 2-step verification on their own Google account

A user may decide on their own to turn on 2-step verification for their Google account. This affects the OAuth2 interaction as follows:

New OAuth2 authentication

During the OAuth2 authentication flow, Google prompts the user for 2-step verification before issuing a refresh token. Once issued, the refresh token can be used to issue access tokens. The API calls made using this access token will work as usual.

Existing refresh token

A refresh token that was issued before the user enabled 2-step verification remains unaffected after the user enables 2-step verification. It can be used to issue access tokens as usual. The API calls made using this access token will work as usual.

Case 2: An administrator requires all users of a Google Ads account to enable 2-step verification

Account administrators can require all users of a Google Ads account to enable 2-Step Verification in order to access the Google Ads account. This affects the OAuth2 interaction as follows:

New OAuth2 authentication

If the user enabled 2-step verification, then during the OAuth2 authentication flow, Google prompts the user for 2-step verification before issuing a refresh token. If they didn't enable 2-step verification, then they won't see the 2-step verification prompt. This experience is independent of the setting that the administrator enabled for the Google Ads account.

Once issued, the refresh token can be used to issue access tokens. However, the API calls made using this access token will fail with an AuthorizationError.TWO_STEP_VERIFICATION_NOT_ENROLLED error in the AdWords API and AuthenticationError.TWO_STEP_VERIFICATION_NOT_ENROLLED in the Google Ads API until the user enables 2-step verification in their Google account.

Existing refresh token

A refresh token that was issued before the user enabled 2-step verification remains unaffected after the user enables 2-step verification. It can be used to issue access tokens as usual. However, the API calls made using this access token will continue to fail with an AuthorizationError.TWO_STEP_VERIFICATION_NOT_ENROLLED error in the AdWords API and AuthenticationError.TWO_STEP_VERIFICATION_NOT_ENROLLED in the Google Ads API until the user enables 2-step verification in their Google account.

Case 3: Google opts in and requires all users of a Google Ads account to enable 2-step verification

In some cases, Google may opt in and require all users of a Google Ads account to enable 2-step verification. This affects the OAuth2 interaction as follows:

New OAuth2 authentication

If the user enabled 2-step verification, then during the OAuth2 authentication flow, Google prompts the user for 2-step verification before issuing a refresh token. If they didn't enable 2-step verification, then they won't see the 2-step verification prompt. This experience is independent of whether Google opted in the Google Ads account to require all its users to enable 2-factor verification.

Once issued, the refresh token can be used to issue access tokens. The API calls made using this access token will work as usual. No TWO_STEP_VERIFICATION_NOT_ENROLLED error is thrown, since the 2-step verification opt-in was initiated by Google and not by the Google Ads account administrator.

Existing refresh token

A refresh token that was issued before the user enabled 2-step verification remains unaffected after the user enables 2-step verification. It can be used to issue access tokens as usual. The API calls made using this access token will work as usual. No TWO_STEP_VERIFICATION_NOT_ENROLLED error is thrown, since the 2-step verification opt-in was initiated by Google and not by the Google Ads account administrator.