10+ years · 3x UK Search Awards

Blog

Google API Access for PPC Agencies: Complete Setup Guide [2026]

Blog |Automation|2026-07-11|13 min

Automation · 2026-07-11 · 13 min

In short

One Google Cloud project covers Google Ads, GA4, Search Console, Tag Manager, Merchant Center, and Data Manager — you don't need a separate application per tool. The mistake I've seen most (and made myself): leaving the OAuth consent screen in Testing mode, which kills your refresh token after exactly 7 days.

1

Cloud project for every API

7 days

Before a Testing-mode token dies

6

APIs covered in this guide

$0

Cost of setting any of this up

Quick answer

A PPC agency running more than a handful of accounts needs access to six services: Google Ads API (reporting and campaign management), GA4 Data and Admin API (reporting and account configuration), Search Console API (search performance and indexing), Tag Manager API (tag auditing and editing), Merchant Center API (feed status and product issues), and the newer Data Manager API (server-side audience data). All six authenticate through the same Google Cloud project — create it once, enable the APIs you need, and generate OAuth credentials for each.

By the time I finished applying for Google Ads API Basic Access, it was clear the developer token was only one piece of a bigger picture. The same agency automating Google Ads reporting also needs GA4 data for attribution, Search Console data for the SEO side, Tag Manager for tracking audits, and Merchant Center for Shopping feed diagnostics. Each of those tools has its own API, its own scope, and its own rules — but they all sit under one roof: a Google Cloud project you set up once and then keep adding services to.

This guide covers that whole roof, starting from zero. We go through the foundation (the Cloud project and OAuth consent screen, including a mistake that once killed one of my tokens), then through each of the six APIs individually, with the scope you need and where to enable it. Google Ads API developer tokens and the brand verification pilot get their own dedicated guide, linked in the relevant section below — here I just place it in the wider context.


Why an agency needs API access

With a handful of accounts, the browser interface is plenty. Open Google Ads, check performance, open GA4, cross-check the numbers, done. The problem shows up once the account count climbs into double digits while the hours in your day stay fixed. Opening every account by hand each morning stops being sustainable, and that's the point where API access stops being a nice-to-have and becomes the only realistic way the work fits into a day.

Concretely, API access enables four things the interface doesn't give you on its own: automated reporting that generates itself without you triggering it, dashboards that pull data from multiple accounts into one place, bulk operations (changing budgets across ten accounts at once, for example), and increasingly, agentic automation where an AI agent reads data through the API and proposes or executes actions against rules you've defined in advance.

All of that requires your agency to have programmatic access to data, not just browser access. Which brings up the first, and probably most important, insight: you don't need a separate "application" per tool.

One Google Cloud project is your only "application" as far as Google is concerned. Enable Google Ads API, GA4 API, Search Console API, Tag Manager API, and the rest inside it — every additional API is just an Enable click in the same project, not a new project and not a new registration.


The foundation: Cloud project and OAuth consent screen

Before you touch any individual API, two things need to be set up once, at the project level. The first is the Google Cloud project itself — free, created in a couple of minutes through Google Cloud Console, and it acts as the container you'll enable APIs inside. The second, and far more important for long-term stability, is the OAuth consent screen.

The OAuth consent screen is what a user sees when your application (meaning you, as the developer) requests permission to access their Google data — an Ads account, a GA4 property, Search Console. Every OAuth flow goes through it, regardless of which of the six APIs in this guide you're calling. And that's exactly where a mistake hides that looks harmless until it isn't.

The key lesson

If the OAuth consent screen stays in Testing status, the refresh token you get expires after 7 days — regardless of how well everything else is configured. Any script relying on that token stops working exactly a week later, usually with no obvious error explaining why. This happened to me on a Merchant Center token: the project sat in Testing mode, everything worked flawlessly for a few days, and then the refresh simply stopped. The fix is straightforward once you know to do it deliberately: in Cloud Console, under OAuth consent screen (or Google Auth Platform → Audience), switch the publishing status from Testing to In production.

Switching to Production doesn't mean your app has to be public or reviewed by a human before it works — for internal tools using standard scopes, this is largely a self-service action with no waiting involved. Google only requires human verification for certain "sensitive" or "restricted" scopes (broad Gmail access, for instance), and for what an agency typically uses — Ads, Analytics, Search Console, Tag Manager, Merchant Center — you can set the status to In production yourself, immediately.

From my experience

The first time you set up a Cloud project, do this step immediately, before you even generate your first OAuth credential. Testing mode only makes sense while you're literally testing authentication in the first hour or two — the moment a script is expected to run for more than a week, the status needs to be Production. It's a cheap step to get right up front, and an expensive one to discover you skipped through a dead automation.


The Google Ads API is probably the first API an agency reaches for, since it lifts reporting and campaign management to a level manual work simply can't match. Access sits at the manager (MCC) account level through a developer token, and that token moves through three tiers: Explorer access (the default, up to 2,880 operations a day against production accounts), Basic Access (up to 15,000 operations a day plus the planning services), and Standard Access (no daily cap, built for high-volume tools).

Explorer level is enough to pull reports and make basic changes on your own accounts, but it comes with two constraints you feel quickly: the 2,880 daily operations cap and fully blocked planning services. Calls to the Keyword Planner portion of the API — keyword ideas, search volume estimates — return a DEVELOPER_TOKEN_NOT_APPROVED error until you're approved for Basic Access. That's the main practical reason to submit the application before the limits actually start to hurt.

Dedicated guide

The full Basic Access application process, including the newer brand verification pilot that cuts review from days or weeks down to a few hours, is covered step by step in a separate guide: Google Ads API Basic Access: Step-by-Step Guide. Here I'll just note the OAuth scope you need is https://www.googleapis.com/auth/adwords, and it all runs through the same Cloud project you set up in the previous section.


Google Analytics 4: Data and Admin API

GA4 exposes two separate APIs that do different jobs. The Data API is what you call for the actual reports — metrics and dimensions, essentially everything you see under Reports in the GA4 interface, just programmatically. The Admin API manages account structure: properties, streams, custom dimensions and metrics, user access. For a typical dashboard or nightly report, the Data API is what you're actually using; the Admin API comes into play when you're automating account setup itself, not pulling data out of it.

Both are enabled from the same place: Cloud Console → APIs & Services → Library, search "Google Analytics Data API" and "Google Analytics Admin API," then Enable on each. For pure data reads, which covers roughly 95% of agency use, the https://www.googleapis.com/auth/analytics.readonly scope is all you need. If you also plan to write — creating custom dimensions via the API, for instance — you need a broader analytics.edit or analytics.manage.users scope, depending on the operation.

The OAuth flow is the same as every other API in this guide: credentials from your Cloud project, the user (the GA4 account owner, or you, if you've been added as a user on the property) grants access, and you get a refresh token you store and reuse for future calls without prompting for login again.


Google Search Console API

The Search Console API covers three things that matter to an agency running the SEO side, or even one just tracking organic traffic as context for Ads performance: Search Analytics (queries, clicks, impressions, position — the base layer of any SEO report or dashboard), URL Inspection (indexing status for individual URLs), and Sitemaps (submitting and checking sitemap status).

The scope you need for reading is https://www.googleapis.com/auth/webmasters.readonly; for actions like submitting a sitemap, you need the broader webmasters scope without the ".readonly" suffix.

A note on granularity

Having the right OAuth scope isn't enough on its own. Search Console access is granted per property (a domain or URL-prefix), not globally for the account calling the API. If you haven't been added as a user (owner or full user) on a specific property inside Search Console itself, an API call for that site will come back empty or with an error, no matter how correctly your Cloud project is configured. For an agency with ten clients, that means ten separate access grants — one per domain.


Google Tag Manager API

The Tag Manager API earns its keep when auditing or editing tags, triggers, and variables spans multiple accounts, instead of clicking through each container's interface one at a time. A practical example: a script that runs weekly across every client's GTM container and checks whether the Conversion Linker tag is present and active, or one that adds the same trigger to several containers at once.

The API splits access into several scopes depending on what you're doing: tagmanager.readonly for reading structure, tagmanager.edit.containers for editing tags/triggers/variables in a workspace, tagmanager.edit.containerversions for creating versions, and tagmanager.publish for publishing. A readonly scope is enough for a pure audit; the moment you're editing and publishing, you need all four.

Watch the rate limits

Tag Manager API has notably more conservative rate limits (requests per minute) than, say, the Google Ads API. If you're writing a script that walks through a large number of tags or several containers at once, break it into smaller batches with pauses between calls — otherwise you'll hit 429 (too many requests) errors mid-run, usually on the exact container where you needed the change to land cleanly.


Merchant Center: Content API and Merchant API

For anyone running Shopping campaigns, the Merchant Center API solves one specific problem: feed status and product issues normally get checked manually, product by product, through an interface that wasn't built for a quick scan across tens of thousands of items. Programmatic access gives you feed status, diagnostics data, and a list of product issues (disapproved, warning, missing attributes) in a structured form you can filter, sort, and drop straight into a dashboard.

There are two versions in play: the older Content API for Shopping v2.1, still functional and used by most existing integrations, and the newer, more unified Merchant API, which Google is gradually steering new development toward. If you're starting fresh, it's worth checking the official documentation for the current status of both before committing, since the line between them keeps shifting. The scope for either is the same: https://www.googleapis.com/auth/content.

For the full Merchant Center account setup (verification, feed attributes, feed delivery methods), I have a dedicated guide I won't repeat here: Google Merchant Center for Serbia: Complete Setup Guide.


Data Manager API (server-side Customer Match)

This is the newest addition covered here, live from 2025 onward. The Data Manager API solves a problem that used to require manual work: sending audience and conversion data (Customer Match lists, for example) directly from a server, without manually exporting a CSV and uploading it through the Google Ads interface. For an agency running a CRM integration into Google Ads, that means a new or updated customer list can sync automatically instead of someone uploading a file once a month.

The scope you need is https://www.googleapis.com/auth/datamanager. If you're already running offline conversion import for B2B clients, this is a natural next step — server-side audience data follows a similar pattern to server-side conversion data, just carrying a different kind of signal.


Overview: which API for what

The seven rows below are a reference to come back to whenever you're setting up a new Cloud project or adding an API to an existing one.

APIWhat it's forBase scopeWhere to enable it
Google Ads APIReporting, campaign management, bulk changes.../auth/adwordsAPI Center (MCC) + Cloud Console
GA4 Data APIReports, metrics, dimensions programmatically.../auth/analytics.readonlyCloud Console → API Library
GA4 Admin APIAccounts, properties, custom dimensions.../auth/analytics.editCloud Console → API Library
Search Console APISearch Analytics, URL Inspection, sitemaps.../auth/webmasters.readonlyCloud Console → API Library
Tag Manager APIAuditing and editing tags/triggers, publishingtagmanager.readonly / edit.containers / publishCloud Console → API Library
Merchant Center (Content/Merchant API)Feed status, diagnostics, product issues.../auth/contentCloud Console → API Library
Data Manager APIServer-side audience/conversion data.../auth/datamanagerCloud Console → API Library

Checklist: setup from zero

If you're starting from a completely clean slate, the order of operations looks like this. The same sequence applies no matter which of the six APIs is your priority.

1
Create a Google Cloud project — free, through Cloud Console, a couple of minutes. This is the single container for every API in this guide.
2
Set up the OAuth consent screen and switch it to Production immediately — don't leave the status on Testing, since the refresh token expires after 7 days. This is the step that gets skipped most often, and it's the most expensive one to skip.
3
Enable the APIs you need — Cloud Console → APIs & Services → Library, search by name, Enable each one individually.
4
Generate OAuth2 credentials — client ID and client secret (or a service account, depending on the flow you use), through the Credentials section of the same project.
5
Run the first OAuth flow and store the refresh token securely — the user (you, or the account owner) grants access once, and you store the refresh token somewhere safe (an env variable, a secret manager), not in code that gets pushed to Git.
6
For the Google Ads API — apply for a developer token — this is the only step with a review wait; the other five APIs work immediately once enabled and authenticated.

Frequently asked questions

Do I need a separate Cloud project for each API?
No. One Google Cloud project covers every API described in this guide. You enable them individually through the API Library inside that same project, while the OAuth consent screen and credentials stay shared. Separate projects only make sense if you want hard access separation by client or team, not because any single API requires it.
What happens if I forget to switch the OAuth consent screen to Production?
The refresh token you generate while the status is Testing stops working after 7 days, regardless of how correctly the underlying API call is set up. Any automation relying on it simply stops running exactly a week later. The fix is to switch the status to In production before a script is meant to run long-term, not after.
Does API access cost anything?
No, creating a Cloud project, enabling APIs, and generating OAuth credentials are all free. The Google Ads API developer token is also free to apply for and use. Cost only shows up if you exceed the free quotas on individual APIs through very high call volume, which is rare for a typical agency managing a dozen accounts.
Which API should I set up first?
If you manage Google Ads accounts, start with the Google Ads API since it delivers the fastest, most measurable payoff — automated reporting and alerts. The GA4 Data API is a natural next step since it's almost always used alongside Ads data for attribution and reporting.
What's the difference between Content API for Shopping and the new Merchant API?
Content API for Shopping v2.1 is the older, still-functional API that most existing Merchant Center integrations use. Merchant API is the newer, more unified successor Google is steering new development toward. For new integrations, it's worth checking the current status of both in the official documentation before committing, since the line between them keeps shifting.
Do I need a developer to build any of this?
A basic understanding helps, but you don't need to be a developer in the traditional sense. Google publishes official client libraries in multiple languages for nearly every API in this guide, and AI coding assistants can now write and maintain most of the reporting and automation scripts an agency needs, given a clear description of what should happen.
Does one refresh token cover multiple client accounts?
It depends on the API. For the Google Ads API, a developer token at the MCC level automatically covers every client account linked underneath it, with a single token. For GA4, Search Console, and Merchant Center, access is granted per account or property, so you need to be added as a user for each new client property or account, even if your OAuth credentials stay the same.

Need a complete API setup for your agency?

I set up the Cloud project, OAuth access, and API integrations (Ads, GA4, Search Console, Tag Manager, Merchant Center) plus nightly automation for agencies and teams managing multiple accounts.

Schedule a free consultation
Last updated: July 11, 2026

Free video audit

Get a Personalised Video Audit of Your Google Ads Account

I'll record a 15-minute walkthrough of your campaigns showing exactly where you're losing money and what to fix first.

Book a free consultation

Free personalised video audit

Want a video walkthrough of your Google Ads account?

I'll personally record a 15-minute video walking through your campaigns, showing you where you're losing money and giving you 3 specific things to fix immediately. No sales pitch — just value.

What you get:

  • 15-min personalised video analysis
  • 3 specific quick wins to implement
  • Budget & bidding recommendations

Requirements:

  • Ad spend: €1,500+/month (or £1,500+)
  • Active account for 3+ months
  • eCommerce or Lead Gen business

Limited to 5 audits per month. Response within 48 hours.