Sasireka Balasubramaniyam

Google OAuth 2.0 vs Service account: Which one should you use?

Authentication plays a crucial role in fetching real data from Google platforms like Gmail, Google Ads, Google Analytics, etc. Before you can fetch data via the API, you need to authenticate, and there are two methods you can use. Both methods do the same job in authentication.

In this guide, we’ll look at the two methods and how to generate an access token using each of them.

Two methods

  1. OAuth client 2.0

  2. Service account

| Feature | OAuth client 2.0 | Service account |
| --- | --- | --- |
| Acts as | On behalf of a user | The application itself |
| Requires user login? | Yes ✔ | No ❌ |
| Best for | User-facing apps | Server-to-server or automation apps |
| Credentials | Client ID and client secret needed | JSON key file |
| Token type | Access token and refresh token | Only access token |
| Token expiry | Expires after every hour | Doesn’t expire until revoked |

Prerequisites

  • Google Cloud console account with the email ID https://cloud.google.com/
  • Appropriate Google product login. For example, if you are going to access Google Analytics data, then you should properly connect your site with a GA4 account.

Method 1: Generate client ID and secret using OAuth client 2.0

You can use this method when your app acts on behalf of a user. For example, a user clicks ‘Connect Gmail’ and your app gets permission to read and write. These permissions are based on the scopes you used while authenticating.

How it works

  1. User clicks a button ‘Connect Google Analytics’

  2. Google shows a consent screen page

  3. User clicks ‘Continue’ to give permissions, and it gives an authorization code

  4. Exchange the authorization code within a minute to generate an access token and a refresh token

  5. Using the access token, the server calls the API to get data on behalf of the user.

How to generate client ID and secret

  1. Open your Google Cloud console project or create a new project. If you are unsure how, refer to this blog: https://agentzee.ai/blogs/how-to-access-google-analytics-dashboard-data-via-api-with-an-access-token.

  2. Search for “Google OAuth Platform,” select it, and click “Clients.”

  3. If you created a new project, you are taken to the project configuration page. Fill in all the details carefully. If you chose an existing project, create a new client directly.

  4. After creating a client, it shows the JSON file to download. Download it and save it somewhere.

Generate an access token

Let’s see it in Python code. This uses Google’s authentication, so it shows a consent screen and then gives an authorization code. Here, let's see how to generate an access token for Google Analytics.

Step 1: Generate an authorization code

For this, you need the Python libraries google-auth, google-auth-oauthlib, and google-auth-httplib2.

```python
from google_auth_oauthlib.flow import Flow


def get_auth_url():
    # Load the client ID and client secret from the downloaded JSON file
    flow = Flow.from_client_secrets_file(
        "Google_Analytics_Cred.json",
        scopes=["https://www.googleapis.com/auth/analytics.readonly"],
        redirect_uri="YOUR_REDIRECT_URI"
    )
    # access_type="offline" requests a refresh token; prompt="consent" shows the consent screen.
    # The second return value (discarded here) is the state parameter sent with the request.
    auth_url, _ = flow.authorization_url(prompt="consent", access_type="offline")
    return auth_url
```

Here, replace YOUR_REDIRECT_URI with your redirect URI and set the first argument to the path of your downloaded JSON file. If the JSON file is in another folder, use the full file path. Running the function gives you a URL; open it in a browser and select an account associated with Google Analytics. The browser is then redirected to the URL you specified in the client, and you can find the code in the browser URL.

Step 2: Exchange the authorization code for an access token

Here, set auth_code to the authorization code you got in Step 1.

```python
from google_auth_oauthlib.flow import Flow

# Authorization code taken from the redirect URL in Step 1 (placeholder value)
auth_code = "YOUR_AUTHORIZATION_CODE"

flow = Flow.from_client_secrets_file(
    "Google_Analytics_Cred.json",
    scopes=["https://www.googleapis.com/auth/analytics.readonly"],
    redirect_uri="YOUR_REDIRECT_URI"
)
# Exchange the authorization code for an access token and a refresh token
flow.fetch_token(code=auth_code)
creds = flow.credentials
print(creds.token)          # access token
print(creds.refresh_token)  # refresh token
```

From this, you can get your access token.
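
Between Step 1 and Step 2 the authorization code arrives in the redirect URL. The check below is an added example, not code from the original post: it validates that URL before the code is exchanged, assuming expected_state is the state value that flow.authorization_url returns as its second element. The function name extract_auth_code and the sample values are constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit, parse_qs


def extract_auth_code(redirect_url: str, expected_state: str,
                      expected_redirect_uri: str) -> str:
    """Return the authorization code from the URL Google redirected to.

    Raises ValueError when the redirect does not belong to this login attempt.
    """
    got = urlsplit(redirect_url)
    want = urlsplit(expected_redirect_uri)
    # The redirect must land on the exact URI registered for the client.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect arrived at an unexpected URI")

    params = parse_qs(got.query)
    # A declined consent screen comes back as ?error=access_denied.
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])

    # state ties the response to the request that started it;
    # compare in constant time and reject a missing value.
    state = params.get("state", [""])[0]
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")

    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


# Constructed sample values, not real credentials.
REDIRECT_URI = "https://app.example.com/oauth/callback"
STATE = "constructed-state-7f3a"
SAMPLE = f"{REDIRECT_URI}?state={STATE}&code=4%2F0Axample-code"
DENIED = f"{REDIRECT_URI}?state={STATE}&error=access_denied"

if __name__ == "__main__":
    print(extract_auth_code(SAMPLE, STATE, REDIRECT_URI))
```

The returned value is what Step 2 passes to flow.fetch_token(code=...).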

Method 2: Access token via Service account

You can use a service account when your app doesn’t need user interaction. It is a server-to-server flow with no user involvement. It represents an application, not a user.

How it works

  1. Open Google Cloud project (You can use the same project you created for OAuth 2.0)

  2. Create a service account and download the JSON key file.

  3. Google verifies the signature using your public key in the JSON file and returns an access token.

  4. Call Google APIs directly

Generate JSON key file

Here, we use Python code to generate an access token with the JSON key file.

  1. Open Google Cloud Console. Open an existing project or create a new one.

  2. Search for “IAM & Admin” and select “Service Account” from the side menu.

  3. Click the “Create new Service account” button

  4. Fill in all the necessary fields to create your service account. Then click the created account.

  5. Click Keys → Add key → Create new key → Choose the JSON type for easy access → Click Create.

After this, your private key file is downloaded directly to your system. It never expires until you manually delete it.

Generating an access token

Store your downloaded private JSON key file in your code folder. Here’s the Python code:

```python
import google.auth.transport.requests
from google.oauth2 import service_account

# Path to your service account JSON key file
SERVICE_ACCOUNT_FILE = "service-account-key.json"

# Define the scopes your app needs
SCOPES = ["https://www.googleapis.com/auth/analytics.readonly"]

# Load credentials from the key file
credentials = service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_FILE,
    scopes=SCOPES
)

# Request the access token
request = google.auth.transport.requests.Request()
credentials.refresh(request)

# ✅ Your access token
print("Access Token:", credentials.token)
print("Expires At:", credentials.expiry)
```

Replace the credential file path with your own. This code gives you an access token. Using that access token, you can pull data directly from the Google Analytics dashboard, and it never expires.
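
Both methods leave a downloaded JSON secret on disk: the OAuth client secrets file in Method 1 and the service account key in Method 2. As an added example, not code from the original post, this check identifies which kind of file it is given, confirms that the fields the loaders above rely on are present, and reports whether other local users can read the file. It assumes POSIX file permissions; the function names and the sample key are constructed for illustration.

```python
import json
import os
import stat
import tempfile


def inspect_credential_file(path: str) -> dict:
    """Classify a downloaded Google credential JSON and flag loose permissions."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, dict):
        raise ValueError("credential file must contain a JSON object")

    if data.get("type") == "service_account":
        kind, section = "service_account", data
        required = ("client_email", "private_key", "private_key_id", "token_uri")
    elif "web" in data or "installed" in data:
        # OAuth client secrets files nest their fields under "web" or "installed".
        kind, section = "oauth_client", data.get("web") or data.get("installed")
        required = ("client_id", "client_secret", "token_uri")
    else:
        raise ValueError("not a service account key or OAuth client secrets file")

    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "kind": kind,
        "missing": [k for k in required if not section.get(k)],
        # Any group/other permission bit lets other local users read the secret.
        "too_permissive": bool(mode & 0o077),
    }


def write_sample_key(mode: int) -> str:
    """Write a constructed service account key (placeholder values) for the demo."""
    sample = {
        "type": "service_account",
        "client_email": "demo@example-project.iam.gserviceaccount.com",
        "private_key_id": "constructed-key-id",
        "private_key": "constructed-placeholder-not-a-key",
        "token_uri": "https://oauth2.googleapis.com/token",
    }
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, mode)
    return path
```

Run inspect_credential_file against service-account-key.json or Google_Analytics_Cred.json before loading it; a result with too_permissive set is cleared by chmod 600 on the file.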

Both methods look similar, but you should understand where to use which method. It makes your way clear. Both access tokens work to fetch data. If you have any doubts or suggestions, post them in the comment section.