Thanks for the replies guys. But won't the approaches you outline increase the time needed to steal my token from seconds to minutes at most? Unless I'm Netflix or Microsoft and I tightly control the factory where my unique secret is burned into my smart TV or Xbox, there is no such thing as a secret on a client device. (And actually, neither of those companies consider that approach safe, and are in a constant arms race.)
Best, Drew Loika On Thursday, December 29, 2016 at 7:41:03 AM UTC-8, Anash P. Oommen (AdWords API Team) wrote: > > Hi Drew, > > Pretty much what Zweitze mentioned. Another thought that comes to mind is > to reset the developer token on a regular basis and then have your desktop > application download a binary module (e.g. dll) from a licensed server. > You'd probably want to shield against an HTTPs proxy like Fiddler too. Some > discussion on this topic is here > <http://stackoverflow.com/questions/20914305/best-practices-for-using-servercertificatevalidationcallback> > . > > I would also recommend reaching out to the compliance team using this > form: https://services.google.com/fb/forms/apicontact/. In addition to > checking whether your technical approach is compliant with AdWords API > T&Cs, you can also flag users who might be misusing your application to > capture the devtokens. > > Cheers, > Anash P. Oommen, > AdWords API Advisor. > > On Wednesday, December 28, 2016 at 4:56:57 PM UTC-5, Drew Loika wrote: >> >> Thanks for the help Vishal. My question is regarding how Google expects >> my desktop product used by my customers to issue API requests while >> maintaining the secrecy of my developer token. Obviously this isn't >> possible as described, so does Google expect me to embed the token in the >> application and not maintain the secrecy of my developer token? Or are >> desktop applications just not supported for the AdWords API? Or...? >> >> >> On Wednesday, December 28, 2016 at 1:44:17 PM UTC-8, Vishal Vinayak >> (Adwords API Team) wrote: >>> >>> Hi Drew, >>> >>> To access an AdWords account's data via the API, you need two things: a >>> developer >>> token >>> <https://developers.google.com/adwords/api/docs/guides/first-api-call#request_a_developer_token> >>> (associated >>> with a manager account) and valid OAuth credentials >>> <https://developers.google.com/adwords/api/docs/guides/first-api-call#set_up_oauth2_authentication> >>> (associated >>> with the target AdWords account or the manager account of the target >>> AdWords account). >>> >>> Access levels related to a developer token define the limits on your >>> account (such as test vs production accounts and the number of operations >>> that you can perform with your token). You are required to set your >>> developer token in the SOAP header of your request, when trying to make an >>> API call. OAuth credentials, however, can be used to control data access to >>> a user on a particular account. The access token generated using the OAuth >>> credentials should be set in the HTTP header of your request, when making >>> an API call. This implementation is a part of all of our client >>> libraries >>> <https://developers.google.com/adwords/api/docs/clientlibraries>, which >>> can be used to make API calls without having to go through the hassle of >>> constructing the SOAP request manually (client libraries can be used to >>> develop both Web and Desktop based applications). >>> >>> Hope this helps. If you have additional questions, please feel free to >>> revert. >>> >>> Regards, >>> Vishal, AdWords API Team >>> >> -- -- =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~ Also find us on our blog and Google+: https://googleadsdeveloper.blogspot.com/ https://plus.google.com/+GoogleAdsDevelopers/posts =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~ You received this message because you are subscribed to the Google Groups "AdWords API Forum" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/adwords-api?hl=en --- You received this message because you are subscribed to the Google Groups "AdWords API Forum" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. Visit this group at https://groups.google.com/group/adwords-api. To view this discussion on the web visit https://groups.google.com/d/msgid/adwords-api/fcd0635d-4bb1-49b8-99ad-4f4f5927867d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
