Authentication Guide

OAuth 2.0 & API Authentication

Complete guide to authentication flows for accessing YDengGrand Ads Platform and Google Ads API.

Authentication Overview

Our platform uses industry-standard OAuth 2.0 for secure authentication.

Authentication Methods

YDengGrand Ads Platform supports two authentication methods:

Google OAuth 2.0

Recommended — Enterprise authentication via Google Workspace. Users authorize access to their Google Ads accounts through Google's secure OAuth flow.

✓ Single Sign-On (SSO)
✓ Multi-Factor Authentication (MFA)
✓ No password storage required

Email + Password

Traditional authentication using work email and password. Requires MFA for all accounts.

✓ Work email only (@ydenggrand.com)
✓ Mandatory MFA
✓ Session encryption

Google OAuth 2.0 Flow

Step-by-step guide to the OAuth 2.0 authorization code flow.

Flow Diagram

1. User initiates login
   User clicks "Continue with Google" button

2. Redirect to Google
   Platform redirects to Google's OAuth 2.0 authorization endpoint

3. User consent
   Google displays consent screen requesting Ads API access

4. Authorization code
   Google redirects back with temporary authorization code

5. Token exchange
   Server exchanges code for access token and refresh token

6. Access granted
   User is authenticated and can access the platform

OAuth Endpoints

Authorization Endpoint: https://accounts.google.com/o/oauth2/v2/auth
Token Endpoint: https://oauth2.googleapis.com/token
Scope Required: https://www.googleapis.com/auth/adwords

Token Lifecycle

Access Token
  Valid for: 60 minutes
  Usage: API requests to Google Ads

Refresh Token
  Valid for: Until revoked
  Usage: Obtain new access tokens

ID Token
  Valid for: 60 minutes
  Usage: User identity verification

API Access Setup

How to authenticate API requests to YDengGrand Ads Platform.

Authentication Headers

# Include Bearer token in Authorization header
curl -X GET https://api.ydenggrand.com/api/campaigns \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json"

Session Management

  • Sessions are stored in HTTP-only, Secure, SameSite cookies
  • Session duration: 30 minutes of inactivity
  • Sessions are automatically refreshed while the user is active
  • Multi-device sessions supported with audit logging

Token Refresh Flow

# When access token expires, use refresh token
curl -X POST https://api.ydenggrand.com/api/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refreshToken": "YOUR_REFRESH_TOKEN"}'

# Response:
{ "accessToken": "new_access_token", "expiresIn": 3600 }

Security Best Practices

Guidelines for secure authentication implementation.

Store tokens securely

Never store tokens in localStorage or sessionStorage. Use HTTP-only cookies.

Validate tokens server-side

Always validate tokens on the server before granting access to resources.

Use PKCE for public clients

For mobile or SPA apps, use Proof Key for Code Exchange (PKCE).

Implement token revocation

Provide a way to revoke tokens when a user logs out or changes their password.

Log authentication events

Monitor for suspicious login activity and implement rate limiting.
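
As an added example (not code from the platform), here is how the PKCE recommendation fits into steps 2, 4 and 5 of the authorization code flow, using the authorization endpoint and scope listed in this guide. The function names are hypothetical, and the client ID and redirect URI are supplied by the caller.

```python
import base64, hashlib
import hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Function names are illustrative; endpoint and scope are the ones in this guide.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
SCOPE = "https://www.googleapis.com/auth/adwords"


def pkce_challenge(verifier):
    """S256 challenge: base64url(SHA-256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_authorization(client_id, redirect_uri):
    """Step 2: return the redirect URL and the per-login values to keep until the callback."""
    pending = {
        "state": secrets.token_urlsafe(32),  # binds the callback to this login
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars, allowed range is 43-128
        "redirect_uri": redirect_uri,
    }
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": SCOPE,
        "state": pending["state"],
        "code_challenge": pkce_challenge(pending["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", pending


def handle_callback(callback_url, pending, client_id):
    """Step 4: validate the callback; return the form body for the step 5 exchange."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if "error" in query or "code" not in query:
        raise ValueError("authorization failed: " + query.get("error", ["no code"])[0])
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "client_id": client_id,
        "redirect_uri": pending["redirect_uri"],
        "code_verifier": pending["code_verifier"],
    }
```

The returned dictionary is the form body to POST to the token endpoint; the verifier never appears in the browser redirect, only its hash does.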

Troubleshooting

Common authentication issues and solutions.

Invalid Grant Error

Cause: Authorization code expired or already used.

Solution: Initiate a new OAuth flow to get a fresh code.

Access Denied

Cause: User lacks required permissions or scope.

Solution: Verify user has access to the requested Google Ads account.

Token Expired

Cause: Access token exceeded 60-minute validity.

Solution: Use refresh token to obtain a new access token.

Redirect URI Mismatch

Cause: Redirect URI doesn't match Google Cloud Console configuration.

Solution: Ensure exact URI match including protocol and path.

Need Authentication Help?

Our support team can assist with OAuth setup and API access issues.