It seems that when I have a valid user's access token, I can call this api https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token=xxx to retrieve the user info, without any API key.
I want to double check are there any limitation in getting user info via this API, instead of using the official Google API client? e.g. rate limit?
An API key is used to access public information. Holiday calendars for example or public videos on youtube. Files uploaded to Google drive set public could also be accessable with an api key.
Oauth2 is used to access private user data, you can access public data with it as well like the items listed above. But to access private user data like the data contained behind the user info end point you would need an a valid access token.
There shouldnt be any limitations to using the userinfo endpoint that i am aware of I would expect that to be out side of all quota limitations.
Related
I'm creating a server side app which is able to access (Create, edit & delete files) specific folder in my google drive. I was able to achieve it with both OAuth and service account but I wanted do it without OAuth or service account like in official docs. When I tried use API Key It gives a login required error. How I fix it?
srv, err := drive.NewService(
ctx,
option.WithAPIKey(key),
option.WithScopes(drive.DriveFileScope),
)
Error:
googleapi: Error 401: Login Required, required
The first thing you need to understand is the difference between private and public data.
Public data is data that is not owned by anyone that anyone can access. Holiday calendars on Google calendar. If a user uploads a public Videos to YouTube you also don't need permission to access. We use a Public API key to access public data.
Private data is something else. Private data is data that is owned by a user. For your application to be able to access it you need the consent of the owner of the data or someone who has access to it. A users files on Google drive and their google drive account are private user data. You do need permission to access because they are private user data.
You are getting the following error message because
googleapi: Error 401: Login Required, required
If you check Files.create you will notice that it tells you that you need permission to access it.
To answer your question you can not use a public api key to access a users private google drive account. You could read a file that they had set to public using an api key. However to read, write and create files on a users private google drive account. You are not going to be able to create and edit files. For that you would need the users permission.
Oauth2
If you are trying to access the accounts of your users then you need to switch to Oauth2 and request their consent to access their drive account. Once you have a refresh token you will be able to access their account from your server system.
service account
If you are accessing an account that you the developer control. If you are not going to be accessing the accounts of your users then what you should be doing is looking into using a service account. Have a look and open a new question if you have any issues.
Should you be using a service account
security
Authorization is not there to bother you. It is there to ensure that your data and the data of your users is secure. Don't try to find ways to circumnavigate security. Learn to work with it.
like in official docs.
There is nothing in the official docs that stats that you can access private user data with a public api key. Go (isn't going to / cant) change the underling security imposed upon us by Google to access their systems. That being you need user consent to access private user data.
Is it possible to generate a Youtube API key having admin access to the Youtube account? or is this function only possible for account owners?
Anyone can create a project on Google cloud console You do not need to be an admin on anything to create an api key.
You should understand though that Api keys are used to access public data via the YouTube api. This has nothing to do with a specific YouTube account. It will just let you access the public methods like Video.Search
All methods that require authorization For example members.list show in their documentation page that they require authorization.
The only authorization method allowed for the YouTube api is Oauth2. Someone with access to the channel will need to authorize your application and grant consent that your application access their YouTube channel on their behalf.
The documentation here does not state you can do it having admin access to the YouTube account only. But instead you need access to the actual Google Account linked to the Youtube Channel in question.
If you do have a Google Workspace subscription and the owner of the channel is one of your managed accounts, then you can access the GCP console and proceed with steps in the documentation to generate the key.
Is it possible to create an event on behalf of my own application?
I tried using API Key but that doesn't work. I want all the event to be under my app's account. I don't want to make the user login. I just want to create new google Meet links.
No you must be authorized to write to a users calendar
if you check the documentation for events.insert you will notice a section called authorization
This section tells you what authorization scopes you need in order to be able to write to a users google calendar. A user must grant your application access to their data before your application will be able to write to it.
API keys are only used for accessing public data, for example the public google calendar holiday calendars you can read from them with an api key.
However to access private user data you need to be authorized.
I need to check the uploaded videos on a YouTube Channel and then upload missing videos via a CRON JOB.
I first thing I tried was the REST API and the server response with the endpoint was moved.
The problem I ran into with the PHP Google API Client is that it requires the user to authorize the token.
I now tried using the Python Code, but it also requires a authorize session. Also when creating the OAuth 2.0 client ID we are suppose to use OTHER. And there is no OTHER.
Python quickstart
Any Ideas? This has been really frustrating as there does not seem to be a lot of examples other than the ones Google provides. I also could not find a rest equivalent. I do not care if the solution is python or Rest or PHP client. I just need a user less CRON job doing the work.
What you need to consider is that there are two types of data public data and private data.
Public data is not owned by any user. Videos on YouTube for example for the most part are publicly available and do not require authorization to access. On the other had private data is data that is owned by a user.
In order to access public data you just need an api key to identify your application, however in order to access private user data you need the permission of the user who owns the account in question.
In order to upload to a users account (yes even your own) you need to be authenticated there for you will need to use Oauth2 yes even if you are using a cron job you still need to be authenticated there is no way around this. There for you will need to create Oauth2 credentials.
What i recommend you do is. Authorize your code once your your local machine store the refresh token and use the refresh token to request a new access token when ever your cron job needs access. I recomend you give that a try and if you have any issues create a new question include your code and a description of the problem you are having.
This is your only option with the YouTube API.
I am using the Goo.gl API to shorten some links.
The calls to the POST method are working good and the short URLs are working also, but I have a question regarding the short link history.
If I create a short url from the goo.gl page it will be stored there for me to see and see all the analytics associated to it, but if I generate it via the API POST using my API Key, the link will not be added to my history and I can't see any data related to it in the Goo.gl page. Is there anyway to access that information?
This is the difference between public and private.
The Url Shortener API is technically a public API. Which means that you don't need to be Authenticated in order to use it. This is why a public API key works. However when you are using a public api key the api doesn't know who you are personally.
Solution: What you need to do is to switch to Oauth2. Authenticate your application get an access token and instead of sending the API key send the access_token. Then when links are created they should be added to your account and you will get analytics for them.