I'm trying to make any request to Google AdWords API, which would return non-error.

An error has occurred: [AuthorizationError.SERVICE_ACCESS_DENIED @ ]

I've production MCC account with developer token, additionally I've created testing MCC account and OAuth2 app in google developer console from testing account.

Addionally I've tested with different accounts (production MCC, testing MCC, user with adwords enabled, user without adwords) for auth app/user from whom request have been made

Authentication

Works flawlessly for any setup/different clients. I'm getting access_token, refresh_token and expires.

Here is example of auth url, that googleads-php-lib generates

https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=XXXX&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadwords&access_type=offline

Request to API

I'm doing queries with googleads-php-lib/examples and with curl. I've tried different services as well

Here is snippet from googleads-php-lib/examples/AdWords/Auth/CreateAdWordsUserWithoutIniFile.php

$customerService = $user->GetService("CustomerService");
$customer = $customerService->get();
printf("You are logged in as customer: %s\n", $customer->customerId);

More detailed error log

[Jul 22 2015 17:58:57.000000 - ERROR] effectiveUser= service=CustomerService method=get operators={} responseTime=233 requestId=00051b757ec645820ac2a364d90c7911 operations=0 units= server=a dwords.google.com isFault=true faultMessage= [AuthorizationError.SERVICE_ACCESS_DENIED @ ]

and

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <ResponseHeader xmlns:ns2="https://adwords.google.com/api/adwords/cm/v201506" xmlns="https://adwords.google.com/api/adwords/mcm/v201506">
     <ns2:requestId>00051b848d9382a80ac219c38e02d5f3</ns2:requestId>
   <ns2:serviceName>CustomerService</ns2:serviceName>
   <ns2:methodName>get</ns2:methodName>
   <ns2:operations>0</ns2:operations>
   <ns2:responseTime>466</ns2:responseTime>
 </ResponseHeader>
 </soap:Header>
 <soap:Body>
   <soap:Fault>
     <faultcode>soap:Server</faultcode>
     <faultstring>[AuthorizationError.SERVICE_ACCESS_DENIED @ ]</faultstring>
     <detail>
       <ApiExceptionFault xmlns="https://adwords.google.com/api/adwords/mcm/v201506" xmlns:ns2="https://adwords.google.com/api/adwords/cm/v201506">
         <ns2:message>[AuthorizationError.SERVICE_ACCESS_DENIED @ ]</ns2:message>
        <ns2:ApplicationException.Type>ApiException</ns2:ApplicationException.Type>
          <ns2:errors xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:AuthorizationError">
         <ns2:fieldPath/>
         <ns2:trigger/>
         <ns2:errorString>AuthorizationError.SERVICE_ACCESS_DENIED</ns2:errorString>
         <ns2:ApiError.Type>AuthorizationError</ns2:ApiError.Type>
         <ns2:reason>SERVICE_ACCESS_DENIED</ns2:reason>
       </ns2:errors>
     </ApiExceptionFault>
   </detail>
 </soap:Fault>

Conclusion

Generally API does work, because I'm receiving different errors with deliberately bad credentials. For example

AuthenticationError.NOT_ADS_USER

or

AuthorizationError.USER_PERMISSION_DENIED

• From which account should I be logging for testing?
• From which account OAuth2 app should be created?
• Is adwords scope enough for this case? Is there more scopes for AdWords?

It feels like I'm missing some logical step, maybe google should approve it for me or do I need to swear solemnly looking to the North?

Much appreciate for any ideas.