google-analytics-api

ACCESS_TOKEN_SCOPE_INSUFFICIENT error with Google Analytics Data GA4 runReport request


We are receiving an error ACCESS_TOKEN_SCOPE_INSUFFICIENT when trying to run the runReport method with the Google Analytics Data GA4 API. As you can see in the debugging dump, have all necessary scopes in the authorization to make the request:

Request:

curl -X POST -H "User-Agent: python-requests/2.27.1" -H "Accept-Encoding: gzip, deflate" -H "Accept: */*" -H "Connection: keep-alive" -H "Content-Length: 399" -H "Content-Type: application/json" -d '{"dateRanges": [{"startDate": "2022-04-25", "endDate": "2022-04-25"}], "dimensions": [{"name": "date"}, {"name": "eventName"}, {"name": "sessionDefaultChannelGrouping"}, {"name": "sessionSource"}, {"name": "source"}], "metrics": [{"name": "eventCount"}, {"name": "eventValue"}, {"name": "newUsers"}, {"name": "sessions"}], "metricFilter": null, "dimensionFilter": null, "limit": 100000, "offset": 0}' 'https://analyticsdata.googleapis.com/v1beta/properties/264786259:runReport?access_token=REMOVED'

Response

{
    "error": {
        "code": 403,
        "message": "Request had insufficient authentication scopes.",
        "status": "PERMISSION_DENIED",
        "details": [
            {
                "@type": "type.googleapis.com/google.rpc.ErrorInfo",
                "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
                "domain": "googleapis.com",
                "metadata": {
                    "service": "analyticsdata.googleapis.com",
                    "method": "google.analytics.data.v1beta.BetaAnalyticsData.RunReport"
                }
            }
        ]
    }
}

further debugging dump

% curl -X POST -H 'Accept: */*' -H 'Connection: keep-alive' -H 'Content-Length: 399' -H 'Content-Type: application/json' -H 'User-Agent: python-requests/2.27.1' -d '{"dateRanges": [{"startDate": "2022-04-13", "endDate": "2022-04-13"}], "dimensions": [{"name": "date"}, {"name": "eventName"}, {"name": "sessionDefaultChannelGrouping"}, {"name": "sessionSource"}, {"name": "source"}], "metrics": [{"name": "eventCount"}, {"name": "eventValue"}, {"name": "newUsers"}, {"name": "sessions"}], "metricFilter": null, "dimensionFilter": null, "limit": 100000, "offset": 0}' 'https://analyticsdata.googleapis.com/v1beta/properties/264786259:runReport?access_token=<REMOVED>' -vv
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 2a00:1450:400d:805::200a...
* TCP_NODELAY set
* Connected to analyticsdata.googleapis.com (2a00:1450:400d:805::200a) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=upload.video.google.com
*  start date: Mar 28 02:05:27 2022 GMT
*  expire date: Jun 20 02:05:26 2022 GMT
*  subjectAltName: host "analyticsdata.googleapis.com" matched cert's "*.googleapis.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f8cda80f400)
> POST /v1beta/properties/264786259:runReport?access_token=<REMOVED> HTTP/2
> Host: analyticsdata.googleapis.com
> Accept: */*
> Connection: keep-alive
> Content-Length: 399
> Content-Type: application/json
> User-Agent: python-requests/2.27.1
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* We are completely uploaded and fine
< HTTP/2 403
< www-authenticate: Bearer realm="https://accounts.google.com/", error="insufficient_scope", scope="https://www.googleapis.com/auth/analytics.readonly https://www.googleapis.com/auth/analytics https://www.google.com/analytics/feeds https://www.google.com/analytics/feeds/data https://www.google.com/analytics/feeds/"
< vary: X-Origin
< vary: Referer
< vary: Origin,Accept-Encoding
< content-type: application/json; charset=UTF-8
< date: Thu, 21 Apr 2022 08:10:43 GMT
< server: ESF
< cache-control: private
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
< accept-ranges: none
<
{
  "error": {
    "code": 403,
    "message": "Request had insufficient authentication scopes.",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
        "domain": "googleapis.com",
        "metadata": {
          "method": "google.analytics.data.v1beta.BetaAnalyticsData.RunReport",
          "service": "analyticsdata.googleapis.com"
        }
      }
    ]
  }
}
* Connection #0 to host analyticsdata.googleapis.com left intact
* Closing connection 0

could you please let us know why this request fails although we have authorized all the required scopes?


Solution

  • You are sending an access token with your request.

    When you requested consent of the user in order to get that access token. You must have requested consent with one of the following scopes

    With out it your access token has insufficient authentication scopes. Request access of the user again and request the proper scopes.