Common Google Admin API Issues

“unauthorized_client” Error

If you encounter an error like this:

unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

This typically indicates that Domain-Wide Delegation is not properly configured for your service account.

Verify that you’ve completed the Domain-Wide Delegation setup as described in the Google Admin API setup guide.
Double-check the following:
- The Client ID used in Domain-Wide Delegation matches exactly with your service account’s Client ID
- All required OAuth scopes are properly added
- The admin email you’re using has Super Admin privileges in your Google Workspace
- The admin email is correctly specified in your application configuration
Common OAuth scopes needed for user operations:
- https://www.googleapis.com/auth/admin.directory.user.readonly (for reading users)
- https://www.googleapis.com/auth/admin.directory.user (for managing users)
- https://www.googleapis.com/auth/admin.directory.group.readonly (for reading groups)
- https://www.googleapis.com/auth/admin.directory.group (for managing groups)

If you’re experiencing other API access issues:

Ensure the Admin SDK API is enabled in your Google Cloud Console project
Verify that your service account has the necessary IAM roles assigned
Check that your credentials JSON file is correctly loaded in your application
Confirm that the Google Workspace admin you’re using has the necessary privileges

Google Admin API has rate limits that may affect your application:

If you’re hitting rate limits, consider implementing:

To verify your configuration is working correctly: