@aligulzar729/google-ads-mcp 0.1.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +154 -51
- package/dist/index.js +16 -17
- package/package.json +14 -15
package/README.md
CHANGED
|
@@ -10,7 +10,7 @@ Ask for a report, launch a campaign, tune bids and budgets, manage keywords, or
|
|
|
10
10
|
|
|
11
11
|
The important part: reads are free and can never spend, and every write **previews first**. The assistant shows you the exact values and asks you to type **yes** or **ok** in chat; only then does it apply with `confirmed:true` and `user_confirmation`. New campaigns start paused. You get an AI copilot for Google Ads without pretending the model is a free pass on your budget.
|
|
12
12
|
|
|
13
|
-
> **Money and residual risk:** once something is enabled or a budget goes up, Google can spend real money. Previews and yes/ok are guardrails, not a bank lock, MCP cannot force a human click, and a sloppy model could invent approval. Read the preview. If you would not hit Apply in the Google Ads UI, do not type yes here. See [
|
|
13
|
+
> **Money and residual risk:** once something is enabled or a budget goes up, Google can spend real money. Previews and yes/ok are guardrails, not a bank lock, MCP cannot force a human click, and a sloppy model could invent approval. Read the preview. If you would not hit Apply in the Google Ads UI, do not type yes here. See [Money and safety](#money-and-safety) and [SECURITY.md](SECURITY.md).
|
|
14
14
|
|
|
15
15
|
```
|
|
16
16
|
You: How did my campaigns do last month?
|
|
@@ -23,6 +23,25 @@ You: yes
|
|
|
23
23
|
AI: Created "Summer Sale" (PAUSED). It won't serve until you enable it.
|
|
24
24
|
```
|
|
25
25
|
|
|
26
|
+
## Contents
|
|
27
|
+
|
|
28
|
+
- [Quick start](#quick-start)
|
|
29
|
+
- [What it can do](#what-it-can-do)
|
|
30
|
+
- [What this is not](#what-this-is-not)
|
|
31
|
+
- [Money and safety](#money-and-safety)
|
|
32
|
+
- [Add it to your AI harness](#add-it-to-your-ai-harness)
|
|
33
|
+
- [Credentials](#credentials) (and [Getting a refresh token](#getting-a-refresh-token-oauth-playground))
|
|
34
|
+
- [Configuration](#configuration) (and [all environment variables](#all-environment-variables))
|
|
35
|
+
- [Hosted, multi-user](#hosted-multi-user) (and [LibreChat on the same host](#librechat-on-the-same-host-no-public-url))
|
|
36
|
+
- [Tools](#tools)
|
|
37
|
+
- [Big reports and pagination](#big-reports-and-pagination)
|
|
38
|
+
- [Scheduled and unattended use](#scheduled-and-unattended-use)
|
|
39
|
+
- [Troubleshooting](#troubleshooting)
|
|
40
|
+
- [Notes](#notes)
|
|
41
|
+
- [Acknowledgments](#acknowledgments)
|
|
42
|
+
- [License](#license)
|
|
43
|
+
- [Contributing](#contributing)
|
|
44
|
+
|
|
26
45
|
## Quick start
|
|
27
46
|
|
|
28
47
|
```bash
|
|
@@ -40,16 +59,27 @@ cp .env.example .env # fill in values
|
|
|
40
59
|
npm run dev:stdio # or: npm run dev:http
|
|
41
60
|
```
|
|
42
61
|
|
|
43
|
-
Node **22.5+** is required
|
|
62
|
+
Node **22.5+** is required. There is no native build step and no database to run: HTTP mode uses Node's built-in SQLite, so `npx` just works.
|
|
44
63
|
|
|
45
64
|
## What it can do
|
|
46
65
|
|
|
47
66
|
- **Reporting**: campaign performance, Search impression share, Performance Max asset groups, and raw GAQL for anything else. It looks up real field names first, so queries don't fail on guessed fields.
|
|
48
|
-
- **Campaigns**: create Search, Display, Demand Gen,
|
|
67
|
+
- **Campaigns**: create Search, Display, Demand Gen, App, Shopping, and Performance Max campaigns (use Demand Gen for YouTube; Google no longer lets the API create Video campaigns); rename, set dates and networks, pause and resume, set budgets and bidding strategies, and target by location, language, and schedule.
|
|
49
68
|
- **Ad groups and ads**: manage ad groups and build ads per channel (responsive search, responsive display, HTML5, Demand Gen, video, app, shopping).
|
|
50
69
|
- **Keywords**: list with quality score, add positive or negative keywords, change bids and status.
|
|
51
70
|
- **Performance Max**: create asset groups from text and images, update or delete them, add more images, list and remove assets.
|
|
52
|
-
- **Accounts**: check the connection
|
|
71
|
+
- **Accounts**: check the connection and list the accounts you can reach; on the hosted (HTTP) server, also switch the active account and read an audit trail of every change.
|
|
72
|
+
|
|
73
|
+
### What it can't do
|
|
74
|
+
|
|
75
|
+
- **Conversion tracking.** Creating or editing conversion actions and importing offline conversions (it reads conversion metrics, but doesn't set them up).
|
|
76
|
+
- **Audiences and bid adjustments.** Remarketing or customer-match lists, audience targeting, and device, demographic, or audience bid modifiers. Targeting here is location, language, and ad schedule only.
|
|
77
|
+
- **Search ad assets / extensions.** Sitelinks, callouts, structured snippets, call, price, and promotion assets (Performance Max text and image assets are supported).
|
|
78
|
+
- **Account structure and budgets.** Creating customer accounts, managing an MCC hierarchy, or setting up billing and account-level budget orders.
|
|
79
|
+
- **Experiments, drafts, and recommendations.** A/B experiments, campaign drafts, and applying Google's optimization-score recommendations.
|
|
80
|
+
- **Shared library and labels.** Shared budgets, negative-keyword and placement-exclusion sets, and labels.
|
|
81
|
+
- **Keyword Planner.** Keyword ideas and traffic forecasts.
|
|
82
|
+
- **External links.** Merchant Center, Analytics, and YouTube account links (Shopping and Performance Max assume these already exist).
|
|
53
83
|
|
|
54
84
|
## What this is not
|
|
55
85
|
|
|
@@ -61,9 +91,9 @@ Node **22.5+** is required (HTTP mode uses Node's built-in SQLite).
|
|
|
61
91
|
|
|
62
92
|
If you want a report in chat, a careful campaign draft, or help wiring keywords and P-Max assets with a human still holding the wheel, you are in the right place. If you want unsupervised budget AI, you are not.
|
|
63
93
|
|
|
64
|
-
##
|
|
94
|
+
## Money and safety
|
|
65
95
|
|
|
66
|
-
Reads never cost anything. Writes can.
|
|
96
|
+
Reads never cost anything. Writes can, and every write **previews first**: the model shows the exact values and asks you to type **yes** or **ok**; apply then requires `confirmed:true` and `user_confirmation` `"yes"` or `"ok"` (`REQUIRE_USER_CONFIRMATION`, default on).
|
|
67
97
|
|
|
68
98
|
| Action | Money impact |
|
|
69
99
|
|--------|----------------|
|
|
@@ -72,33 +102,18 @@ Reads never cost anything. Writes can.
|
|
|
72
102
|
| Raise daily budget, change bids, enable a campaign or ad group | Can spend as soon as Google serves. |
|
|
73
103
|
| Pause or remove | Stops or deletes serving; removes are permanent for that entity. |
|
|
74
104
|
|
|
75
|
-
|
|
105
|
+
More guardrails: new campaigns and P-Max asset groups start **paused**; deletes show a clear warning first (also gated by `REQUIRE_USER_CONFIRMATION`); every applied change lands in a durable audit log; and HTTP mode rate-limits OAuth and `/mcp` per client IP (process-local, put a reverse proxy in front for multi-replica).
|
|
106
|
+
|
|
107
|
+
Habits that save pain:
|
|
76
108
|
|
|
77
109
|
- Start on a **test or low-budget** account while you learn the tools.
|
|
78
110
|
- Treat **yes** like approving a wire: skim the preview numbers (budget, bid, status) before you type it.
|
|
79
111
|
- Prefer **PAUSED** creates, then enable only what you meant to turn on.
|
|
80
|
-
- Shared budgets are shared
|
|
81
|
-
- Disabling chat confirm (`REQUIRE_USER_CONFIRMATION=false`) is for trusted automation only. On a live account with real spend, leave it on.
|
|
82
|
-
|
|
83
|
-
You are responsible for the Google Ads account and any charges that come from it. This project is MIT software that talks to Google's API; it does not pay your media bill and it does not absorb mistakes.
|
|
84
|
-
|
|
85
|
-
## Safe by default
|
|
86
|
-
|
|
87
|
-
- Reads never cost money. Reporting, lookups, and status checks are always free.
|
|
88
|
-
- Every write **previews first**. The model must show you the values and ask you to type **yes** or **ok**. Apply requires `confirmed:true` and `user_confirmation` `"yes"` or `"ok"` (`REQUIRE_USER_CONFIRMATION`, default on).
|
|
89
|
-
- New campaigns and Performance Max asset groups are created **paused**, so they never serve or spend until you turn them on.
|
|
90
|
-
- Deletes show a clear warning before they run (gated by `REQUIRE_USER_CONFIRMATION`, default on).
|
|
91
|
-
- Every applied change is recorded in a durable audit log.
|
|
92
|
-
- HTTP mode rate-limits OAuth and `/mcp` per client IP (process-local; put a reverse proxy in front for multi-replica).
|
|
93
|
-
|
|
94
|
-
Trusted headless automation only: set `REQUIRE_USER_CONFIRMATION=false` so one-shot `confirmed:true` works without a chat yes/ok. Do that only when you already trust the caller with the account.
|
|
95
|
-
|
|
96
|
-
## Requirements
|
|
112
|
+
- Shared budgets are shared: changing one campaign's budget can hit every campaign on that budget (the tools warn when they can).
|
|
97
113
|
|
|
98
|
-
-
|
|
99
|
-
- Google Ads API credentials (see [Credentials](#credentials)).
|
|
114
|
+
`REQUIRE_USER_CONFIRMATION=false` disables the chat yes/ok so one-shot `confirmed:true` works, for trusted headless automation only. On a live account with real spend, leave it on.
|
|
100
115
|
|
|
101
|
-
|
|
116
|
+
You are responsible for the Google Ads account and any charges from it. This is MIT software that talks to Google's API; it does not pay your media bill and does not absorb mistakes.
|
|
102
117
|
|
|
103
118
|
## Add it to your AI harness
|
|
104
119
|
|
|
@@ -199,7 +214,7 @@ env = { GOOGLE_ADS_DEVELOPER_TOKEN = "...", GOOGLE_OAUTH_CLIENT_ID = "...", GOOG
|
|
|
199
214
|
|
|
200
215
|
<br>
|
|
201
216
|
|
|
202
|
-
LibreChat connects over HTTP and lets each user sign in with their own Google account, so you run the server yourself (see [Hosted, multi-user](#hosted-multi-user)) and point LibreChat at it
|
|
217
|
+
LibreChat connects over HTTP and lets each user sign in with their own Google account, so you run the server yourself (see [Hosted, multi-user](#hosted-multi-user)) and point LibreChat at it:
|
|
203
218
|
|
|
204
219
|
```yaml
|
|
205
220
|
mcpServers:
|
|
@@ -207,9 +222,15 @@ mcpServers:
|
|
|
207
222
|
type: streamable-http
|
|
208
223
|
url: "https://your-subdomain.example.com/mcp"
|
|
209
224
|
startup: false
|
|
225
|
+
requiresOAuth: true
|
|
210
226
|
```
|
|
211
227
|
|
|
212
|
-
|
|
228
|
+
Two settings matter:
|
|
229
|
+
|
|
230
|
+
- `requiresOAuth: true` declares this a per-user OAuth server. Without it, LibreChat tries to auto-detect OAuth by opening an unauthenticated connection to list tools, which always fails on an auth-walled server and fills your logs with `OAuth not supported in unauthenticated discovery` and repeated `Reinspection failed ... timeout`. The flag skips that probe and shows the sign-in prompt directly.
|
|
231
|
+
- `startup: false` connects on first use, not at boot, since there is no user to authorize at startup.
|
|
232
|
+
|
|
233
|
+
Also add the host to `mcpSettings.allowedDomains` in `librechat.yaml`. Users then click Connect in chat and approve at Google. Nothing to paste. To run LibreChat and this server on one machine with no public URL, see [LibreChat on the same host](#librechat-on-the-same-host-no-public-url).
|
|
213
234
|
</details>
|
|
214
235
|
|
|
215
236
|
<details>
|
|
@@ -259,17 +280,33 @@ Three values are always required, because they identify the app (not the user):
|
|
|
259
280
|
|
|
260
281
|
For local (stdio) use, add one account's own credentials:
|
|
261
282
|
|
|
262
|
-
- `GOOGLE_ADS_REFRESH_TOKEN`: a refresh token for a Google account with access to the ads account.
|
|
263
|
-
- `GOOGLE_ADS_CUSTOMER_ID`: the
|
|
264
|
-
- `GOOGLE_ADS_LOGIN_CUSTOMER_ID`: optional
|
|
283
|
+
- `GOOGLE_ADS_REFRESH_TOKEN`: a refresh token for a Google account with access to the ads account. See [Getting a refresh token](#getting-a-refresh-token-oauth-playground) below.
|
|
284
|
+
- `GOOGLE_ADS_CUSTOMER_ID`: the account you act on, 10 digits with no dashes. Its campaigns and reports are what you read and change.
|
|
285
|
+
- `GOOGLE_ADS_LOGIN_CUSTOMER_ID`: optional. The manager (MCC) account you reach that account *through*, if any.
|
|
286
|
+
|
|
287
|
+
These two trip everyone up, so plainly: `CUSTOMER_ID` is **which account to act on**, `LOGIN_CUSTOMER_ID` is **which manager to go through to reach it**. A manager (MCC) account holds no campaigns itself; it just grants access to the client accounts under it. So:
|
|
288
|
+
|
|
289
|
+
- Your Google user has **direct** access to the account (it shows as `[client]` in `google_ads_account list`): set `CUSTOMER_ID` to it and **leave `LOGIN_CUSTOMER_ID` empty**.
|
|
290
|
+
- You only reach the account **through a manager**: set `CUSTOMER_ID` to the client account and `LOGIN_CUSTOMER_ID` to that **manager's** id, never to the client id, and never to a manager that does not actually own the client (both cause `PERMISSION_DENIED`).
|
|
265
291
|
|
|
266
292
|
Keep the OAuth app in the **In Production** publishing status. In Testing, refresh tokens expire after 7 days.
|
|
267
293
|
|
|
268
294
|
For hosted (http) use you don't set a refresh token at all. Users authorize themselves in the browser and the server stores each token encrypted. See below.
|
|
269
295
|
|
|
296
|
+
### Getting a refresh token (OAuth Playground)
|
|
297
|
+
|
|
298
|
+
For stdio mode you supply one account's refresh token. Two settings are what everyone gets wrong, so both steps below are required:
|
|
299
|
+
|
|
300
|
+
1. **Add the Playground redirect to your OAuth client.** In Google Cloud Console, open your OAuth client (the one whose id and secret you use) under APIs & Services, then Credentials. Under **Authorized redirect URIs**, add `https://developers.google.com/oauthplayground` and save. Miss this and the Playground fails with `redirect_uri_mismatch`.
|
|
301
|
+
2. **Use your own client in the Playground.** Open the [OAuth 2.0 Playground](https://developers.google.com/oauthplayground), click the **gear** (top right), check **Use your own OAuth credentials**, and paste the same client id and secret. Miss this and the token is minted for Google's demo client, which later fails with `unauthorized_client`.
|
|
302
|
+
3. **Authorize the Ads scope.** In the left panel under "Input your own scopes", enter `https://www.googleapis.com/auth/adwords`, click **Authorize APIs**, and sign in with the Google account that can reach the ads account.
|
|
303
|
+
4. **Exchange for the token.** Click **Exchange authorization code for tokens** and copy the `refresh_token` into `GOOGLE_ADS_REFRESH_TOKEN`.
|
|
304
|
+
|
|
305
|
+
A token works only when both are true: it was minted by *your* client (step 2) and *your* client permits the Playground redirect (step 1). The Playground redirect is only needed for minting, so you can remove it from the client afterward; it is separate from the `PUBLIC_BASE_URL/auth/callback` redirect that http mode registers.
|
|
306
|
+
|
|
270
307
|
## Configuration
|
|
271
308
|
|
|
272
|
-
Everything is set through environment variables
|
|
309
|
+
Everything is set through environment variables. Every setting can also be passed as a command-line flag: the flag is the env var name, lowercased, with dashes for underscores. A bare `--flag` sets `true`, and `--no-flag` sets `false`. Flags are handy in a client's `args` or a launch command:
|
|
273
310
|
|
|
274
311
|
```bash
|
|
275
312
|
npx -y @aligulzar729/google-ads-mcp \
|
|
@@ -278,20 +315,47 @@ npx -y @aligulzar729/google-ads-mcp \
|
|
|
278
315
|
--no-require-user-confirmation # trusted automation only
|
|
279
316
|
```
|
|
280
317
|
|
|
281
|
-
In a client config, add them to `args`:
|
|
282
|
-
|
|
283
318
|
```json
|
|
284
319
|
"args": ["-y", "@aligulzar729/google-ads-mcp", "--app-name=Acme Ads"]
|
|
285
320
|
```
|
|
286
321
|
|
|
287
|
-
|
|
288
|
-
|---------|-------------------|-------|
|
|
289
|
-
| App name | `APP_NAME` / `--app-name` | shown on the OAuth consent and error pages |
|
|
290
|
-
| Log level | `LOG_LEVEL` / `--log-level` | `debug`, `info`, `warn`, `error` |
|
|
291
|
-
| Require confirmation | `REQUIRE_USER_CONFIRMATION` / `--no-require-user-confirmation` | default on; gates every write, including deletes; off only for trusted headless |
|
|
292
|
-
| HTTP port | `PORT` / `--port` | default 3001 |
|
|
322
|
+
Prefer env vars for secrets: flags can show up in the process list.
|
|
293
323
|
|
|
294
|
-
|
|
324
|
+
### All environment variables
|
|
325
|
+
|
|
326
|
+
**App identity, required in both modes.** These identify the app, not the user.
|
|
327
|
+
|
|
328
|
+
| Env var | Flag | Description |
|
|
329
|
+
|---------|------|-------------|
|
|
330
|
+
| `GOOGLE_ADS_DEVELOPER_TOKEN` | `--google-ads-developer-token` | Google Ads API developer token, from your manager account API Center. |
|
|
331
|
+
| `GOOGLE_OAUTH_CLIENT_ID` | `--google-oauth-client-id` | OAuth client id from a Google Cloud project with the Google Ads API enabled. |
|
|
332
|
+
| `GOOGLE_OAUTH_CLIENT_SECRET` | `--google-oauth-client-secret` | OAuth client secret. |
|
|
333
|
+
|
|
334
|
+
**Behavior, both modes.**
|
|
335
|
+
|
|
336
|
+
| Env var | Flag | Default | Description |
|
|
337
|
+
|---------|------|---------|-------------|
|
|
338
|
+
| `APP_NAME` | `--app-name` | `Google Ads MCP` | Name shown on the OAuth consent and error pages. |
|
|
339
|
+
| `LOG_LEVEL` | `--log-level` | `info` | `debug`, `info`, `warn`, or `error`. |
|
|
340
|
+
| `REQUIRE_USER_CONFIRMATION` | `--no-require-user-confirmation` | on | Gates every write, including deletes. Turn off only for trusted headless automation. |
|
|
341
|
+
|
|
342
|
+
**stdio mode, single user.** One account's own credentials.
|
|
343
|
+
|
|
344
|
+
| Env var | Flag | Default | Description |
|
|
345
|
+
|---------|------|---------|-------------|
|
|
346
|
+
| `GOOGLE_ADS_REFRESH_TOKEN` | `--google-ads-refresh-token` | empty | Refresh token for a Google account with access to the ads account. See [Getting a refresh token](#getting-a-refresh-token-oauth-playground). |
|
|
347
|
+
| `GOOGLE_ADS_CUSTOMER_ID` | `--google-ads-customer-id` | empty | The account to act on (10 digits, no dashes). |
|
|
348
|
+
| `GOOGLE_ADS_LOGIN_CUSTOMER_ID` | `--google-ads-login-customer-id` | empty | The manager (MCC) to reach it through; leave empty for direct access. See [Credentials](#credentials). |
|
|
349
|
+
|
|
350
|
+
**http mode, hosted and multi-user.** Per-user credentials come from each user's browser sign-in, so you do not set a refresh token here.
|
|
351
|
+
|
|
352
|
+
| Env var | Flag | Default | Description |
|
|
353
|
+
|---------|------|---------|-------------|
|
|
354
|
+
| `PORT` | `--port` | `3001` | Listen port. |
|
|
355
|
+
| `PUBLIC_BASE_URL` | `--public-base-url` | required | Public base URL of this instance. Register `PUBLIC_BASE_URL/auth/callback` as a redirect URI on the Google OAuth client. |
|
|
356
|
+
| `TOKEN_ENC_KEY` | `--token-enc-key` | required | 32-byte base64 key (`openssl rand -base64 32`) that encrypts stored refresh tokens. Keep it stable and secret. |
|
|
357
|
+
| `ALLOWED_REDIRECT_ORIGINS` | `--allowed-redirect-origins` | required | Comma-separated allowlist of client origins allowed to complete the OAuth flow, for example `https://chat.example.com`. |
|
|
358
|
+
| `AUDIT_DB_PATH` | `--audit-db-path` | `./data/audit.db` | Where the audit log and encrypted authorizations live. Mount a volume so it survives restarts. |
|
|
295
359
|
|
|
296
360
|
## Hosted, multi-user
|
|
297
361
|
|
|
@@ -303,13 +367,7 @@ Run it (behind HTTPS, on its own subdomain):
|
|
|
303
367
|
npx -y @aligulzar729/google-ads-mcp --http
|
|
304
368
|
```
|
|
305
369
|
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
- `TOKEN_ENC_KEY`: 32-byte base64 key that encrypts stored refresh tokens. Generate with `openssl rand -base64 32`. Keep it stable and secret; rotating it invalidates every stored authorization.
|
|
309
|
-
- `PUBLIC_BASE_URL`: the public HTTPS base URL of this instance, for example `https://ads.example.com`. Register `${PUBLIC_BASE_URL}/auth/callback` as a redirect URI on your Google OAuth client.
|
|
310
|
-
- `ALLOWED_REDIRECT_ORIGINS`: comma-separated allowlist of client origins allowed to complete the OAuth flow, for example `https://chat.example.com`. This is what stops a phished authorize link from delivering a code to an attacker.
|
|
311
|
-
- `PORT`: defaults to 3001.
|
|
312
|
-
- `AUDIT_DB_PATH`: where the audit log and encrypted authorizations live. Mount a volume so it survives restarts.
|
|
370
|
+
Beyond the shared app credentials, this mode needs `TOKEN_ENC_KEY`, `PUBLIC_BASE_URL`, and `ALLOWED_REDIRECT_ORIGINS`, plus optional `PORT` and `AUDIT_DB_PATH` (see [All environment variables](#all-environment-variables)). Two things worth calling out: register `PUBLIC_BASE_URL/auth/callback` as a redirect URI on your Google OAuth client, and `ALLOWED_REDIRECT_ORIGINS` is the allowlist that stops a phished authorize link from delivering a code to an attacker.
|
|
313
371
|
|
|
314
372
|
A `Dockerfile` and `docker-compose.yml` are included for a container deployment.
|
|
315
373
|
|
|
@@ -326,6 +384,47 @@ curl -sS http://127.0.0.1:3001/healthz
|
|
|
326
384
|
|
|
327
385
|
Point your reverse proxy (TLS) at `127.0.0.1:3001`. The **whole subdomain** must reach this container: OAuth discovery, `/authorize`, `/token`, and `/mcp` all live on the same host (`PUBLIC_BASE_URL`). Back up the `ads_data` volume (audit log + encrypted authorizations).
|
|
328
386
|
|
|
387
|
+
### LibreChat on the same host (no public URL)
|
|
388
|
+
|
|
389
|
+
To run LibreChat and this server on one machine over plain HTTP, with no public domain or TLS, run this server as a sidecar that shares the LibreChat api container's network namespace. That makes `http://localhost:3001` the same address for both your browser and LibreChat's backend, and Google allows `http://localhost` as the one non-HTTPS OAuth redirect, so sign-in works without a certificate.
|
|
390
|
+
|
|
391
|
+
Add to LibreChat's `docker-compose.override.yml`:
|
|
392
|
+
|
|
393
|
+
```yaml
|
|
394
|
+
services:
|
|
395
|
+
api:
|
|
396
|
+
ports:
|
|
397
|
+
- "3001:3001" # expose the sidecar to your browser
|
|
398
|
+
google-ads-mcp:
|
|
399
|
+
image: node:24-bookworm-slim
|
|
400
|
+
command: ["npx", "-y", "@aligulzar729/google-ads-mcp", "--http"]
|
|
401
|
+
network_mode: "service:api" # share the api netns: one localhost for browser and backend
|
|
402
|
+
depends_on:
|
|
403
|
+
- api
|
|
404
|
+
environment:
|
|
405
|
+
PORT: "3001"
|
|
406
|
+
PUBLIC_BASE_URL: "http://localhost:3001"
|
|
407
|
+
ALLOWED_REDIRECT_ORIGINS: "http://localhost:3080" # your LibreChat origin
|
|
408
|
+
GOOGLE_ADS_DEVELOPER_TOKEN: ${GOOGLE_ADS_DEVELOPER_TOKEN}
|
|
409
|
+
GOOGLE_OAUTH_CLIENT_ID: ${GOOGLE_OAUTH_CLIENT_ID}
|
|
410
|
+
GOOGLE_OAUTH_CLIENT_SECRET: ${GOOGLE_OAUTH_CLIENT_SECRET}
|
|
411
|
+
TOKEN_ENC_KEY: ${TOKEN_ENC_KEY}
|
|
412
|
+
AUDIT_DB_PATH: /app/data/audit.db
|
|
413
|
+
volumes:
|
|
414
|
+
- ads_data:/app/data
|
|
415
|
+
volumes:
|
|
416
|
+
ads_data:
|
|
417
|
+
```
|
|
418
|
+
|
|
419
|
+
Then:
|
|
420
|
+
|
|
421
|
+
- Point the LibreChat entry at `url: "http://localhost:3001/mcp"` with `requiresOAuth: true` (see [LibreChat](#add-it-to-your-ai-harness) above), and keep `localhost` in `mcpSettings.allowedDomains`.
|
|
422
|
+
- Register `http://localhost:3001/auth/callback` as a redirect URI on the Google OAuth client.
|
|
423
|
+
- Sign in from Chrome or Firefox: the consent cookie is `Secure`, and those treat `localhost` as a secure context. Safari may refuse it.
|
|
424
|
+
- The sidecar shares the api container's network, so recreate both together after changes: `docker compose up -d --force-recreate api google-ads-mcp`.
|
|
425
|
+
|
|
426
|
+
Publish the OAuth app to In Production so per-user tokens do not expire after 7 days.
|
|
427
|
+
|
|
329
428
|
## Tools
|
|
330
429
|
|
|
331
430
|
Seven tools, each takes an `action`:
|
|
@@ -365,12 +464,16 @@ Reporting is read-only and retried, so it's reliable for cron and scheduled jobs
|
|
|
365
464
|
| Symptom | What to try |
|
|
366
465
|
|---------|-------------|
|
|
367
466
|
| Refresh token dies after ~7 days | OAuth app is still in **Testing**. Publish it to **In Production**. |
|
|
368
|
-
| `PERMISSION_DENIED` /
|
|
467
|
+
| `PERMISSION_DENIED` / "set login-customer-id" | `GOOGLE_ADS_LOGIN_CUSTOMER_ID` is only for reaching a client *through a manager*. For an account you access directly (it shows as `[client]` in `account list`), leave it empty. Setting a manager you do not reach that client through, or setting one at all when none is needed, causes this error. If it is still denied, the login genuinely lacks access to that customer id. |
|
|
468
|
+
| `unauthorized_client` on token exchange | The refresh token was minted by a different OAuth client than `GOOGLE_OAUTH_CLIENT_ID`. Re-mint it with that exact client (in the OAuth Playground, check "Use your own OAuth credentials" first). |
|
|
369
469
|
| Quota / rate errors | Developer token may need **Standard Access**. Reads are retried with backoff. |
|
|
370
470
|
| "user_confirmation" / confirmed rejected | Call once without `confirmed` to preview, ask the user to type yes or ok, then re-call with `confirmed:true` and `user_confirmation:"yes"` (or `"ok"`). |
|
|
371
471
|
| "not connected" / reconnect message | Refresh token revoked; re-auth (HTTP) or mint a new refresh token (stdio). |
|
|
372
472
|
| HTTP container exits on boot | Missing `TOKEN_ENC_KEY`, `PUBLIC_BASE_URL`, or `ALLOWED_REDIRECT_ORIGINS`. Check logs. |
|
|
373
|
-
| OAuth works but LibreChat never connects | `startup: false` on the MCP
|
|
473
|
+
| OAuth works but LibreChat never connects | Set `requiresOAuth: true` and `startup: false` on the MCP entry, add the host to `allowedDomains`, and point `url` at the public `/mcp` path. |
|
|
474
|
+
| LibreChat logs `OAuth not supported in unauthenticated discovery` or repeated `Reinspection failed ... timeout` | Missing `requiresOAuth: true`. LibreChat is probing the server without auth to list tools, which always fails on an OAuth server. The flag silences the probe and shows the sign-in prompt directly. |
|
|
475
|
+
| Stale connection after changing the server URL under the same name | LibreChat caches OAuth tokens per server name. Reconnect, or clear its cached tokens for that server, so it registers fresh against the new backend. |
|
|
476
|
+
| Google returns `redirect_uri_mismatch` mid sign-in | `PUBLIC_BASE_URL/auth/callback` is not registered on the OAuth client. For localhost that is `http://localhost:3001/auth/callback`. |
|
|
374
477
|
|
|
375
478
|
## Notes
|
|
376
479
|
|
package/dist/index.js
CHANGED
|
@@ -39,22 +39,22 @@ var httpExtra = z.object({
|
|
|
39
39
|
try {
|
|
40
40
|
out.push(new URL(raw).origin);
|
|
41
41
|
} catch {
|
|
42
|
-
ctx.addIssue({ code:
|
|
42
|
+
ctx.addIssue({ code: "custom", message: `not a valid origin: ${raw}` });
|
|
43
43
|
}
|
|
44
44
|
} else if (hostPat.test(raw)) {
|
|
45
45
|
const labels = (raw.startsWith("*.") ? raw.slice(2) : raw).split(".");
|
|
46
46
|
const malformed = raw.startsWith(".") || raw.endsWith(".") || labels.some((l) => !l);
|
|
47
47
|
const tooBroad = labels.length < 2 && raw !== "localhost";
|
|
48
48
|
if (malformed || tooBroad) {
|
|
49
|
-
ctx.addIssue({ code:
|
|
49
|
+
ctx.addIssue({ code: "custom", message: `not a usable host/wildcard (use "apple.example.com" or "*.example.com"): ${raw}` });
|
|
50
50
|
} else {
|
|
51
51
|
out.push(raw);
|
|
52
52
|
}
|
|
53
53
|
} else {
|
|
54
|
-
ctx.addIssue({ code:
|
|
54
|
+
ctx.addIssue({ code: "custom", message: `not a valid origin or host pattern: ${raw}` });
|
|
55
55
|
}
|
|
56
56
|
}
|
|
57
|
-
if (!out.length) ctx.addIssue({ code:
|
|
57
|
+
if (!out.length) ctx.addIssue({ code: "custom", message: "at least one entry is required" });
|
|
58
58
|
return out;
|
|
59
59
|
})
|
|
60
60
|
});
|
|
@@ -393,7 +393,8 @@ function loadSqlite() {
|
|
|
393
393
|
return requireCjs("node:sqlite");
|
|
394
394
|
} catch (err) {
|
|
395
395
|
throw new Error(
|
|
396
|
-
`HTTP mode needs Node's built-in SQLite ("node:sqlite"), available in Node >= 22.5 (some 22.x builds require the --experimental-sqlite flag). This runtime does not provide it; upgrade Node to run HTTP mode. stdio mode does not use it
|
|
396
|
+
`HTTP mode needs Node's built-in SQLite ("node:sqlite"), available in Node >= 22.5 (some 22.x builds require the --experimental-sqlite flag). This runtime does not provide it; upgrade Node to run HTTP mode. stdio mode does not use it.`,
|
|
397
|
+
{ cause: err }
|
|
397
398
|
);
|
|
398
399
|
}
|
|
399
400
|
}
|
|
@@ -730,7 +731,12 @@ var PageCache = class {
|
|
|
730
731
|
while (this.entries.size >= this.MAX_ENTRIES) {
|
|
731
732
|
let oldestId = null;
|
|
732
733
|
let oldestAt = Infinity;
|
|
733
|
-
for (const [id, e] of this.entries)
|
|
734
|
+
for (const [id, e] of this.entries) {
|
|
735
|
+
if (e.createdAt < oldestAt) {
|
|
736
|
+
oldestAt = e.createdAt;
|
|
737
|
+
oldestId = id;
|
|
738
|
+
}
|
|
739
|
+
}
|
|
734
740
|
if (oldestId) this.entries.delete(oldestId);
|
|
735
741
|
else break;
|
|
736
742
|
}
|
|
@@ -1989,7 +1995,7 @@ var metadataHandler = {
|
|
|
1989
1995
|
// src/tools/orchestrators/report.ts
|
|
1990
1996
|
var reportTool = defineOrchestrator({
|
|
1991
1997
|
name: "google_ads_report",
|
|
1992
|
-
purpose:
|
|
1998
|
+
purpose: 'Read Google Ads performance. Prefer a curated action: campaign_performance for any channel, impression_share for Search visibility (the Average Position replacement), or asset_group for Performance Max. For anything else, daily or weekly trends, keyword or search-term views, custom field combinations, use gaql after calling metadata first. Resource hints for less obvious asks: "cart / basket value / cross-sell sales" -> cart_data_sales_view ; "iOS vs Android breakdown" -> add the segment segments.mobile_device_platform. Always call metadata on a resource before querying it to get its exact field names.',
|
|
1993
1999
|
limitations: "Read-only. ROAS is computed as conversion value divided by cost. Average Position does not exist; use action impression_share instead. impression_share only applies to Search campaigns; asset_group only applies to Performance Max. Curated reports already format values, but in raw gaql results, money fields are in micros (divide by 1,000,000) and rates (metrics.ctr, conversion rate, impression share) are ratios from 0 to 1. For gaql, do not guess field names: call metadata first to get the exact selectable, filterable, and sortable fields plus compatible metrics and segments, then use those names verbatim.",
|
|
1994
2000
|
examples: [
|
|
1995
2001
|
'{"action":"campaign_performance","date_range":"LAST_30_DAYS"}',
|
|
@@ -2057,7 +2063,7 @@ function langId(s) {
|
|
|
2057
2063
|
// src/tools/handlers/campaign/create.ts
|
|
2058
2064
|
var schema10 = z13.object({
|
|
2059
2065
|
name: z13.string().min(1).max(255),
|
|
2060
|
-
channel_type: z13.enum(["SEARCH", "PERFORMANCE_MAX", "DISPLAY", "DEMAND_GEN", "
|
|
2066
|
+
channel_type: z13.enum(["SEARCH", "PERFORMANCE_MAX", "DISPLAY", "DEMAND_GEN", "APP", "SHOPPING"]),
|
|
2061
2067
|
daily_budget: z13.number().positive().describe("Daily amount in account currency (e.g. 50 = 50.00/day)"),
|
|
2062
2068
|
bidding: z13.enum(BIDDING).default("MAXIMIZE_CONVERSIONS"),
|
|
2063
2069
|
target_cpa: z13.number().positive().optional().describe("Target CPA in account currency (TARGET_CPA / MAXIMIZE_CONVERSIONS)"),
|
|
@@ -2071,7 +2077,7 @@ var schema10 = z13.object({
|
|
|
2071
2077
|
});
|
|
2072
2078
|
var createHandler = {
|
|
2073
2079
|
action: "create",
|
|
2074
|
-
summary: "Create a campaign plus its daily budget, atomically. channel_type: SEARCH, DISPLAY, DEMAND_GEN
|
|
2080
|
+
summary: "Create a campaign plus its daily budget, atomically. channel_type: SEARCH, DISPLAY, DEMAND_GEN (use this for YouTube; Google no longer lets the API create Video campaigns), PERFORMANCE_MAX, APP (needs app_id + app_store, TARGET_CPA bidding), or SHOPPING (needs merchant_id from a linked Merchant Center). Created PAUSED. Preview first (omit confirmed). Then ask the user to type yes or ok in chat; only after that re-call with confirmed:true and user_confirmation yes|ok.",
|
|
2075
2081
|
readOnly: false,
|
|
2076
2082
|
category: "mutate",
|
|
2077
2083
|
schema: schema10,
|
|
@@ -2096,9 +2102,6 @@ Ask the user, then call create again with brand_guidelines_enabled set to true o
|
|
|
2096
2102
|
if (params.channel_type === "DEMAND_GEN" && params.bidding === "MANUAL_CPC") {
|
|
2097
2103
|
throw new Error("Demand Gen requires automated bidding (not MANUAL_CPC): use MAXIMIZE_CONVERSIONS, TARGET_CPA, MAXIMIZE_CONVERSION_VALUE, or TARGET_ROAS.");
|
|
2098
2104
|
}
|
|
2099
|
-
if (params.channel_type === "VIDEO" && params.bidding !== "MAXIMIZE_CONVERSIONS" && params.bidding !== "TARGET_CPA") {
|
|
2100
|
-
throw new Error("A Video Action campaign requires automated bidding (MAXIMIZE_CONVERSIONS or TARGET_CPA), not MANUAL_CPC.");
|
|
2101
|
-
}
|
|
2102
2105
|
if (params.channel_type === "APP") {
|
|
2103
2106
|
if (!params.app_id) throw new Error("app_id is required for an App campaign (the Android package name or numeric iOS App Store id).");
|
|
2104
2107
|
if (!params.app_store) throw new Error("app_store is required for an App campaign (GOOGLE_APP_STORE or APPLE_APP_STORE).");
|
|
@@ -2113,7 +2116,6 @@ Ask the user, then call create again with brand_guidelines_enabled set to true o
|
|
|
2113
2116
|
SEARCH: enums3.AdvertisingChannelType.SEARCH,
|
|
2114
2117
|
DISPLAY: enums3.AdvertisingChannelType.DISPLAY,
|
|
2115
2118
|
DEMAND_GEN: enums3.AdvertisingChannelType.DEMAND_GEN,
|
|
2116
|
-
VIDEO: enums3.AdvertisingChannelType.VIDEO,
|
|
2117
2119
|
PERFORMANCE_MAX: enums3.AdvertisingChannelType.PERFORMANCE_MAX,
|
|
2118
2120
|
SHOPPING: enums3.AdvertisingChannelType.SHOPPING,
|
|
2119
2121
|
APP: enums3.AdvertisingChannelType.MULTI_CHANNEL
|
|
@@ -2133,8 +2135,6 @@ Ask the user, then call create again with brand_guidelines_enabled set to true o
|
|
|
2133
2135
|
campaign.network_settings = { target_google_search: true, target_search_network: true };
|
|
2134
2136
|
} else if (params.channel_type === "DISPLAY") {
|
|
2135
2137
|
campaign.network_settings = { target_content_network: true };
|
|
2136
|
-
} else if (params.channel_type === "VIDEO") {
|
|
2137
|
-
campaign.advertising_channel_sub_type = enums3.AdvertisingChannelSubType.VIDEO_ACTION;
|
|
2138
2138
|
} else if (params.channel_type === "APP") {
|
|
2139
2139
|
campaign.advertising_channel_sub_type = enums3.AdvertisingChannelSubType.APP_CAMPAIGN;
|
|
2140
2140
|
campaign.app_campaign_setting = {
|
|
@@ -2177,7 +2177,6 @@ Ask the user, then call create again with brand_guidelines_enabled set to true o
|
|
|
2177
2177
|
PERFORMANCE_MAX: "\nNext: add an asset group before enabling, a P-MAX campaign needs assets to serve.",
|
|
2178
2178
|
DISPLAY: "\nNext: add an ad group, then a responsive display ad (add_ad ad_type RESPONSIVE_DISPLAY_AD) or an HTML5 ad, then enable the campaign.",
|
|
2179
2179
|
DEMAND_GEN: "\nNext: add an ad group, then a Demand Gen ad (add_ad ad_type DEMAND_GEN_MULTI_ASSET), then enable the campaign.",
|
|
2180
|
-
VIDEO: "\nNext: add an ad group, then a responsive video ad (add_ad ad_type VIDEO_RESPONSIVE with a YouTube video), then enable the campaign.",
|
|
2181
2180
|
APP: "\nNext: App campaigns auto-create an ad group, find it with ad_group list_ads (or a report), add an app ad (add_ad ad_type APP), then enable the campaign.",
|
|
2182
2181
|
SHOPPING: "\nNext: add an ad group, then a product ad (add_ad ad_type SHOPPING_PRODUCT). Products serve from the linked Merchant Center feed, make sure Merchant Center is linked.",
|
|
2183
2182
|
SEARCH: "\nNext: add an ad group and a responsive search ad, then enable the campaign."
|
|
@@ -2475,7 +2474,7 @@ var targetingHandler = {
|
|
|
2475
2474
|
var campaignTool = defineOrchestrator({
|
|
2476
2475
|
name: "google_ads_campaign",
|
|
2477
2476
|
purpose: "Create and manage campaigns. create builds a new one for Search, Display, Demand Gen, App, Shopping, or Performance Max (for YouTube, use DEMAND_GEN, not VIDEO). update renames it or changes its dates and network settings. status pauses or resumes it. budget sets the daily budget. bidding sets the bidding strategy. targeting sets location, language, and schedule.",
|
|
2478
|
-
limitations: "Every write previews first; then the user must type yes or ok in chat before confirmed:true + user_confirmation. New campaigns are created PAUSED. All edits here are in-place updates, not delete-and-recreate. Use the right action: update for name, dates, and networks; status for pause or resume; budget for the daily budget; bidding for the strategy; targeting for locations, languages, and schedule. Get campaign_id from report. Performance Max
|
|
2477
|
+
limitations: "Every write previews first; then the user must type yes or ok in chat before confirmed:true + user_confirmation. New campaigns are created PAUSED. All edits here are in-place updates, not delete-and-recreate. Use the right action: update for name, dates, and networks; status for pause or resume; budget for the daily budget; bidding for the strategy; targeting for locations, languages, and schedule. Get campaign_id from report. Performance Max and Demand Gen require automated bidding. App needs app_id, app_store, and TARGET_CPA bidding. Shopping needs a merchant_id from a linked Merchant Center account. VIDEO campaigns can no longer be created through the API (Google sunset Video Action campaigns for Demand Gen), so use DEMAND_GEN for YouTube instead. Location and language are numeric ids, so resolve names with google_ads_lookup first.",
|
|
2479
2478
|
examples: [
|
|
2480
2479
|
'{"action":"create","name":"Brand - Search","channel_type":"SEARCH","daily_budget":50,"bidding":"MAXIMIZE_CONVERSIONS"}',
|
|
2481
2480
|
'{"action":"create","name":"App - Installs","channel_type":"APP","daily_budget":50,"bidding":"TARGET_CPA","target_cpa":3,"app_id":"com.example.app","app_store":"GOOGLE_APP_STORE"}',
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@aligulzar729/google-ads-mcp",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.3.0",
|
|
4
4
|
"description": "Manage Google Ads from Claude, Codex, LibreChat, or any MCP client. Natural-language reporting plus guarded campaign, keyword, and Performance Max operations.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|
|
@@ -18,7 +18,7 @@
|
|
|
18
18
|
"dev:stdio": "tsx src/index.ts --stdio",
|
|
19
19
|
"start": "node dist/index.js",
|
|
20
20
|
"typecheck": "tsc --noEmit",
|
|
21
|
-
"lint": "eslint
|
|
21
|
+
"lint": "eslint src",
|
|
22
22
|
"test": "vitest run",
|
|
23
23
|
"prepublishOnly": "npm run build && npm test"
|
|
24
24
|
},
|
|
@@ -51,23 +51,22 @@
|
|
|
51
51
|
"access": "public"
|
|
52
52
|
},
|
|
53
53
|
"dependencies": {
|
|
54
|
-
"@hono/node-server": "^
|
|
54
|
+
"@hono/node-server": "^2.0.8",
|
|
55
55
|
"@modelcontextprotocol/sdk": "^1.29.0",
|
|
56
|
-
"google-ads-api": "^
|
|
56
|
+
"google-ads-api": "^24.1.0",
|
|
57
57
|
"google-auth-library": "^9.15.0",
|
|
58
|
-
"hono": "^4.12.
|
|
59
|
-
"zod": "^
|
|
58
|
+
"hono": "^4.12.28",
|
|
59
|
+
"zod": "^4.4.3"
|
|
60
60
|
},
|
|
61
61
|
"devDependencies": {
|
|
62
|
-
"@
|
|
63
|
-
"@
|
|
64
|
-
"
|
|
65
|
-
"
|
|
66
|
-
"eslint-import-resolver-typescript": "^3.7.0",
|
|
67
|
-
"eslint-plugin-import": "^2.31.0",
|
|
62
|
+
"@eslint/js": "^10.0.1",
|
|
63
|
+
"@types/node": "^26.1.1",
|
|
64
|
+
"eslint": "^10.6.0",
|
|
65
|
+
"globals": "^17.7.0",
|
|
68
66
|
"tsup": "^8.3.5",
|
|
69
|
-
"tsx": "^4.
|
|
70
|
-
"typescript": "
|
|
71
|
-
"
|
|
67
|
+
"tsx": "^4.23.0",
|
|
68
|
+
"typescript": "~6.0.3",
|
|
69
|
+
"typescript-eslint": "^8.63.0",
|
|
70
|
+
"vitest": "^4.1.10"
|
|
72
71
|
}
|
|
73
72
|
}
|