@aligulzar729/google-ads-mcp 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +154 -51
  2. package/dist/index.js +4 -11
  3. package/package.json +6 -6
package/README.md CHANGED
@@ -10,7 +10,7 @@ Ask for a report, launch a campaign, tune bids and budgets, manage keywords, or
10
10
 
11
11
  The important part: reads are free and can never spend, and every write **previews first**. The assistant shows you the exact values and asks you to type **yes** or **ok** in chat; only then does it apply with `confirmed:true` and `user_confirmation`. New campaigns start paused. You get an AI copilot for Google Ads without pretending the model is a free pass on your budget.
12
12
 
13
- > **Money and residual risk:** once something is enabled or a budget goes up, Google can spend real money. Previews and yes/ok are guardrails, not a bank lock, MCP cannot force a human click, and a sloppy model could invent approval. Read the preview. If you would not hit Apply in the Google Ads UI, do not type yes here. See [About money](#about-money) and [SECURITY.md](SECURITY.md).
13
+ > **Money and residual risk:** once something is enabled or a budget goes up, Google can spend real money. Previews and yes/ok are guardrails, not a bank lock, MCP cannot force a human click, and a sloppy model could invent approval. Read the preview. If you would not hit Apply in the Google Ads UI, do not type yes here. See [Money and safety](#money-and-safety) and [SECURITY.md](SECURITY.md).
14
14
 
15
15
  ```
16
16
  You: How did my campaigns do last month?
@@ -23,6 +23,25 @@ You: yes
23
23
  AI: Created "Summer Sale" (PAUSED). It won't serve until you enable it.
24
24
  ```
25
25
 
26
+ ## Contents
27
+
28
+ - [Quick start](#quick-start)
29
+ - [What it can do](#what-it-can-do)
30
+ - [What this is not](#what-this-is-not)
31
+ - [Money and safety](#money-and-safety)
32
+ - [Add it to your AI harness](#add-it-to-your-ai-harness)
33
+ - [Credentials](#credentials) (and [Getting a refresh token](#getting-a-refresh-token-oauth-playground))
34
+ - [Configuration](#configuration) (and [all environment variables](#all-environment-variables))
35
+ - [Hosted, multi-user](#hosted-multi-user) (and [LibreChat on the same host](#librechat-on-the-same-host-no-public-url))
36
+ - [Tools](#tools)
37
+ - [Big reports and pagination](#big-reports-and-pagination)
38
+ - [Scheduled and unattended use](#scheduled-and-unattended-use)
39
+ - [Troubleshooting](#troubleshooting)
40
+ - [Notes](#notes)
41
+ - [Acknowledgments](#acknowledgments)
42
+ - [License](#license)
43
+ - [Contributing](#contributing)
44
+
26
45
  ## Quick start
27
46
 
28
47
  ```bash
@@ -40,16 +59,27 @@ cp .env.example .env # fill in values
40
59
  npm run dev:stdio # or: npm run dev:http
41
60
  ```
42
61
 
43
- Node **22.5+** is required (HTTP mode uses Node's built-in SQLite).
62
+ Node **22.5+** is required. There is no native build step and no database to run: HTTP mode uses Node's built-in SQLite, so `npx` just works.
44
63
 
45
64
  ## What it can do
46
65
 
47
66
  - **Reporting**: campaign performance, Search impression share, Performance Max asset groups, and raw GAQL for anything else. It looks up real field names first, so queries don't fail on guessed fields.
48
- - **Campaigns**: create Search, Display, Demand Gen, Video, App, Shopping, and Performance Max campaigns; rename, set dates and networks, pause and resume, set budgets and bidding strategies, and target by location, language, and schedule.
67
+ - **Campaigns**: create Search, Display, Demand Gen, App, Shopping, and Performance Max campaigns (use Demand Gen for YouTube; Google no longer lets the API create Video campaigns); rename, set dates and networks, pause and resume, set budgets and bidding strategies, and target by location, language, and schedule.
49
68
  - **Ad groups and ads**: manage ad groups and build ads per channel (responsive search, responsive display, HTML5, Demand Gen, video, app, shopping).
50
69
  - **Keywords**: list with quality score, add positive or negative keywords, change bids and status.
51
70
  - **Performance Max**: create asset groups from text and images, update or delete them, add more images, list and remove assets.
52
- - **Accounts**: check the connection, list the accounts you can reach, switch the active one, and read an audit trail of every change.
71
+ - **Accounts**: check the connection and list the accounts you can reach; on the hosted (HTTP) server, also switch the active account and read an audit trail of every change.
72
+
73
+ ### What it can't do
74
+
75
+ - **Conversion tracking.** Creating or editing conversion actions and importing offline conversions (it reads conversion metrics, but doesn't set them up).
76
+ - **Audiences and bid adjustments.** Remarketing or customer-match lists, audience targeting, and device, demographic, or audience bid modifiers. Targeting here is location, language, and ad schedule only.
77
+ - **Search ad assets / extensions.** Sitelinks, callouts, structured snippets, call, price, and promotion assets (Performance Max text and image assets are supported).
78
+ - **Account structure and budgets.** Creating customer accounts, managing an MCC hierarchy, or setting up billing and account-level budget orders.
79
+ - **Experiments, drafts, and recommendations.** A/B experiments, campaign drafts, and applying Google's optimization-score recommendations.
80
+ - **Shared library and labels.** Shared budgets, negative-keyword and placement-exclusion sets, and labels.
81
+ - **Keyword Planner.** Keyword ideas and traffic forecasts.
82
+ - **External links.** Merchant Center, Analytics, and YouTube account links (Shopping and Performance Max assume these already exist).
53
83
 
54
84
  ## What this is not
55
85
 
@@ -61,9 +91,9 @@ Node **22.5+** is required (HTTP mode uses Node's built-in SQLite).
61
91
 
62
92
  If you want a report in chat, a careful campaign draft, or help wiring keywords and P-Max assets with a human still holding the wheel, you are in the right place. If you want unsupervised budget AI, you are not.
63
93
 
64
- ## About money
94
+ ## Money and safety
65
95
 
66
- Reads never cost anything. Writes can.
96
+ Reads never cost anything. Writes can, and every write **previews first**: the model shows the exact values and asks you to type **yes** or **ok**; apply then requires `confirmed:true` and `user_confirmation` `"yes"` or `"ok"` (`REQUIRE_USER_CONFIRMATION`, default on).
67
97
 
68
98
  | Action | Money impact |
69
99
  |--------|----------------|
@@ -72,33 +102,18 @@ Reads never cost anything. Writes can.
72
102
  | Raise daily budget, change bids, enable a campaign or ad group | Can spend as soon as Google serves. |
73
103
  | Pause or remove | Stops or deletes serving; removes are permanent for that entity. |
74
104
 
75
- A few blunt habits that save people pain:
105
+ More guardrails: new campaigns and P-Max asset groups start **paused**; deletes show a clear warning first (also gated by `REQUIRE_USER_CONFIRMATION`); every applied change lands in a durable audit log; and HTTP mode rate-limits OAuth and `/mcp` per client IP (process-local, put a reverse proxy in front for multi-replica).
106
+
107
+ Habits that save pain:
76
108
 
77
109
  - Start on a **test or low-budget** account while you learn the tools.
78
110
  - Treat **yes** like approving a wire: skim the preview numbers (budget, bid, status) before you type it.
79
111
  - Prefer **PAUSED** creates, then enable only what you meant to turn on.
80
- - Shared budgets are shared, changing one campaign's budget can hit every campaign on that budget (the tools warn when they can).
81
- - Disabling chat confirm (`REQUIRE_USER_CONFIRMATION=false`) is for trusted automation only. On a live account with real spend, leave it on.
82
-
83
- You are responsible for the Google Ads account and any charges that come from it. This project is MIT software that talks to Google's API; it does not pay your media bill and it does not absorb mistakes.
84
-
85
- ## Safe by default
86
-
87
- - Reads never cost money. Reporting, lookups, and status checks are always free.
88
- - Every write **previews first**. The model must show you the values and ask you to type **yes** or **ok**. Apply requires `confirmed:true` and `user_confirmation` `"yes"` or `"ok"` (`REQUIRE_USER_CONFIRMATION`, default on).
89
- - New campaigns and Performance Max asset groups are created **paused**, so they never serve or spend until you turn them on.
90
- - Deletes show a clear warning before they run (gated by `REQUIRE_USER_CONFIRMATION`, default on).
91
- - Every applied change is recorded in a durable audit log.
92
- - HTTP mode rate-limits OAuth and `/mcp` per client IP (process-local; put a reverse proxy in front for multi-replica).
93
-
94
- Trusted headless automation only: set `REQUIRE_USER_CONFIRMATION=false` so one-shot `confirmed:true` works without a chat yes/ok. Do that only when you already trust the caller with the account.
95
-
96
- ## Requirements
112
+ - Shared budgets are shared: changing one campaign's budget can hit every campaign on that budget (the tools warn when they can).
97
113
 
98
- - Node 22.5 or newer.
99
- - Google Ads API credentials (see [Credentials](#credentials)).
114
+ `REQUIRE_USER_CONFIRMATION=false` disables the chat yes/ok so one-shot `confirmed:true` works, for trusted headless automation only. On a live account with real spend, leave it on.
100
115
 
101
- No native build step and no database to run: it uses Node's built-in SQLite, so `npx` just works.
116
+ You are responsible for the Google Ads account and any charges from it. This is MIT software that talks to Google's API; it does not pay your media bill and does not absorb mistakes.
102
117
 
103
118
  ## Add it to your AI harness
104
119
 
@@ -199,7 +214,7 @@ env = { GOOGLE_ADS_DEVELOPER_TOKEN = "...", GOOGLE_OAUTH_CLIENT_ID = "...", GOOG
199
214
 
200
215
  <br>
201
216
 
202
- LibreChat connects over HTTP and lets each user sign in with their own Google account, so you run the server yourself (see [Hosted, multi-user](#hosted-multi-user)) and point LibreChat at it. A ready-to-use `librechat.yaml` snippet ships in this repo:
217
+ LibreChat connects over HTTP and lets each user sign in with their own Google account, so you run the server yourself (see [Hosted, multi-user](#hosted-multi-user)) and point LibreChat at it:
203
218
 
204
219
  ```yaml
205
220
  mcpServers:
@@ -207,9 +222,15 @@ mcpServers:
207
222
  type: streamable-http
208
223
  url: "https://your-subdomain.example.com/mcp"
209
224
  startup: false
225
+ requiresOAuth: true
210
226
  ```
211
227
 
212
- `startup: false` matters: this server uses OAuth, so it should connect when a user first signs in, not at boot. Also add the host to `mcpSettings.allowedDomains` in `librechat.yaml`. Users then click Connect in chat and approve at Google. Nothing to paste.
228
+ Two settings matter:
229
+
230
+ - `requiresOAuth: true` declares this a per-user OAuth server. Without it, LibreChat tries to auto-detect OAuth by opening an unauthenticated connection to list tools, which always fails on an auth-walled server and fills your logs with `OAuth not supported in unauthenticated discovery` and repeated `Reinspection failed ... timeout`. The flag skips that probe and shows the sign-in prompt directly.
231
+ - `startup: false` connects on first use, not at boot, since there is no user to authorize at startup.
232
+
233
+ Also add the host to `mcpSettings.allowedDomains` in `librechat.yaml`. Users then click Connect in chat and approve at Google. Nothing to paste. To run LibreChat and this server on one machine with no public URL, see [LibreChat on the same host](#librechat-on-the-same-host-no-public-url).
213
234
  </details>
214
235
 
215
236
  <details>
@@ -259,17 +280,33 @@ Three values are always required, because they identify the app (not the user):
259
280
 
260
281
  For local (stdio) use, add one account's own credentials:
261
282
 
262
- - `GOOGLE_ADS_REFRESH_TOKEN`: a refresh token for a Google account with access to the ads account. You can mint one with the [OAuth 2.0 Playground](https://developers.google.com/oauthplayground) using the `https://www.googleapis.com/auth/adwords` scope.
263
- - `GOOGLE_ADS_CUSTOMER_ID`: the 10-digit account id, no dashes.
264
- - `GOOGLE_ADS_LOGIN_CUSTOMER_ID`: optional, set it to your manager (MCC) id if you access clients through a manager account.
283
+ - `GOOGLE_ADS_REFRESH_TOKEN`: a refresh token for a Google account with access to the ads account. See [Getting a refresh token](#getting-a-refresh-token-oauth-playground) below.
284
+ - `GOOGLE_ADS_CUSTOMER_ID`: the account you act on, 10 digits with no dashes. Its campaigns and reports are what you read and change.
285
+ - `GOOGLE_ADS_LOGIN_CUSTOMER_ID`: optional. The manager (MCC) account you reach that account *through*, if any.
286
+
287
+ These two trip everyone up, so plainly: `CUSTOMER_ID` is **which account to act on**, `LOGIN_CUSTOMER_ID` is **which manager to go through to reach it**. A manager (MCC) account holds no campaigns itself; it just grants access to the client accounts under it. So:
288
+
289
+ - Your Google user has **direct** access to the account (it shows as `[client]` in `google_ads_account list`): set `CUSTOMER_ID` to it and **leave `LOGIN_CUSTOMER_ID` empty**.
290
+ - You only reach the account **through a manager**: set `CUSTOMER_ID` to the client account and `LOGIN_CUSTOMER_ID` to that **manager's** id, never to the client id, and never to a manager that does not actually own the client (both cause `PERMISSION_DENIED`).
265
291
 
266
292
  Keep the OAuth app in the **In Production** publishing status. In Testing, refresh tokens expire after 7 days.
267
293
 
268
294
  For hosted (http) use you don't set a refresh token at all. Users authorize themselves in the browser and the server stores each token encrypted. See below.
269
295
 
296
+ ### Getting a refresh token (OAuth Playground)
297
+
298
+ For stdio mode you supply one account's refresh token. Two settings are what everyone gets wrong, so both steps below are required:
299
+
300
+ 1. **Add the Playground redirect to your OAuth client.** In Google Cloud Console, open your OAuth client (the one whose id and secret you use) under APIs & Services, then Credentials. Under **Authorized redirect URIs**, add `https://developers.google.com/oauthplayground` and save. Miss this and the Playground fails with `redirect_uri_mismatch`.
301
+ 2. **Use your own client in the Playground.** Open the [OAuth 2.0 Playground](https://developers.google.com/oauthplayground), click the **gear** (top right), check **Use your own OAuth credentials**, and paste the same client id and secret. Miss this and the token is minted for Google's demo client, which later fails with `unauthorized_client`.
302
+ 3. **Authorize the Ads scope.** In the left panel under "Input your own scopes", enter `https://www.googleapis.com/auth/adwords`, click **Authorize APIs**, and sign in with the Google account that can reach the ads account.
303
+ 4. **Exchange for the token.** Click **Exchange authorization code for tokens** and copy the `refresh_token` into `GOOGLE_ADS_REFRESH_TOKEN`.
304
+
305
+ A token works only when both are true: it was minted by *your* client (step 2) and *your* client permits the Playground redirect (step 1). The Playground redirect is only needed for minting, so you can remove it from the client afterward; it is separate from the `PUBLIC_BASE_URL/auth/callback` redirect that http mode registers.
306
+
270
307
  ## Configuration
271
308
 
272
- Everything is set through environment variables, and every setting can also be passed as a command-line flag (useful in a client's `args` or a launch command). The flag is the env var name, lowercased, with dashes for underscores:
309
+ Everything is set through environment variables. Every setting can also be passed as a command-line flag: the flag is the env var name, lowercased, with dashes for underscores. A bare `--flag` sets `true`, and `--no-flag` sets `false`. Flags are handy in a client's `args` or a launch command:
273
310
 
274
311
  ```bash
275
312
  npx -y @aligulzar729/google-ads-mcp \
@@ -278,20 +315,47 @@ npx -y @aligulzar729/google-ads-mcp \
278
315
  --no-require-user-confirmation # trusted automation only
279
316
  ```
280
317
 
281
- In a client config, add them to `args`:
282
-
283
318
  ```json
284
319
  "args": ["-y", "@aligulzar729/google-ads-mcp", "--app-name=Acme Ads"]
285
320
  ```
286
321
 
287
- | Setting | Env var (or flag) | Notes |
288
- |---------|-------------------|-------|
289
- | App name | `APP_NAME` / `--app-name` | shown on the OAuth consent and error pages |
290
- | Log level | `LOG_LEVEL` / `--log-level` | `debug`, `info`, `warn`, `error` |
291
- | Require confirmation | `REQUIRE_USER_CONFIRMATION` / `--no-require-user-confirmation` | default on; gates every write, including deletes; off only for trusted headless |
292
- | HTTP port | `PORT` / `--port` | default 3001 |
322
+ Prefer env vars for secrets: flags can show up in the process list.
293
323
 
294
- Credentials and keys (`GOOGLE_ADS_*`, `GOOGLE_OAUTH_*`, `TOKEN_ENC_KEY`) work as flags too, but prefer env vars for secrets: flags can show up in the process list.
324
+ ### All environment variables
325
+
326
+ **App identity, required in both modes.** These identify the app, not the user.
327
+
328
+ | Env var | Flag | Description |
329
+ |---------|------|-------------|
330
+ | `GOOGLE_ADS_DEVELOPER_TOKEN` | `--google-ads-developer-token` | Google Ads API developer token, from your manager account API Center. |
331
+ | `GOOGLE_OAUTH_CLIENT_ID` | `--google-oauth-client-id` | OAuth client id from a Google Cloud project with the Google Ads API enabled. |
332
+ | `GOOGLE_OAUTH_CLIENT_SECRET` | `--google-oauth-client-secret` | OAuth client secret. |
333
+
334
+ **Behavior, both modes.**
335
+
336
+ | Env var | Flag | Default | Description |
337
+ |---------|------|---------|-------------|
338
+ | `APP_NAME` | `--app-name` | `Google Ads MCP` | Name shown on the OAuth consent and error pages. |
339
+ | `LOG_LEVEL` | `--log-level` | `info` | `debug`, `info`, `warn`, or `error`. |
340
+ | `REQUIRE_USER_CONFIRMATION` | `--no-require-user-confirmation` | on | Gates every write, including deletes. Turn off only for trusted headless automation. |
341
+
342
+ **stdio mode, single user.** One account's own credentials.
343
+
344
+ | Env var | Flag | Default | Description |
345
+ |---------|------|---------|-------------|
346
+ | `GOOGLE_ADS_REFRESH_TOKEN` | `--google-ads-refresh-token` | empty | Refresh token for a Google account with access to the ads account. See [Getting a refresh token](#getting-a-refresh-token-oauth-playground). |
347
+ | `GOOGLE_ADS_CUSTOMER_ID` | `--google-ads-customer-id` | empty | The account to act on (10 digits, no dashes). |
348
+ | `GOOGLE_ADS_LOGIN_CUSTOMER_ID` | `--google-ads-login-customer-id` | empty | The manager (MCC) to reach it through; leave empty for direct access. See [Credentials](#credentials). |
349
+
350
+ **http mode, hosted and multi-user.** Per-user credentials come from each user's browser sign-in, so you do not set a refresh token here.
351
+
352
+ | Env var | Flag | Default | Description |
353
+ |---------|------|---------|-------------|
354
+ | `PORT` | `--port` | `3001` | Listen port. |
355
+ | `PUBLIC_BASE_URL` | `--public-base-url` | required | Public base URL of this instance. Register `PUBLIC_BASE_URL/auth/callback` as a redirect URI on the Google OAuth client. |
356
+ | `TOKEN_ENC_KEY` | `--token-enc-key` | required | 32-byte base64 key (`openssl rand -base64 32`) that encrypts stored refresh tokens. Keep it stable and secret. |
357
+ | `ALLOWED_REDIRECT_ORIGINS` | `--allowed-redirect-origins` | required | Comma-separated allowlist of client origins allowed to complete the OAuth flow, for example `https://chat.example.com`. |
358
+ | `AUDIT_DB_PATH` | `--audit-db-path` | `./data/audit.db` | Where the audit log and encrypted authorizations live. Mount a volume so it survives restarts. |
295
359
 
296
360
  ## Hosted, multi-user
297
361
 
@@ -303,13 +367,7 @@ Run it (behind HTTPS, on its own subdomain):
303
367
  npx -y @aligulzar729/google-ads-mcp --http
304
368
  ```
305
369
 
306
- Extra environment it needs in this mode:
307
-
308
- - `TOKEN_ENC_KEY`: 32-byte base64 key that encrypts stored refresh tokens. Generate with `openssl rand -base64 32`. Keep it stable and secret; rotating it invalidates every stored authorization.
309
- - `PUBLIC_BASE_URL`: the public HTTPS base URL of this instance, for example `https://ads.example.com`. Register `${PUBLIC_BASE_URL}/auth/callback` as a redirect URI on your Google OAuth client.
310
- - `ALLOWED_REDIRECT_ORIGINS`: comma-separated allowlist of client origins allowed to complete the OAuth flow, for example `https://chat.example.com`. This is what stops a phished authorize link from delivering a code to an attacker.
311
- - `PORT`: defaults to 3001.
312
- - `AUDIT_DB_PATH`: where the audit log and encrypted authorizations live. Mount a volume so it survives restarts.
370
+ Beyond the shared app credentials, this mode needs `TOKEN_ENC_KEY`, `PUBLIC_BASE_URL`, and `ALLOWED_REDIRECT_ORIGINS`, plus optional `PORT` and `AUDIT_DB_PATH` (see [All environment variables](#all-environment-variables)). Two things worth calling out: register `PUBLIC_BASE_URL/auth/callback` as a redirect URI on your Google OAuth client, and `ALLOWED_REDIRECT_ORIGINS` is the allowlist that stops a phished authorize link from delivering a code to an attacker.
313
371
 
314
372
  A `Dockerfile` and `docker-compose.yml` are included for a container deployment.
315
373
 
@@ -326,6 +384,47 @@ curl -sS http://127.0.0.1:3001/healthz
326
384
 
327
385
  Point your reverse proxy (TLS) at `127.0.0.1:3001`. The **whole subdomain** must reach this container: OAuth discovery, `/authorize`, `/token`, and `/mcp` all live on the same host (`PUBLIC_BASE_URL`). Back up the `ads_data` volume (audit log + encrypted authorizations).
328
386
 
387
+ ### LibreChat on the same host (no public URL)
388
+
389
+ To run LibreChat and this server on one machine over plain HTTP, with no public domain or TLS, run this server as a sidecar that shares the LibreChat api container's network namespace. That makes `http://localhost:3001` the same address for both your browser and LibreChat's backend, and Google allows `http://localhost` as the one non-HTTPS OAuth redirect, so sign-in works without a certificate.
390
+
391
+ Add to LibreChat's `docker-compose.override.yml`:
392
+
393
+ ```yaml
394
+ services:
395
+ api:
396
+ ports:
397
+ - "3001:3001" # expose the sidecar to your browser
398
+ google-ads-mcp:
399
+ image: node:24-bookworm-slim
400
+ command: ["npx", "-y", "@aligulzar729/google-ads-mcp", "--http"]
401
+ network_mode: "service:api" # share the api netns: one localhost for browser and backend
402
+ depends_on:
403
+ - api
404
+ environment:
405
+ PORT: "3001"
406
+ PUBLIC_BASE_URL: "http://localhost:3001"
407
+ ALLOWED_REDIRECT_ORIGINS: "http://localhost:3080" # your LibreChat origin
408
+ GOOGLE_ADS_DEVELOPER_TOKEN: ${GOOGLE_ADS_DEVELOPER_TOKEN}
409
+ GOOGLE_OAUTH_CLIENT_ID: ${GOOGLE_OAUTH_CLIENT_ID}
410
+ GOOGLE_OAUTH_CLIENT_SECRET: ${GOOGLE_OAUTH_CLIENT_SECRET}
411
+ TOKEN_ENC_KEY: ${TOKEN_ENC_KEY}
412
+ AUDIT_DB_PATH: /app/data/audit.db
413
+ volumes:
414
+ - ads_data:/app/data
415
+ volumes:
416
+ ads_data:
417
+ ```
418
+
419
+ Then:
420
+
421
+ - Point the LibreChat entry at `url: "http://localhost:3001/mcp"` with `requiresOAuth: true` (see [LibreChat](#add-it-to-your-ai-harness) above), and keep `localhost` in `mcpSettings.allowedDomains`.
422
+ - Register `http://localhost:3001/auth/callback` as a redirect URI on the Google OAuth client.
423
+ - Sign in from Chrome or Firefox: the consent cookie is `Secure`, and those treat `localhost` as a secure context. Safari may refuse it.
424
+ - The sidecar shares the api container's network, so recreate both together after changes: `docker compose up -d --force-recreate api google-ads-mcp`.
425
+
426
+ Publish the OAuth app to In Production so per-user tokens do not expire after 7 days.
427
+
329
428
  ## Tools
330
429
 
331
430
  Seven tools, each takes an `action`:
@@ -365,12 +464,16 @@ Reporting is read-only and retried, so it's reliable for cron and scheduled jobs
365
464
  | Symptom | What to try |
366
465
  |---------|-------------|
367
466
  | Refresh token dies after ~7 days | OAuth app is still in **Testing**. Publish it to **In Production**. |
368
- | `PERMISSION_DENIED` / empty account list | User lacks access to that customer id; or set `GOOGLE_ADS_LOGIN_CUSTOMER_ID` to the MCC id when accessing clients through a manager. |
467
+ | `PERMISSION_DENIED` / "set login-customer-id" | `GOOGLE_ADS_LOGIN_CUSTOMER_ID` is only for reaching a client *through a manager*. For an account you access directly (it shows as `[client]` in `account list`), leave it empty. Setting a manager you do not reach that client through, or setting one at all when none is needed, causes this error. If it is still denied, the login genuinely lacks access to that customer id. |
468
+ | `unauthorized_client` on token exchange | The refresh token was minted by a different OAuth client than `GOOGLE_OAUTH_CLIENT_ID`. Re-mint it with that exact client (in the OAuth Playground, check "Use your own OAuth credentials" first). |
369
469
  | Quota / rate errors | Developer token may need **Standard Access**. Reads are retried with backoff. |
370
470
  | "user_confirmation" / confirmed rejected | Call once without `confirmed` to preview, ask the user to type yes or ok, then re-call with `confirmed:true` and `user_confirmation:"yes"` (or `"ok"`). |
371
471
  | "not connected" / reconnect message | Refresh token revoked; re-auth (HTTP) or mint a new refresh token (stdio). |
372
472
  | HTTP container exits on boot | Missing `TOKEN_ENC_KEY`, `PUBLIC_BASE_URL`, or `ALLOWED_REDIRECT_ORIGINS`. Check logs. |
373
- | OAuth works but LibreChat never connects | `startup: false` on the MCP server entry; host in `allowedDomains`; URL must be the public `/mcp` path. |
473
+ | OAuth works but LibreChat never connects | Set `requiresOAuth: true` and `startup: false` on the MCP entry, add the host to `allowedDomains`, and point `url` at the public `/mcp` path. |
474
+ | LibreChat logs `OAuth not supported in unauthenticated discovery` or repeated `Reinspection failed ... timeout` | Missing `requiresOAuth: true`. LibreChat is probing the server without auth to list tools, which always fails on an OAuth server. The flag silences the probe and shows the sign-in prompt directly. |
475
+ | Stale connection after changing the server URL under the same name | LibreChat caches OAuth tokens per server name. Reconnect, or clear its cached tokens for that server, so it registers fresh against the new backend. |
476
+ | Google returns `redirect_uri_mismatch` mid sign-in | `PUBLIC_BASE_URL/auth/callback` is not registered on the OAuth client. For localhost that is `http://localhost:3001/auth/callback`. |
374
477
 
375
478
  ## Notes
376
479
 
package/dist/index.js CHANGED
@@ -1995,7 +1995,7 @@ var metadataHandler = {
1995
1995
  // src/tools/orchestrators/report.ts
1996
1996
  var reportTool = defineOrchestrator({
1997
1997
  name: "google_ads_report",
1998
- purpose: "Read Google Ads performance. Prefer a curated action: campaign_performance for any channel, impression_share for Search visibility (the Average Position replacement), or asset_group for Performance Max. For anything else, daily or weekly trends, keyword or search-term views, custom field combinations, use gaql after calling metadata first.",
1998
+ purpose: 'Read Google Ads performance. Prefer a curated action: campaign_performance for any channel, impression_share for Search visibility (the Average Position replacement), or asset_group for Performance Max. For anything else, daily or weekly trends, keyword or search-term views, custom field combinations, use gaql after calling metadata first. Resource hints for less obvious asks: "cart / basket value / cross-sell sales" -> cart_data_sales_view ; "iOS vs Android breakdown" -> add the segment segments.mobile_device_platform. Always call metadata on a resource before querying it to get its exact field names.',
1999
1999
  limitations: "Read-only. ROAS is computed as conversion value divided by cost. Average Position does not exist; use action impression_share instead. impression_share only applies to Search campaigns; asset_group only applies to Performance Max. Curated reports already format values, but in raw gaql results, money fields are in micros (divide by 1,000,000) and rates (metrics.ctr, conversion rate, impression share) are ratios from 0 to 1. For gaql, do not guess field names: call metadata first to get the exact selectable, filterable, and sortable fields plus compatible metrics and segments, then use those names verbatim.",
2000
2000
  examples: [
2001
2001
  '{"action":"campaign_performance","date_range":"LAST_30_DAYS"}',
@@ -2063,7 +2063,7 @@ function langId(s) {
2063
2063
  // src/tools/handlers/campaign/create.ts
2064
2064
  var schema10 = z13.object({
2065
2065
  name: z13.string().min(1).max(255),
2066
- channel_type: z13.enum(["SEARCH", "PERFORMANCE_MAX", "DISPLAY", "DEMAND_GEN", "VIDEO", "APP", "SHOPPING"]),
2066
+ channel_type: z13.enum(["SEARCH", "PERFORMANCE_MAX", "DISPLAY", "DEMAND_GEN", "APP", "SHOPPING"]),
2067
2067
  daily_budget: z13.number().positive().describe("Daily amount in account currency (e.g. 50 = 50.00/day)"),
2068
2068
  bidding: z13.enum(BIDDING).default("MAXIMIZE_CONVERSIONS"),
2069
2069
  target_cpa: z13.number().positive().optional().describe("Target CPA in account currency (TARGET_CPA / MAXIMIZE_CONVERSIONS)"),
@@ -2077,7 +2077,7 @@ var schema10 = z13.object({
2077
2077
  });
2078
2078
  var createHandler = {
2079
2079
  action: "create",
2080
- summary: "Create a campaign plus its daily budget, atomically. channel_type: SEARCH, DISPLAY, DEMAND_GEN, VIDEO, PERFORMANCE_MAX, APP (needs app_id + app_store, TARGET_CPA bidding), or SHOPPING (needs merchant_id from a linked Merchant Center). Created PAUSED. Preview first (omit confirmed). Then ask the user to type yes or ok in chat; only after that re-call with confirmed:true and user_confirmation yes|ok.",
2080
+ summary: "Create a campaign plus its daily budget, atomically. channel_type: SEARCH, DISPLAY, DEMAND_GEN (use this for YouTube; Google no longer lets the API create Video campaigns), PERFORMANCE_MAX, APP (needs app_id + app_store, TARGET_CPA bidding), or SHOPPING (needs merchant_id from a linked Merchant Center). Created PAUSED. Preview first (omit confirmed). Then ask the user to type yes or ok in chat; only after that re-call with confirmed:true and user_confirmation yes|ok.",
2081
2081
  readOnly: false,
2082
2082
  category: "mutate",
2083
2083
  schema: schema10,
@@ -2102,9 +2102,6 @@ Ask the user, then call create again with brand_guidelines_enabled set to true o
2102
2102
  if (params.channel_type === "DEMAND_GEN" && params.bidding === "MANUAL_CPC") {
2103
2103
  throw new Error("Demand Gen requires automated bidding (not MANUAL_CPC): use MAXIMIZE_CONVERSIONS, TARGET_CPA, MAXIMIZE_CONVERSION_VALUE, or TARGET_ROAS.");
2104
2104
  }
2105
- if (params.channel_type === "VIDEO" && params.bidding !== "MAXIMIZE_CONVERSIONS" && params.bidding !== "TARGET_CPA") {
2106
- throw new Error("A Video Action campaign requires automated bidding (MAXIMIZE_CONVERSIONS or TARGET_CPA), not MANUAL_CPC.");
2107
- }
2108
2105
  if (params.channel_type === "APP") {
2109
2106
  if (!params.app_id) throw new Error("app_id is required for an App campaign (the Android package name or numeric iOS App Store id).");
2110
2107
  if (!params.app_store) throw new Error("app_store is required for an App campaign (GOOGLE_APP_STORE or APPLE_APP_STORE).");
@@ -2119,7 +2116,6 @@ Ask the user, then call create again with brand_guidelines_enabled set to true o
2119
2116
  SEARCH: enums3.AdvertisingChannelType.SEARCH,
2120
2117
  DISPLAY: enums3.AdvertisingChannelType.DISPLAY,
2121
2118
  DEMAND_GEN: enums3.AdvertisingChannelType.DEMAND_GEN,
2122
- VIDEO: enums3.AdvertisingChannelType.VIDEO,
2123
2119
  PERFORMANCE_MAX: enums3.AdvertisingChannelType.PERFORMANCE_MAX,
2124
2120
  SHOPPING: enums3.AdvertisingChannelType.SHOPPING,
2125
2121
  APP: enums3.AdvertisingChannelType.MULTI_CHANNEL
@@ -2139,8 +2135,6 @@ Ask the user, then call create again with brand_guidelines_enabled set to true o
2139
2135
  campaign.network_settings = { target_google_search: true, target_search_network: true };
2140
2136
  } else if (params.channel_type === "DISPLAY") {
2141
2137
  campaign.network_settings = { target_content_network: true };
2142
- } else if (params.channel_type === "VIDEO") {
2143
- campaign.advertising_channel_sub_type = enums3.AdvertisingChannelSubType.VIDEO_ACTION;
2144
2138
  } else if (params.channel_type === "APP") {
2145
2139
  campaign.advertising_channel_sub_type = enums3.AdvertisingChannelSubType.APP_CAMPAIGN;
2146
2140
  campaign.app_campaign_setting = {
@@ -2183,7 +2177,6 @@ Ask the user, then call create again with brand_guidelines_enabled set to true o
2183
2177
  PERFORMANCE_MAX: "\nNext: add an asset group before enabling, a P-MAX campaign needs assets to serve.",
2184
2178
  DISPLAY: "\nNext: add an ad group, then a responsive display ad (add_ad ad_type RESPONSIVE_DISPLAY_AD) or an HTML5 ad, then enable the campaign.",
2185
2179
  DEMAND_GEN: "\nNext: add an ad group, then a Demand Gen ad (add_ad ad_type DEMAND_GEN_MULTI_ASSET), then enable the campaign.",
2186
- VIDEO: "\nNext: add an ad group, then a responsive video ad (add_ad ad_type VIDEO_RESPONSIVE with a YouTube video), then enable the campaign.",
2187
2180
  APP: "\nNext: App campaigns auto-create an ad group, find it with ad_group list_ads (or a report), add an app ad (add_ad ad_type APP), then enable the campaign.",
2188
2181
  SHOPPING: "\nNext: add an ad group, then a product ad (add_ad ad_type SHOPPING_PRODUCT). Products serve from the linked Merchant Center feed, make sure Merchant Center is linked.",
2189
2182
  SEARCH: "\nNext: add an ad group and a responsive search ad, then enable the campaign."
@@ -2481,7 +2474,7 @@ var targetingHandler = {
2481
2474
  var campaignTool = defineOrchestrator({
2482
2475
  name: "google_ads_campaign",
2483
2476
  purpose: "Create and manage campaigns. create builds a new one for Search, Display, Demand Gen, App, Shopping, or Performance Max (for YouTube, use DEMAND_GEN, not VIDEO). update renames it or changes its dates and network settings. status pauses or resumes it. budget sets the daily budget. bidding sets the bidding strategy. targeting sets location, language, and schedule.",
2484
- limitations: "Every write previews first; then the user must type yes or ok in chat before confirmed:true + user_confirmation. New campaigns are created PAUSED. All edits here are in-place updates, not delete-and-recreate. Use the right action: update for name, dates, and networks; status for pause or resume; budget for the daily budget; bidding for the strategy; targeting for locations, languages, and schedule. Get campaign_id from report. Performance Max, Demand Gen, and Video all require automated bidding. App needs app_id, app_store, and TARGET_CPA bidding. Shopping needs a merchant_id from a linked Merchant Center account. VIDEO campaigns can no longer be created through the API (Google sunset Video Action campaigns for Demand Gen), so use DEMAND_GEN for YouTube instead. Location and language are numeric ids, so resolve names with google_ads_lookup first.",
2477
+ limitations: "Every write previews first; then the user must type yes or ok in chat before confirmed:true + user_confirmation. New campaigns are created PAUSED. All edits here are in-place updates, not delete-and-recreate. Use the right action: update for name, dates, and networks; status for pause or resume; budget for the daily budget; bidding for the strategy; targeting for locations, languages, and schedule. Get campaign_id from report. Performance Max and Demand Gen require automated bidding. App needs app_id, app_store, and TARGET_CPA bidding. Shopping needs a merchant_id from a linked Merchant Center account. VIDEO campaigns can no longer be created through the API (Google sunset Video Action campaigns for Demand Gen), so use DEMAND_GEN for YouTube instead. Location and language are numeric ids, so resolve names with google_ads_lookup first.",
2485
2478
  examples: [
2486
2479
  '{"action":"create","name":"Brand - Search","channel_type":"SEARCH","daily_budget":50,"bidding":"MAXIMIZE_CONVERSIONS"}',
2487
2480
  '{"action":"create","name":"App - Installs","channel_type":"APP","daily_budget":50,"bidding":"TARGET_CPA","target_cpa":3,"app_id":"com.example.app","app_store":"GOOGLE_APP_STORE"}',
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@aligulzar729/google-ads-mcp",
3
- "version": "0.2.0",
3
+ "version": "0.3.0",
4
4
  "description": "Manage Google Ads from Claude, Codex, LibreChat, or any MCP client. Natural-language reporting plus guarded campaign, keyword, and Performance Max operations.",
5
5
  "type": "module",
6
6
  "bin": {
@@ -51,22 +51,22 @@
51
51
  "access": "public"
52
52
  },
53
53
  "dependencies": {
54
- "@hono/node-server": "^1.19.12",
54
+ "@hono/node-server": "^2.0.8",
55
55
  "@modelcontextprotocol/sdk": "^1.29.0",
56
- "google-ads-api": "^23.0.0",
56
+ "google-ads-api": "^24.1.0",
57
57
  "google-auth-library": "^9.15.0",
58
58
  "hono": "^4.12.28",
59
59
  "zod": "^4.4.3"
60
60
  },
61
61
  "devDependencies": {
62
62
  "@eslint/js": "^10.0.1",
63
- "@types/node": "^22.10.0",
63
+ "@types/node": "^26.1.1",
64
64
  "eslint": "^10.6.0",
65
65
  "globals": "^17.7.0",
66
66
  "tsup": "^8.3.5",
67
67
  "tsx": "^4.23.0",
68
- "typescript": "^5.7.2",
68
+ "typescript": "~6.0.3",
69
69
  "typescript-eslint": "^8.63.0",
70
- "vitest": "^2.1.8"
70
+ "vitest": "^4.1.10"
71
71
  }
72
72
  }