Google Analytics Embed API: How to retireve access token?

Question

I've used the code provided in this question to gain access to the Google Analytics Embed API. I want to display the statistics from my website without the need for users with the correct privileges to log in (so no login screen).

For that reason, I've created a service account and saved the p12 file. However, the following code displays an empty page.

<!DOCTYPE html>
<html>
<head>
  <title>Embed API Demo</title>
</head>
<body>

<section id="timeline"></section>

<script>
(function(w,d,s,g,js,fjs){
  g=w.gapi||(w.gapi={});g.analytics={q:[],ready:function(cb){this.q.push(cb)}};
  js=d.createElement(s);fjs=d.getElementsByTagName(s)[0];
  js.src='https://apis.google.com/js/platform.js';
  fjs.parentNode.insertBefore(js,fjs);js.onload=function(){g.load('analytics')};
}(window,document,'script'));
</script>

<script>
gapi.analytics.ready(function() {

  var IDS = 'ga:XXXX'; // I've hidden my personal ID for security purposes
  var ACCESS_TOKEN = 'key.p12'; // obtained from your service account

  gapi.analytics.auth.authorize({
    serverAuth: {
      access_token: ACCESS_TOKEN
    }
  });

  var timeline = new gapi.analytics.googleCharts.DataChart({
    reportType: 'ga',
    query: {
      'ids': IDS,
      'dimensions': 'ga:date',
      'metrics': 'ga:sessions',
      'start-date': '30daysAgo',
      'end-date': 'yesterday',
    },
    chart: {
      type: 'LINE',
      container: 'timeline'
    }
  }).execute();

});
</script>
</body>
</html>

Maybe the Access Token shouldn't be the p12 file? But if so, what should it be? I'm really lost.

the embeded api is javascript you cant use a service account with Javascript. — Linda Lawton - DaImTo, Jan 21 '15 at 18:12
Well that's a shame. So there's no way to use both the Embed API and a Service Account? Maybe with a PHP version of the Embed API? — TheLeonKing, Jan 21 '15 at 19:59

score 3 · Answer 1 · answered Jan 21 '15 at 21:05

3

You can absolutely use a service account with the Embed API. The trick is getting an access token from the .p12 file, but once you have a valid access token, your code will work just fine.

I've just verified this myself. Here are the steps I took:

I created a service account, and then I followed the steps listed on the google-oauth-jwt node module documentation page to get an access token. (If you're not using Node.js, just do a Google search for how this works in other languages, this devguide describes the process for PHP.)

I converted the .p12 file to a .pem file (required to work with Node) with this command:

openssl pkcs12 -in downloaded-key-file.p12 -out your-key-file.pem -nodes

I ran the following Node program to get an access token from the .pem file:

var googleAuth = require('google-oauth-jwt');
var authOptions = {
  email: 'my-service-account@developer.gserviceaccount.com',
  keyFile: './key.pem',
  scopes: ['https://www.googleapis.com/auth/analytics']
};

googleAuth.authenticate(authOptions, function (err, token) {
  console.log(token);
});

Once I had the access token, I just substituted it into the code you have in your questions, fired up a local server, and everything worked just fine.

answered Jan 21 '15 at 21:05

Philip Walton

29,693
16
60
84

You don't see this as a security risk? – Linda Lawton - DaImTo Jan 22 '15 at 07:50
The only thing that needs to be a secret is the .pem file, so as long as that's securely stored on the server, it shouldn't be a problem. Access tokens are often exposed on the client, which is why they expire after an hour. – Philip Walton Jan 22 '15 at 15:04
Many thanks for your answer! Unfortunately, when I try to run the Node program, I get the error: "Error: Cannot find module 'google-oauth-jwt'". Do you know how to fix this? – TheLeonKing Jan 23 '15 at 11:44
You have to install that module. You can run `npm install google-oauth-jwt`. – Philip Walton Jan 23 '15 at 17:52
@PhilipWalton Thanks! I've managed to gain a 83-key Access Token using the way you described (ya29.XX-XX), but when I substitute it into the code provided above and enter my Google Analytics ID, I still get a blank page :-( – TheLeonKing Jan 28 '15 at 10:49
Are you looking at the JavaScript errors in the developer console? Because that should tell you what's wrong. – Philip Walton Jan 28 '15 at 17:32
@PhilipWalton Good idea. I get the following error, maybe it indicates my credentials are still incorrect? Would be strange though, I've done everything the way I'm supposed to. GET https://content.googleapis.com/analytics/v3/metadata/ga/columns?embedApiVersion=v1 401 (Unauthorized) – TheLeonKing Feb 01 '15 at 10:20

Google Analytics Embed API: How to retireve access token?

1 Answers1

Linked