Getting "Domain cannot use apis" when using Google Admin SDK Directory API

Asked 26/7, 2013 at 18:42 Answered 21/5, 2014 at 15:4

I'm trying to use the Admin SDK Directory API, specifically to retrieve user info as detailed by the Users: get endpoint.

I have requested the following permissions when oauthing

https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.user.readonly

However, when I make the request to get info on a particular user, I get the following response:

HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=UTF-8
Date: Fri, 26 Jul 2013 18:25:29 GMT
Expires: Fri, 26 Jul 2013 18:25:29 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Transfer-Encoding: chunked

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "domainCannotUseApis",
    "message": "Domain cannot use apis."
   }
  ],
  "code": 403,
  "message": "Domain cannot use apis."
 }
}

I have enabled the Admin SDK in the API Console.

I have tried this on a Google Apps Standard (Free) Edition and also a Google Apps for Nonprofits Edition and get the same error. Does the Admin SDK Directory API require a Google Apps for Business Account?

Megalith answered 26/7, 2013 at 18:42 Comment(0)

You need to enable the administrative APIs in the G Suite Control Panel.

Bryozoan answered 26/7, 2013 at 19:17 Comment(1)

Thank you, this worked. After receiving your help, I finally did notice that this is clearly pointed out to the observant reader in the Directory API: Prerequisites. I fail = ( – Megalith 27/7, 2013 at 1:1

I am confused. Does it mean that if our App is listed in the Google Apps Marketplace, domains who install our App still have to manually enable the administrative API?

Irtysh answered 21/5, 2014 at 15:4 Comment(5)

This indeed is kind of weird – Iridium 14/7, 2014 at 9:26

Correct. There used to be an exception carved ou for marketplace apps to get read-only access to the old user feed, but that's no longer in place. I'll file a feature request. – Undeniable 26/8, 2014 at 21:33

Yeah, this is incredibly annoying and makes for a horrible UX! After granting permissions to our app, I'm going to have to detect this error and show an error message explaining how to turn this on. Even though all I need is read-only GET users! Crappy. @SteveBazyl did you make a feature request? – Fieldstone 2/9, 2014 at 19:29

@SteveBazyl, thanks for the clarification on this. I was finally able to get an impersonated service account working by 1) manually enabling the admin API access, 2) enabling the consumer key, and 3) authorizing the service account with the necessary scopes in the target domains admin panel. Having said that, this is a terrible experience for our customers and a regression from the previous marketplace experience. Can you please post back once you have the feature request logged so we can vote on it? – Alliteration 3/9, 2014 at 20:1

I am sure many others are in the same boat. Every client who wants to run my application has to jump through quite a few hurdles just to use my product. Will probably make them think twice about using my product. :-( – Prostatectomy 28/10, 2015 at 18:51

Recommended topics

Hot tags