Google Photos: 403: PERMISSION_DENIED - Request had insufficient authentication scopes

Questions
1

Hey Makers, I’m receiving an error from the Google Photos “Create an album” module.

403: PERMISSION_DENIED - Request had insufficient authentication scopes.

image
image611×663 52.9 KB

I re-authenticated the connection, this didn’t fix it. Any ideas?

1 Like
How to obtain a Google Photos album ID
2

Did you enable all scopes and used your own custom Google OAuth app?

How to Connect and Use Google APIs in Make!

0. Prerequisites

1. Enable Google APIs

2. OAuth Client

Direct Link: https://console.cloud.google.com/apis/credentials

  • 2a. Create “OAuth client ID” Credentials

    455×206 15.2 KB

  • 2b. Insert all the Google Redirect URIs for your app

    302×200 7.32 KB

    Insert All Google Redirect URIs

    Here are some commonly-needed redirect URIs you need for your Google Cloud Console OAuth app. If you set these up, you can reuse the same GCP app for other Google apps and modules on Make.

    https://www.make.com/oauth/cb/oauth2
https://www.make.com/oauth/cb/google
https://www.make.com/oauth/cb/google/
https://www.make.com/oauth/cb/google-custom
https://www.make.com/oauth/cb/google-restricted
https://www.make.com/oauth/cb/google-cloud-speech
https://www.make.com/oauth/cb/google-search-console
https://www.make.com/oauth/cb/google-analytics-4
https://www.make.com/oauth/cb/google-ads2
https://www.make.com/oauth/cb/google-ads2/
https://www.make.com/oauth/cb/youtube
https://www.make.com/oauth/cb/chrome

    Including These Google Redirect URIs

    You are also required to insert the legacy URLs below from the old Integromat system that not been migrated to Make yet (same as the above list, but replace “make” with “integromat”):

    https://www.integromat.com/oauth/cb/oauth2
https://www.integromat.com/oauth/cb/google
https://www.integromat.com/oauth/cb/google/
https://www.integromat.com/oauth/cb/google-custom
https://www.integromat.com/oauth/cb/google-restricted
https://www.integromat.com/oauth/cb/google-cloud-speech
https://www.integromat.com/oauth/cb/google-search-console
https://www.integromat.com/oauth/cb/google-analytics-4
https://www.integromat.com/oauth/cb/google-ads2
https://www.integromat.com/oauth/cb/google-ads2/
https://www.integromat.com/oauth/cb/youtube
https://www.integromat.com/oauth/cb/chrome

    Note 1: Due to inconsistencies in Make’s implementation of the connections, there are two separate entries where has one is google and another ending in a forward slash google/ - you might need one or the other, so we have to use both!

    Note 2: Once you’ve set these up, you can use/reuse the same Google OAuth App ID + Secret for all the supported Google connections and modules on Make - you’ll just have to enable the relevant Google APIs!

3. OAuth consent screen

Direct Link: https://console.cloud.google.com/apis/credentials/consent/edit

  • 3a. Insert Two Authorised Domains

    • Insert make.com and integromat.com

    • Fill in other required fields

    • Click “Save and Continue”.

      390×301 14.1 KB

  • 3b. Add All Scopes

    • Click “Add or Remove Scopes”

    • Select 100 “Rows per page”, for each page, check all the rows, OR

    • Manually type in the scopes you need

    • Click “Update” at the bottom

    1476×1156 182 KB

  • 3c. Step through and go to dashboard

    At the last step/page, click “BACK TO DASHBOARD” instead of “Prepare for Verification”

  • 3d. Publish your GCP OAuth2 app

    You will need to set your OAuth application to “Production”, otherwise the credentials expire very frequently.

    • To do this, go back to “OAuth consent screen

    • Then click the “PUBLISH APP” button

    • Then click the “CONFIRM” button

    479×206 9.36 KB

4. Create New Connection (HTTP, or respective Google module)

You can find the Client ID and Client Secret in the OAuth2 app you created in GCP, on the right-hand side of where you inserted the callback URLs in step 2:

471×488 18.6 KB

  • 4a. Specific Google module (Sheets, Docs, Drive, Gmail, etc.)

    Insert the GCP app client ID and secret here BEFORE clicking “Sign in”

    (Gmail example)

    525×643 65.1 KB

    OR,

  • 4b. HTTP OAuth 2.0 Request module

    708×401 44.2 KB

    You need a “Authorize Parameters” key of redirect_uri with the above Make OAuth2 callback URL.

    597×904 61.2 KB

Related Topics:

Hope this helps! Let me know if there are any further questions or issues.

@samliew

1 Like
3

Thanks for looking into this and your feedback. Has this become necassary even for ready-made modules? My understanding was that this is limited to custom use cases.

I’m not using a custom app or HTTP module to call onto the Google Photos API, but Make’s native Google Photos module. This was working fine until a few days ago and started throwing an error recently.

Thanks again for your help with this,
Ricardo

2 Likes
4

I have the exact same problem. Since today it throws me the same error message, even though I didn’t change anything, and it worked the same for years. I also tried your instructions, but it didn’t help. Has anything changed in Make or Google?

5

I’m guessing it may be related to updates to the Google Photos APIs. Updates to the Google Photos APIs  |  Google for Developers

6

I’ve managed to run the module after setting up the connection again.

Screenshot 2025-05-13 173847
Screenshot 2025-05-13 173847896×478 49.5 KB

Hope this helps! Let me know if there are any further questions or issues. P.S.: investing some effort into the tutorials in the Make Academy will save you lots of time and frustration using Make!

@samliew

7

H​i,
thanks for the advice. This really won’t do - I’ve tried this, including a new ID from google​ and new connection, a new scenario ​etc. and always the same error.

I’m guessing that there has been an api change in google and now the make modules are not working.
https://developers.google.com/photos/support/updates​

Snímek obrazovky 2025-05-13 v 15.43.42
Snímek obrazovky 2025-05-13 v 15.43.421568×1404 367 KB

Snímek obrazovky 2025-05-13 v 15.44.13
Snímek obrazovky 2025-05-13 v 15.44.131606×1278 328 KB

1 Like
8

This didn’t fix the issue for me either and the issue persists. I opened a ticket with Make, any suggestions are welcome.

9

Make confirmed that this is a known error and they’re working on resolving it without a set ETA.

1 Like
10

Thanks for the update and confirmation! So it looks like existing, older connections aren’t affected, only newly-created ones.

11

I don’t think so. In my case, it affected the old connection. But only the one that was connected via Client ID and Client Secret. So far, I’ve switched the automation to another account without that connection and it’s working. However, for example the “Share an album” module doesn’t work at all.

12

Have you managed to set up Google Photos?

The Make module doesn’t work as intended for neither existing, nor new connections.

I was unable to get the HTTP module’s OAuth 2.0 to work as I’m always receiving a error 403 “Request had insufficient authentication scopes.”.

13

Until today, it worked when I used another google account that was not authenticated through the outh platform. As of today, it doesn’t work anymore either.
I have also addressed this with support - they know about it, but I don’t know of any further developments. I currently have no choice but to disconnect these modules from the scenarios… :frowning:

14

Hello :waving_hand:

I’m very sorry to hear that you are facing these issues. I’ve collected feedback from the Devs that getting approval from Google to make the necessary fix would take some time, unfortunately. However, you can use the ‘HTTP - Make an OAuth2 request’ module as a workaround.

You need to follow these steps:

  1. Log in to the Google Cloud Platform using your Google credentials.

  2. On the welcome page, click Create or select a project > New project.

800×242 72.6 KB

3. Enter a Project name and select the Location for your project.

  1. Click Create.

800×221 27.1 KB

  1. In the top menu, check if your new project is selected in the Select a project dropdown. If not, select the project you just created.

Enable APIs for Google Photos

1.Open the left navigation menu and go to APIs & Services > Library.

  1. Search for the following API:

Google Photos Library API

  1. Click Google Photos Library API, then click Enable. If you see the Manage button instead of the Enable button, you can proceed to the next step: the API is already enabled.

655×227 11.4 KB

Configure your OAuth consent screen for Google Photos

To configure your OAuth consent screen:

  1. In the left sidebar, click Google Auth Platform.

800×185 53.5 KB

If you don’t see Google Auth Platform in the left sidebar, click View all products at the top of it, then pin Google Auth Platform to the sidebar.

  1. Click Get Started.

  2. In the Overview section, under App information, enter Make as the app name and provide your Gmail address. Click Next.

  3. Under Audience, select External. Click Next.

  4. Under Contact Information, enter your Gmail address and click Next.

  5. Under Finish, agree to the Google User Data Policy.

  6. Click Continue > Create.

  7. Click Create OAuth Client.

  8. In the Branding section, under Authorized domains, add make.com and integromat.com. Click Save

  9. In the Data Access section, click Add or remove scopes, and add the following scopes:

https://www.googleapis.com/auth/photoslibrary.appendonly
https://www.googleapis.com/auth/photoslibrary
https://www.googleapis.com/auth/photoslibrary.edit.appcreateddata

You can add scopes using:

A table with filters
A window to manually enter scopes

Click Update and Save.

Create your client credentials

  1. In the Google Auth Platform, click Clients.

  2. Click + Create Client.

Create Client
Create Client909×308 61.8 KB

  1. In the Application type dropdown, select Web application.

  2. Update the Name of your OAuth client. This will help you identify it in the platform.

  3. In the Authorized redirect URIs section, click + Add URI and enter the following redirect URI:

https://www.integromat.com/oauth/cb/google-restricted

Authorize redirect URI
Authorize redirect URI782×815 188 KB

  1. Click Create.

  2. Click the OAuth 2.0 Client you created, copy your Client ID and Client secret values, and store them in a safe place.

You will use these values in the Client ID and Client Secret fields in the HTTP - Make an Oauth 2 request module.

Ensure to set up the connection as shown here, the scopes are stated above:

1070×1227 156 KB

When you click on Save, you will need to follow the prompts to authenticate your account.

When the connection is added successfully, you can then set up the module this way:

808×979 79.5 KB

I’m very sorry for such a long read, but it’s the only alternative for now. :folded_hands:

6 Likes
15

Thanks @Misha-Inactive! I appreciate that Make is taking the time to provide such detailed instructions on a workaround. The process isn’t very straightforward, but I’m relieved this works just fine after fiddling around with a similar approach myself. :slight_smile:

I don’t want to overreach, but would you be able to provide the scopes required and API endpoints for other Google Photos modules? I’m thinking of:

  1. Share an album.
  2. Get an album.

Thanks any ways, I understand if this is not possible.

16

Hello @Zbulo :waving_hand:

I’m sorry for my late reply! But here I come and bring the answer. :cowboy_hat_face:

Here are the required scopes for share an album:

Here are the scopes for get an album:

Hope this helps. :hugs:

2 Likes
17

The connection is still not working.

18

Hello @koprogrammer :waving_hand:

You’ll find a workaround in my previous reply. :up_arrow: Please try it, I’m sure it will work for you. :folded_hands:

19

How can I list shared albums?

Why standard modules doesn’t work?

20

To list shared album you can make this API call Method: albums.list  |  Google Photos APIs  |  Google for Developers if you’re using the HTTP module. Additionally, the standard module functions properly. Can you clarify on what exactly is not working? Please share it with our Customer Care Team by submitting a ticket. Thank you.