Google Photos - Make an API Call: 403: PERMISSION_DENIED - Request had insufficient authentication scopes

Hello Make Community,

I am working on an automation and trying to create an API Call to Google Photos to move photos from one album to another after certain actions are taken within my automation. I have setup my Google Photos connection and have confirmed I have proper permissions: https://www.make.com/en/help/app/google-photos?_gl=1*1nt7aa1*_ga*MTY3OTY2ODQ0OS4xNzEwNDUzMDE1*_ga_MY0CJTCDSF*MTcxNDcxMDU3NC4xNDQuMS4xNzE0NzE3MDkwLjU2LjAuMA

However, when I use the Make an API Call module for Google Photos on my album, I am getting the following error: The operation failed with an error. 403: PERMISSION_DENIED - Request had insufficient authentication scopes.

I have checked the scopes and they are giving correct access per the Google Photos API. The specific call I am trying to do is “AddMediaItems”:

Here is the Google Photo API library:

Can anyone help with this? Anyone else experiencing issues with Google Photos and Making an API call?

Thank you,
John

How to create an OAuth app in GCP: https://www.make.com/en/help/tutorials/calling-google-apis-via-the--http-make-a-oauth-2-0-request--module ← FOLLOW THIS

1a. Enable the relevant API

Find the relevant API here: Google Cloud console
Go to API page, end click “Enable”

1b. Add the relevant scopes

Direct Link: https://console.cloud.google.com/apis/credentials/consent/edit

2. Insert all the known Google Redirect URIs for your app

Direct Link: https://console.cloud.google.com/apis/credentials

Here are some known redirect URIs you need for your Google Cloud Console OAuth app. If you set these up, you can reuse the same GCP app for other Google apps and modules on Make.

Once you’ve set these up, you can use/reuse the same Make connection for all the supported Google apps & modules on Make - you’ll only have to enable the APIs for your custom app.

3. Publish your GCP OAuth2 app

Direct Link: https://console.cloud.google.com/apis/credentials/consent

You might need to set your OAuth application to “Production”, otherwise the credentials expire very frequently.

1. To do this, go to menu item “OAuth consent screen”

or click here https://console.cloud.google.com/apis/credentials/consent

2. Then click the button below if the Publishing status is not “In production”

4. Set up connection (HTTP OAuth, or respective Google App)

A. HTTP OAuth2

You need a “Authorize parameters” key of redirect_uri with the above Make OAuth2 callback URL.

You can find the Client ID and Client Secret in the OAuth2 app you created in GCP, on the right-hand side of where you inserted the 8 callback URLs in step 2:

B. Google App

Insert the GCP app client ID and secret here BEFORE clicking “Sign in”
Gmail example:

samliewrequest private consultation

Join the Make unofficial Discord server!

1 Like

Hi Samliew,

Thank you for your post. I am still experiencing an issue. Please see this:

  • I am encountering an insufficient scope error when trying to move a photo to a specific album in Google Photos

  • The error occurs when running the ‘albums batch add media items’ method in the API

** Steps to Reproduce**

  • List the media items
  • Get the media item
  • Get a specific album
  • Perform an action to move a photo to the album ID and move to trash through HTTP Post

** Success Would Be **

  • User should be able to successfully move a photo to a specific album without encountering an insufficient scope error

==========
{
“error”: {
“code”: 403,
“message”: “Request had insufficient authentication scopes.”,
“status”: “PERMISSION_DENIED”,
“details”: [
{
@type”: “type.googleapis.com/google.rpc.ErrorInfo”,
“reason”: “ACCESS_TOKEN_SCOPE_INSUFFICIENT”,
“domain”: “googleapis.com”,
“metadata”: {
“method”: “google.photos.library.v1.PhotosLibrary.CreateAlbum”,
“service”: “photoslibrary.googleapis.com
}
}
]
}
}

Here is the Google Photos API call I am using:

Further thoughts?

Thank you!
John

What was the scope you used when setting up the OAuth connection?

Perhaps you can also try the Photos “Make an API Call” module instead of the HTTP OAuth module, which might be simpler to set up?

1 Like