Google Play API credentials for AI tools and automation

Google Play API credentials for AI tools and automation

A practical guide to creating a Google Cloud service account for Google Play Developer API access, granting least-privilege Play Console permissions, and connecting AI coding tools or CI safely.

What Google Play uses instead of a single API token

Google Play automation uses a Google Cloud service account rather than a standalone Play Console token. The service account authenticates with Google, while Play Console permissions decide which app and release actions it can access. Before starting, create the app in Play Console and confirm that the Android package name exactly matches the application ID in the Android build.

package-name.txt

1. Enable the Google Play Android Developer API

Create or select a Google Cloud project, then enable the Google Play Android Developer API in that project. This is required even if the service account already exists. Google may need a few minutes to propagate a newly enabled API.

enable-api.txt

2. Create a service account and JSON key

In Google Cloud Console, open IAM & Admin → Service Accounts and create an account dedicated to Play automation. Open its Keys tab, add a new key, and choose JSON. The downloaded file contains a private key, so keep it outside the repository and treat it like a password.

service-account.txt

3. Grant access in Google Play Console

Open Users and permissions in Play Console and invite the service account email. Give it access only to the required app and tasks. A testing-release workflow may need permission to view app information and manage testing releases, while production releases or store-listing updates require additional permissions. Avoid administrator access unless the automation genuinely needs it.

play-console-permissions.txt

4. Configure the AI tool or CI environment

The safest setup is to keep the JSON file in a protected location and point Google authentication libraries to it with GOOGLE_APPLICATION_CREDENTIALS. Keep the package name in a separate variable. Some CI systems accept the JSON as a secret; if a tool expects base64, encode it locally and decode it only at runtime.

google-play.env.example

5. Verify access with a read-only request

Test the credentials before attempting an upload or release. A simple option is to list reviews for the package with the Android Publisher API. An empty reviews result is still a successful authentication test. The example below uses Application Default Credentials, so it reads the JSON path from GOOGLE_APPLICATION_CREDENTIALS.

verify-google-play-api.sh

Common errors and security checks

A 401 usually means the JSON key is invalid or was not loaded. A 403 can mean that the API is disabled or the service account lacks Play Console permission. A 404 commonly points to a wrong package name or missing app access. After changing APIs or permissions, wait a few minutes and test again. Never commit the JSON key or its base64 form, rotate exposed keys immediately, and prefer short-lived workload identity credentials for long-running production automation when the platform supports them.

troubleshooting.txt