Google Play Android Developer API 401 Insufficient permissions

Question

I'm using Google Play Android Developer API to server to server check subscription status of our users' subscriptions but after successful authorization and asking for an existing subscription I get the 401 response with the following message 'The current user has insufficient permissions to perform the requsted operation'. Visiting https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=XXXXXX I can see that I do have the requested scope (https://www.googleapis.com/auth/androidpublisher) but I still get the same response everytime. Did anyone else have the same problem?

Edit: I've seen what the Explore API app does, it adds the key in the query string of a request but I don't have that value. In the console I've created a Service Account Client Id which has a client id, email address and a private key but there is no API key which apparently Explore API uses.

Edit no. 2: I've added the service account generated email both to Google Play Developer Console and Google Wallet console but I still have no acces. I'm using nodejs and the google-oauth-jwt because there is not google provided lib for nodejs.

Here is the code I'm using to make a request:

var request = require('google-oauth-jwt').requestWithJWT();

function makeReq() {
    request({
        url: 'https://www.googleapis.com/androidpublisher/v1.1/applications/{packageName}/subscriptions/{subscriptionId}/purchases/{purchaseToken}',
        jwt: {
            // use the email address of the service account, as seen in the API console
            email: '[email protected]',
            // use the PEM file we generated from the downloaded key
            keyFile: 'purchases-test.pem',
            // specify the scopes you wish to access
            scopes: ['https://www.googleapis.com/auth/androidpublisher']
        }
    }, function (err, res, body) {
        if (err) {
            console.log(err);
        } else {
            console.log("BODY IS ------------------------------------------");
            console.log(JSON.parse(body));
        }
    });
}

Answer 1

If your app is only released in a closed alpha track, you'll also have to add your service account's email address (client_email) to the License Testers at Settings -> Account detail in the Play Console.

Answer 2

There is an email address associated with your service account.

This needs to have appropriate permissions in both the dev console AND the Play store. Make sure to add the service address to the Play store.

The way I approached it was to use

var googleAuth = require('google-oauth-jwt'),
    authObject = {
        email: '[email protected]',
        keyFile: 'purchases-test.pem',
        scopes: ['https://www.googleapis.com/auth/androidpublisher']
    };

googleAuth.authenticate(authObject, function (err, token) {
    next(err, token);
});

I store the token in redis for an hour and use that token to make my request to the store:

var opts = {
    url : verifyUrl + payload.packageName + '/inapp/' + payload.productId + '/purchases/' + payload.token,
    headers: {
        authorization : 'Bearer ' + token
    }
};

request.get(opts, function (error, response, body) {
    next(error, response, body);
});