Security · 6 min read
Per-Client OAuth vs Agency Credentials for Ad Accounts
If you run paid media across several brands, you have almost certainly inherited a shared-login mess. One ops person holds the master password. A spreadsheet lists which brand uses which email. It works right up until it doesn’t — and per-client OAuth fixes that by design.
The shared-login setup works until someone leaves, a device gets compromised, or a platform locks an account and takes the other eleven down with it. If you are still passing credentials around, you are carrying risk you don’t need to carry. This post is about the architecture, not the vibe: there is a right way to connect a brand’s ad accounts to the tools and people who manage them, and a wrong way. The wrong way is convenient. The right way is boring, auditable, and does not blow up when a laptop goes missing.
What “shared credentials” actually means, and why it fails
Shared credentials means more than one person authenticates as the same identity. In practice that’s a shared password on a platform login, a service account whose email and password get typed into a third-party tool’s config, or a single Business Manager admin login handed to whoever needs in this week. The failure modes are structural, not hypothetical:
- One compromise exposes everything. When ten brands sit behind one login, a single phished password or one infected device gives an attacker the whole portfolio — billing included. There is no blast-radius containment.
- You cannot revoke one person. Offboarding a departing team member means rotating the password and re-distributing it to everyone still on the team. Miss it once and a former contractor still has your keys.
- You cannot prove who did what. If everyone authenticates as the same identity, your change history is useless. When a budget gets 10x’d at 2am, “the shared account did it” is not an answer you can give a brand owner.
- Platforms discourage it. Credential-sharing runs against the grain of how these platforms are designed to be accessed, which means you are one policy enforcement away from a problem. Meta’s own guidance is to use person access for people and partner access for partners, and to grant access without sharing your login credentials.
What per-client OAuth looks like instead
OAuth flips the model. Instead of the operator holding a brand’s password, the brand (or the account admin) explicitly authorizes an application to act on the specific accounts it needs — and can withdraw that authorization at any time. No password ever changes hands. Concretely, across the three platforms most portfolio operators live in:
- Meta uses partner access: a brand grants a partner business scoped permissions to specific assets, and the grant is reversible and auditable. No one types anyone’s Facebook password into anything.
- Google Ads uses OAuth for API access, where the guidance is explicitly not to share a single client identity across entities and to keep credentials out of email, config files, and repos.
- TikTok uses OAuth 2.0 advertiser authorization as the only path for its Marketing API — the advertiser explicitly grants an app permission to manage their accounts, and there are no static API keys to leak.
The difference in properties is the entire point:
| Property | Shared credentials | Per-client OAuth |
|---|---|---|
| Blast radius of one compromise | Entire portfolio + billing | One scoped grant |
| Revoke a single person/tool | Rotate password, redistribute | Revoke one token, nothing else moves |
| Audit trail | Everyone is the same identity | Each grant is distinct and attributable |
| Offboarding | Manual, easy to miss | Revoke and done |
| Platform alignment | Discouraged / policy risk | The supported path |
| Cross-brand isolation | None by default | Scoped per account |
That last row matters more than it looks. Scoping each connection to its own accounts means the person or tool working on brands A, B, and C has no visibility into brand D. That’s both a security boundary and a data-hygiene boundary — it’s how you stop the cross-brand mistakes (wrong pixel, wrong budget, wrong audience) that happen when everything is one undifferentiated login.
The token detail operators should understand
OAuth doesn’t hand over a permanent key. It issues an access token that’s short-lived and a refresh token that renews it. TikTok’s access tokens, for instance, expire within 24 hours and are refreshed by a back-end job without re-prompting the user. You get continuous access without a long-lived secret sitting around waiting to be stolen, and if you revoke the grant, the refresh stops working — access ends cleanly.
“Just give the tool my password” and “authorize the tool via OAuth” are not two flavors of the same thing. The first hands over everything, forever. The second is a scoped, revocable, expiring grant.
If the tool is breached, the difference between those two situations is the difference between a bad week and a catastrophe. In the first case, the tool now knows your password and can do anything you can do, forever, until you change it. In the second, the tool holds a scoped grant to specific accounts that you can pull at any time.
A checklist for auditing your current setup
Run this against every brand you manage. Each “no” is a liability to close.
- No shared passwords. Is there any ad platform login that more than one human types in? If yes, that’s the first thing to migrate.
- Every tool connects via OAuth or native partner access — never by storing a platform username and password.
- Access is scoped per brand. Can you point to exactly which accounts each person and each tool can touch, and confirm it’s only what they need?
- Revocation is one action. Can you remove a departing contractor from one brand without disrupting anyone else or rotating anything?
- You have an audit trail. For any change to a live campaign, can you attribute it to a specific identity?
- Billing is isolated. Is any tool or person with campaign access also sitting on top of payment methods they don’t need?
- Offboarding is documented and fast. When someone leaves, is there a known, short sequence that fully cuts their access across every brand?
If you’re managing more than a couple of brands, this audit usually surfaces at least one shared login you forgot existed. That’s normal. The point is to find it before someone else does.
Why this gets worse as you add brands
At one brand, a shared login is a small, contained risk. At eight brands, the same habit becomes a portfolio-level single point of failure — one credential whose compromise is a very bad day across every account and every client relationship. The math doesn’t scale in your favor. The more brands you run, the more the shared-credential model concentrates risk exactly where you can least afford it.
This is the core reason we built Cesara on per-client OAuth from the start rather than agency-owned credentials. Every platform connection is authorized per account by the account’s own admin, scoped to what’s needed, and revocable without touching anything else — the approach we detail on our security page. If you’re standing up the operational side of this across a portfolio, our guide to managing ad accounts across multiple brands covers the structure that sits on top of the access model.
The short version
Shared credentials are convenient and wrong. They give you no blast-radius containment, no clean revocation, no usable audit trail, and they run against how the platforms want to be accessed. Per-client OAuth is the opposite on every axis: scoped, revocable, attributable, and aligned with the platforms. It costs a small amount of setup friction once and saves you from the failure mode where one lost laptop takes down eleven brands.
If you run paid media across a portfolio, the access architecture is not a detail to sort out later. It’s the foundation everything else sits on — fix it first. See how Cesara connects your platforms to run optimization across every brand from one place.
Per-client OAuth, scoped and revocable — by default.
Reserve founding-member pricing — no card, nothing charged today.