MCP Server Authentication Google Ads OAuth Setup — Complete Security Guide
OAuth setup for an MCP server gives AI agents that manage Google Ads accounts secure API access. Configure OAuth 2.0 flows, manage refresh tokens, and implement authentication protocols that protect advertiser data while enabling autonomous campaign optimization.
What is MCP server authentication for Google Ads?
MCP server authentication for Google Ads is the OAuth-based security setup that allows AI agents to access Google Ads API data through Model Context Protocol (MCP) while protecting advertiser credentials. Instead of sharing your Google account password with an AI system, OAuth 2.0 creates temporary access tokens that grant specific permissions (like reading campaign data or adjusting bids) without exposing your main account credentials.
The authentication flow works in three stages: credential setup (creating OAuth client ID/secret in Google Cloud Console), authorization (user grants permission to the MCP server), and token management (refresh tokens maintain access without re-authentication). Google processes over 8.5 billion searches daily, generating $282 billion in annual ad revenue, which means their API security standards are enterprise-grade. Proper MCP server authentication ensures AI agents can optimize your campaigns 24/7 without compromising account security.
This guide covers the complete OAuth setup process: Google Cloud Console configuration, MCP server deployment, token refresh automation, security best practices, and troubleshooting common authentication errors. For broader context on AI-powered Google Ads management, see Claude Skills for Google Ads. For the manual approach without authentication, see How to Use Claude for Google Ads.
What are the OAuth 2.0 requirements for Google Ads MCP integration?
Google Ads API requires OAuth 2.0 authorization code flow with specific scopes and credential types. Unlike simple API keys, OAuth tokens have limited lifespans (typically 1 hour for access tokens, 6 months for refresh tokens) and can be revoked instantly if compromised. The MCP server must handle token refresh automatically to maintain 24/7 AI agent access without manual intervention.
| Requirement | Specification | Purpose |
|---|---|---|
| OAuth Client Type | Web Application | Supports redirect URI for authorization code |
| Required Scopes | https://www.googleapis.com/auth/adwords | Read/write access to Google Ads account |
| Developer Token | Approved by Google Ads API team | Identifies your application to Google |
| Access Token Lifespan | 1 hour | Limits exposure if credentials leak |
| Refresh Token Lifespan | 6 months (if unused) | Automatic token renewal without re-auth |
Critical OAuth Configuration: Your Google Cloud Console project must enable the Google Ads API, configure the OAuth consent screen, and add authorized redirect URIs for your MCP server. Google’s OAuth implementation includes rate limiting (10,000 requests per day for unverified apps, unlimited for verified apps) and requires HTTPS endpoints in production. Development environments can use localhost with HTTP for testing.
Developer Token Approval Process: Google Ads API requires a developer token that must be approved for production use. Test accounts work immediately, but production accounts serving real ads need manual approval from Google’s API team. This process typically takes 2–5 business days and requires demonstrating legitimate use cases. The approval is account-specific — each Google Ads manager account needs its own developer token.
Essential security protocols for MCP Google Ads authentication
OAuth setup for a Google Ads MCP server requires multiple security layers to protect advertiser data and prevent unauthorized account access. Google processes $46 billion in quarterly ad revenue, making their API a high-value target for attackers. Implementing proper security protocols prevents credential theft, unauthorized campaign modifications, and data breaches that could cost agencies their client relationships.
Protocol 01
HTTPS-Only Communication
All OAuth flows must use HTTPS encryption to prevent man-in-the-middle attacks during credential exchange. HTTP connections expose client secrets, authorization codes, and access tokens to network eavesdropping. Google rejects OAuth requests from non-HTTPS endpoints in production, though localhost development is permitted. Use TLS 1.2 or higher with valid certificates from trusted certificate authorities.
Protocol 02
Environment Variable Protection
Store client secrets, refresh tokens, and API keys as environment variables, never in code repositories. Use container orchestration secrets (Docker Secrets, Kubernetes Secrets) or cloud key management services (AWS Secrets Manager, Google Secret Manager, Azure Key Vault). Rotate secrets quarterly and implement automated detection for credentials accidentally committed to version control.
Protocol 03
Token Encryption at Rest
Encrypt refresh tokens with AES-256 before storing them in a database, using a unique initialization vector per token. Never store tokens in plain text files, browser local storage, or unencrypted databases. Implement database-level encryption for additional protection. Consider using hardware security modules (HSMs) for enterprise deployments managing more than 50 Google Ads accounts.
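One way to apply this protocol, as an added example that is not code from the original page or from any MCP server project. It uses Node's built-in crypto module with AES-256 in GCM mode (the mode is a choice made here; the page specifies only AES-256 with a unique IV per token). The function names, the stored layout and the binding of each record to an account ID are assumptions.

```javascript
// Added example: AES-256-GCM envelope for refresh tokens at rest.
const crypto = require('node:crypto');

const KEY_BYTES = 32;   // AES-256
const IV_BYTES = 12;    // nonce size recommended for GCM
const TAG_BYTES = 16;   // GCM authentication tag

// Encrypt one refresh token. A fresh random IV is drawn on every call, and the
// account ID is bound as associated data, so a stored record copied onto
// another account's row fails authentication when it is opened.
function sealToken(key, accountId, refreshToken) {
  if (!Buffer.isBuffer(key) || key.length !== KEY_BYTES) {
    throw new Error('key must be a 32-byte Buffer');
  }
  const iv = crypto.randomBytes(IV_BYTES);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(accountId, 'utf8'));
  const body = Buffer.concat([cipher.update(refreshToken, 'utf8'), cipher.final()]);
  // Stored layout (assumption): iv || tag || ciphertext, base64 for a text column.
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt and authenticate. Throws if the key, the account ID or any stored
// byte differs from what was sealed.
function openToken(key, accountId, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < IV_BYTES + TAG_BYTES) throw new Error('record too short');
  const iv = raw.subarray(0, IV_BYTES);
  const tag = raw.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const body = raw.subarray(IV_BYTES + TAG_BYTES);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(accountId, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Constructed demo key. A real deployment loads the key from a secret manager
// or KMS and never generates or stores it next to the ciphertext.
const demoKey = crypto.randomBytes(KEY_BYTES);
```

Because the IV is random per call, sealing the same token twice gives two different records, and both open to the same plaintext.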
Protocol 04
Scope Minimization
Request only the minimum OAuth scopes required for your MCP server functionality. Google Ads API offers granular scopes for read-only access, campaign management, and account administration. Never request broad scopes like gmail.readonly or drive.full just because they’re available. Users can see exactly which permissions you’re requesting during OAuth consent, and excessive permissions reduce trust.
Protocol 05
IP Whitelisting and Rate Limiting
Implement IP whitelisting for MCP server endpoints and apply rate limiting to prevent credential stuffing attacks. Google Ads API has built-in rate limits (15,000 operations per hour for standard access), but your OAuth endpoints need additional protection. Log all authentication attempts with source IPs, timestamps, and success/failure status. Alert on unusual patterns like multiple failed attempts from the same IP.
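The logging and alerting described in Protocol 05, as an added example that is not part of the original page: a sliding-window check that flags a source IP once it accumulates repeated failed authentication attempts. The JSON log format, the 5-minute window, the threshold of 5 and all function names are assumptions; the sample log lines are constructed.

```javascript
// Added example. Log format, window and threshold are assumptions.
const WINDOW_MS = 5 * 60 * 1000;   // look-back window per source IP
const MAX_FAILURES = 5;            // failures inside the window that raise an alert

// Constructed sample log, one JSON object per line (documentation IP ranges).
const line = (ts, ip, ok) => JSON.stringify({ ts, ip, ok, path: '/oauth/callback' });
const SAMPLE_LOG = [
  line('2024-01-01T10:00:00Z', '198.51.100.7', true),
  ...[0, 20, 40, 60, 80, 100].map((s) =>
    line(new Date(Date.UTC(2024, 0, 1, 10, 1, s)).toISOString(), '203.0.113.9', false)),
  line('2024-01-01T10:02:00Z', '198.51.100.7', false),
  'truncated or malformed line',
].join('\n');

// Parse log text into time-ordered events, skipping lines that are not valid records.
function parseAuthLog(text) {
  const events = [];
  for (const raw of text.split('\n')) {
    try {
      const rec = JSON.parse(raw);
      const ts = Date.parse(rec.ts);
      if (typeof rec.ip === 'string' && !Number.isNaN(ts)) {
        events.push({ ts, ip: rec.ip, ok: rec.ok === true });
      }
    } catch { /* not a JSON record: ignore */ }
  }
  return events.sort((a, b) => a.ts - b.ts);
}

// Return one alert per IP, the first time it reaches maxFailures inside windowMs.
// Successes do not reset the count: a success after many failures deserves review.
function findRepeatedFailures(events, windowMs = WINDOW_MS, maxFailures = MAX_FAILURES) {
  const recent = new Map();   // ip -> failure timestamps still inside the window
  const alerted = new Set();
  const alerts = [];
  for (const e of events) {
    if (e.ok) continue;
    const hits = (recent.get(e.ip) || []).filter((t) => e.ts - t < windowMs);
    hits.push(e.ts);
    recent.set(e.ip, hits);
    if (hits.length >= maxFailures && !alerted.has(e.ip)) {
      alerted.add(e.ip);
      alerts.push({ ip: e.ip, failures: hits.length, since: hits[0], at: e.ts });
    }
  }
  return alerts;
}
```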
How to set up MCP server authentication for Google Ads (6 steps)
This walkthrough builds a complete OAuth setup for a Google Ads MCP server from scratch. Total setup time: 25–35 minutes including Google Cloud Console configuration, OAuth client creation, MCP server deployment, and token testing. You need a Google Ads account with API access, Google Cloud Console access, and basic knowledge of environment variables.
Step 01
Create Google Cloud Console project
Navigate to console.cloud.google.com > New Project. Name it "MCP Google Ads Auth" and note the project ID. Enable Google Ads API: APIs & Services > Library > Search "Google Ads API" > Enable. This process takes 2–3 minutes and creates the foundation for OAuth credential management.
Step 02
Configure OAuth consent screen
Go to APIs & Services > OAuth consent screen. Choose "External" for production use. Fill required fields: App name (your MCP server name), User support email, Developer contact email. Add scope: https://www.googleapis.com/auth/adwords. For production, submit for verification (takes 1–7 days). Test users can authenticate immediately without verification.
Step 03
Create OAuth 2.0 credentials
APIs & Services > Credentials > Create Credentials > OAuth client ID. Select "Web application." Add authorized redirect URIs: https://yourdomain.com/oauth/callback for production, http://localhost:8080/oauth/callback for development. Download the JSON credentials file — it contains client ID, client secret, and redirect URIs.
Step 04
Obtain Google Ads developer token
Log into Google Ads account > Tools & Settings > API Center > Request developer token. Provide application details and intended use case. Test tokens work immediately with test accounts. Production tokens require manual approval (2–5 business days). Save the developer token — it’s required for all Google Ads API requests alongside OAuth tokens.
Step 05
Deploy MCP server with OAuth support
Install the MCP Google Ads server with OAuth support. Set environment variables from your OAuth credentials:
The server starts on port 8080 by default. For production, use process managers like PM2 or containerize with Docker for better reliability and automatic restarts.
Step 06
Complete OAuth authorization flow
Navigate to https://yourdomain.com/auth to start OAuth flow. Click "Authorize with Google Ads" > Sign in to your Google account > Grant permissions for Google Ads access > Copy the authorization code > Paste into MCP server > Server exchanges code for access/refresh tokens. Test the connection by requesting account data.
How to manage OAuth tokens for continuous MCP server operation?
OAuth token management is critical for uninterrupted AI agent operation. Access tokens expire every 60 minutes, while refresh tokens last 6 months (if actively used) or expire after 6 months of inactivity. Your MCP server must implement automatic token refresh to maintain 24/7 Google Ads API access. Failed token refresh results in authentication errors that halt campaign optimization until manual intervention.
Automatic Token Refresh Implementation: Monitor access token expiration timestamps and proactively refresh tokens 5–10 minutes before expiry. Store both access and refresh tokens securely in an encrypted database or a key management service. Implement exponential backoff for refresh failures, since Google’s OAuth servers occasionally experience brief outages. Log all token refresh events for debugging authentication issues.
Refresh Token Lifecycle Management: Refresh tokens can become invalid if users change passwords, revoke app permissions, or remain inactive for 6 months. Implement monitoring to detect invalid refresh tokens and trigger re-authorization flows. Send alerts to account owners when tokens are about to expire or become invalid. For enterprise deployments, consider implementing token sharing across multiple MCP server instances to reduce re-authorization frequency.
Error Handling and Fallbacks: Google Ads API returns specific error codes for authentication failures: 401 (invalid access token), 400 (invalid refresh token), 403 (insufficient permissions). Implement different handling strategies for each error type. Create alerting systems that notify administrators of authentication failures within 5 minutes. Consider implementing fallback authentication methods for critical campaigns that cannot tolerate downtime.
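The refresh and error-handling behaviour described in this section, as an added example that is not code from the original page or from any MCP server project: refresh ahead of expiry, retry transient failures with exponential backoff, and stop retrying when the refresh token itself is rejected. `postToken` and `sleep` are hypothetical injected callbacks, and the `action` labels are names chosen here.

```javascript
// Added example. postToken and sleep are injected, hypothetical callbacks so the
// logic runs offline; a real postToken would send grant_type=refresh_token to
// Google's token endpoint and resolve to { status, body }.
const REFRESH_SKEW_MS = 5 * 60 * 1000;   // refresh 5 minutes before expiry

function needsRefresh(token, nowMs, skewMs = REFRESH_SKEW_MS) {
  return !token || nowMs >= token.expiresAt - skewMs;
}

// Handling strategy for the API status codes listed in this section.
function classifyApiFailure(status) {
  if (status === 401) return 'refresh_access_token';
  if (status === 400) return 'reauthorize';
  if (status === 403) return 'check_permissions';
  return 'alert';
}

// 1s, 2s, 4s, ... capped at 60s.
function backoffDelayMs(attempt, baseMs = 1000, capMs = 60000) {
  return Math.min(capMs, baseMs * 2 ** attempt);
}

async function refreshAccessToken({ postToken, sleep, now = Date.now, maxAttempts = 5 }) {
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    let res;
    try {
      res = await postToken();
    } catch (err) {
      res = { status: 503, body: { error: String(err) } };   // network failure: retryable
    }
    if (res.status === 200) {
      return {
        accessToken: res.body.access_token,
        expiresAt: now() + res.body.expires_in * 1000,
      };
    }
    if (res.status !== 429 && res.status < 500) {
      // Retrying cannot fix a rejected refresh token; surface it for re-authorization.
      const err = new Error(`token refresh rejected: ${res.body && res.body.error}`);
      err.action = res.status === 400 ? 'reauthorize' : 'alert';
      throw err;
    }
    if (attempt < maxAttempts - 1) await sleep(backoffDelayMs(attempt));
  }
  const err = new Error('token refresh still failing after retries');
  err.action = 'alert';
  throw err;
}
```

A production version would add random jitter to the delay so that several server instances do not retry in lockstep.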

Common MCP server authentication errors and solutions
Error 1: "invalid_client" during OAuth flow. This occurs when the client ID or secret does not match, or when the redirect URI doesn’t match the Google Cloud Console configuration. Verify that the credentials file matches the OAuth client settings exactly. Check for trailing slashes in redirect URIs: https://domain.com/callback and https://domain.com/callback/ are different URLs to Google’s OAuth server.
Error 2: "access_denied" when users try to authorize. The user declined the permission grant, or your app requests unauthorized scopes. Check the OAuth consent screen configuration and ensure all requested scopes are properly added. If you use an unverified app in production, users see warning messages that may discourage authorization. Submit the app for verification to remove the warnings.
Error 3: "invalid_grant" when refreshing tokens. The refresh token expired (more than 6 months old), the user changed their password, or the user revoked app permissions. Implement a re-authorization flow to obtain a new refresh token. Monitor refresh token age and proactively re-authorize before the 5-month mark to prevent expiration.
Error 4: "unauthorized_client" with Google Ads API calls. The developer token is not approved for production use, or a test token is being used against a production Google Ads account. Test tokens only work with test Google Ads accounts (those with minimal spend and no real ads). Production accounts require approved developer tokens from the Google Ads API team.
Error 5: SSL/TLS certificate validation failures. Occurs with self-signed certificates or expired SSL certificates on MCP server endpoints. Google OAuth requires valid HTTPS certificates for production redirect URIs. Use Let’s Encrypt for free valid certificates, or cloud load balancers that handle SSL termination automatically.
Frequently asked questions
Q: What is MCP server authentication for Google Ads?
OAuth setup for a Google Ads MCP server allows AI agents to securely access the Google Ads API through Model Context Protocol. It uses OAuth 2.0 flows to create temporary access tokens that grant specific permissions without exposing main account credentials.
Q: How long do Google Ads OAuth tokens last?
Access tokens expire after 1 hour, while refresh tokens last up to 6 months if actively used. MCP servers must implement automatic token refresh to maintain continuous API access for 24/7 AI campaign optimization.
Q: Do I need a Google Ads developer token?
Yes, Google Ads API requires a developer token along with OAuth credentials. Test tokens work immediately with test accounts, but production accounts need manual approval from Google (2-5 business days).
Q: Can I use HTTP for MCP server OAuth endpoints?
Only for localhost development. Production OAuth flows require HTTPS endpoints with valid SSL certificates. Google rejects OAuth requests from insecure HTTP URLs to prevent credential theft during authentication.
Q: What happens if my refresh token expires?
The MCP server loses API access until users complete re-authorization. Implement monitoring to detect expiring tokens and proactively trigger re-auth flows before the 6-month expiration deadline.
Q: How does Ryze AI handle authentication automatically?
Ryze AI manages the complete OAuth flow, token refresh, and credential security behind the scenes. You authenticate once during setup, then Ryze maintains API access indefinitely with automatic token management and monitoring.
