Skip to main content
HireOtto accesses your Google Ads account through OAuth2, the same authorization standard used by apps like Gmail and Google Drive. You never share your Google password with HireOtto. Instead, you grant HireOtto a limited-scope access token through Google’s consent screen, and that token is what HireOtto uses to read and write your campaign data.

How OAuth2 works with HireOtto

When you complete the OAuth flow, Google issues HireOtto an access token and a refresh token scoped to your Google Ads account. HireOtto stores the refresh token securely and uses it to obtain fresh access tokens as needed. Your credentials stay with Google at all times.
HireOtto never stores your Google password. The only credential HireOtto holds is an OAuth refresh token, which you can revoke at any time through your Google Account security settings.

Authorize your Google Ads account

1

Trigger the authorization flow

Open your AI assistant and send any HireOtto request — for example, “List my Google Ads campaigns.” If HireOtto hasn’t been authorized yet, your assistant will respond with an authorization link.Click the link to open Google’s OAuth consent screen in your browser.
2

Sign in with the right Google account

On the Google sign-in screen, select or sign in with the Google account that has access to your Google Ads account. If you manage Google Ads under a separate account from your personal Gmail, make sure you choose that account here.
3

Review and grant permissions

Google will show you a consent screen listing the permissions HireOtto is requesting. HireOtto requests the following scopes:
ScopePurpose
https://www.googleapis.com/auth/adwordsRead and write access to your Google Ads account data, including campaigns, ad groups, keywords, ads, and performance reports
Review the permissions and click Allow to grant access. If you click Deny, HireOtto will not be able to connect to your account.
4

Confirm access is granted

After granting access, Google redirects you back to HireOtto. Your AI assistant will confirm that authorization is complete and retry the original request automatically.From this point on, HireOtto uses the stored OAuth token to access your account — you won’t need to repeat the authorization flow unless the token is revoked or expires without a valid refresh token.

Re-authorize after revocation

If you revoke HireOtto’s access or your token expires, your AI assistant will show an authentication error the next time it tries to use HireOtto. To restore access, repeat the authorization flow above — send any HireOtto request and follow the authorization link your assistant provides.

Revoke access

Revoking access immediately invalidates HireOtto’s OAuth token. Any in-progress or queued HireOtto requests will fail, and your AI assistant will not be able to access your Google Ads account until you re-authorize.
To revoke HireOtto’s access to your Google Ads account:
  1. Go to myaccount.google.com/permissions and sign in with the Google account you authorized.
  2. Find HireOtto in the list of third-party apps with access to your account.
  3. Click HireOtto, then click Remove access.
Google will immediately invalidate the OAuth token. HireOtto will no longer be able to access your account.

Troubleshoot authentication errors

Your AI tool may not have picked up the HireOtto MCP server configuration. Confirm that you saved the config file correctly and restarted the AI tool. See the quickstart guide for the correct config format.

”Token expired” or “Invalid credentials”

Your OAuth refresh token may have been invalidated. This can happen if you changed your Google account password, revoked access, or if the token was unused for an extended period. Re-authorize by sending any HireOtto request and following the new authorization link.

”Insufficient permissions” or “Access denied”

This error means the Google account you authorized does not have access to the Google Ads account you’re trying to manage. Verify that the Google account you used during OAuth is linked to the correct Google Ads account. If you need access to a different account, revoke the current token and re-authorize with the correct account.

”Wrong account” — HireOtto is accessing a different Google Ads account

If HireOtto is connecting to the wrong account, revoke the current token (see Revoke access above) and repeat the authorization flow. On the Google sign-in screen, explicitly select or sign in with the correct account.