
What permissions does GA4audit need and why?

Which Google permission scopes GA4audit requests (analytics.readonly, analytics.manage.users.readonly), why they're read-only, what we do NOT ask for, and how long access lasts.


When connecting your Google account, you'll see a consent screen listing the requested permissions. It's worth understanding exactly what we ask for - and, just as importantly, what we don't.

Two scopes, both read-only

Technically, we request two Google API permission scopes:

`analytics.readonly` - reading Google Analytics data and configuration.

This is the core scope of the audit. It lets us read your property's configuration (administrative settings, data streams, key events, attribution, integrations) and the reporting data needed for the checkpoints (e.g. whether the purchase event records continuously, whether transactions have unique identifiers, whether any channel converts at zero).

`analytics.manage.users.readonly` - reading the property's user list.

It lets us read who has access to your GA4 property and with what role - again, read-only. We cannot add anyone, remove anyone or change anyone's permissions.

On the wizard screen these scopes are described in benefit language as three items: "View your Google Analytics data", "List your GA4 properties" and "Read property settings" - all of them boil down to the two scopes above.

Why this matters: read-only is a technical property, not a promise

The key point: both scopes are read-only by definition on Google's side. This means that even if we wanted to change something in your configuration (we don't), the Google API would technically refuse - a write request would be rejected at the level of Google's infrastructure before it ever touched your data. The safety of your configuration therefore doesn't depend on our declaration, but on the architecture of the access itself.

For comparison: many analytics tools request the `analytics.edit` scope, which allows configuration changes. We deliberately don't - an audit is by nature an examination, not an intervention.
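
To check the two-scope claim yourself, the following added example (not GA4audit's own code) audits the `scope` parameter of a Google consent URL, or the `scope` field of a tokeninfo-style JSON response, against the two scopes named above. The sample URL, the `EXAMPLE_CLIENT_ID` placeholder, the sample token response and all function names are constructed for illustration.

```python
import json
from urllib.parse import urlparse, parse_qs

PREFIX = "https://www.googleapis.com/auth/"
# The two read-only scopes this article names, as full Google scope URIs.
EXPECTED = {PREFIX + "analytics.readonly",
            PREFIX + "analytics.manage.users.readonly"}
# Write-capable Analytics scopes; their presence contradicts a read-only grant.
WRITE_CAPABLE = {PREFIX + "analytics.edit",
                 PREFIX + "analytics.manage.users"}


def audit_scopes(scope_string):
    """Classify a space-delimited OAuth scope string against EXPECTED."""
    scopes = set(scope_string.split())
    return {
        "unexpected": sorted(scopes - EXPECTED),
        "write_capable": sorted(scopes & WRITE_CAPABLE),
        "missing": sorted(EXPECTED - scopes),
        # Pass only if something was requested and nothing beyond the two scopes.
        "ok": bool(scopes) and scopes <= EXPECTED,
    }


def audit_consent_url(url):
    """Audit the 'scope' parameter of an OAuth authorization URL."""
    params = parse_qs(urlparse(url).query)  # decodes %20 and '+' to spaces
    return audit_scopes(" ".join(params.get("scope", [])))


def audit_tokeninfo(body):
    """Audit the 'scope' field of a tokeninfo-style JSON response body."""
    return audit_scopes(json.loads(body).get("scope", ""))


# Constructed sample inputs; the client_id is a placeholder, not a real value.
GOOD_URL = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
            "&client_id=EXAMPLE_CLIENT_ID&scope="
            "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fanalytics.readonly%20"
            "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fanalytics.manage.users.readonly")
BAD_TOKENINFO = json.dumps({"scope": PREFIX + "analytics.readonly "
                                     + PREFIX + "analytics.edit",
                            "expires_in": "3540"})

if __name__ == "__main__":
    print(audit_consent_url(GOOD_URL))
    print(audit_tokeninfo(BAD_TOKENINFO))
```

Any entry under `unexpected` or `write_capable` means the grant goes beyond the two scopes this article describes.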

What we do NOT ask for

- access to your email, Google Drive, calendar or any other Google service,
- the ability to edit, create or delete anything in Google Analytics,
- access to Google Ads, Search Console or other marketing accounts (regarding integrations, we only read what's visible in the GA4 configuration),
- your Google password - the sign-in happens entirely on Google's side (OAuth), and we never see your login credentials.

How long the access lasts

The consent remains valid until you revoke it. The session token we use during an audit expires after about an hour, which is why you may be asked to reconnect when returning after a longer break (see: "Your GA4 connection session has expired"). You can revoke access at any time; see "How do I revoke GA4audit's access to my Google account?".

Compliance with Google's policies

GA4audit's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements: we use the data solely to generate your report; we don't sell it, share it with third parties, use it for advertising or to train AI models. Full details: Privacy Policy.
