Stop sharing your password
The fastest way to get an agency working on your accounts feels like emailing them your login. It is also the worst way. Shared passwords break two-factor auth, get flagged as suspicious sign-ins, and leave you with no record of who did what. The secure way is to grant access at the account level, with the right permission, so you can revoke it any time.
Here is how to do it for the three accounts agencies ask for most.
Google Ads
Google Ads uses a manager account (MCC) model. Your agency gives you their 10-digit manager account ID. You go to Tools and settings, then Access and security, and accept the link request from that ID. You choose the access level: Admin, Standard, Read-only, or Email-only. For most agency work, Standard is enough; reserve Admin for teams that manage billing.
You never type your password anywhere. The agency requests, you approve, and the link shows up in their dashboard instantly.
Meta (Facebook and Instagram)
Meta access runs through Business Manager. The right pattern is a partner assignment: the agency requests partner access to your ad account and Pages, and you approve specific permissions (for example, Manage Campaigns versus full admin). Avoid adding people to your personal account or sharing a login. Partner access keeps your assets yours and lets you remove the agency in one click when an engagement ends.
The most common mistake is granting the wrong level, then discovering it on launch day. Confirm the access level when you approve, not when a campaign fails to publish.
Google Analytics (GA4)
GA4 manages access per property under Admin, then Property Access Management. Add the agency's email with Viewer, Analyst, Editor, or Administrator, depending on whether they need to read, configure, or manage users. Analytics access is the step everyone forgets, because it lives in a different place than ads, so it is worth doing at the same time as the rest.
Permissions, not passwords
The principle across all three: grant access through the platform's own permission system, at the least level that gets the job done, and keep the ability to revoke. That is safer than a password for you, and faster for the agency.
The part that is still painful
Doing this once is fine. Doing it for Google Ads, Meta, GA4, Search Console, Tag Manager, the Business Profile, and a Shopify store, for every new client, is the chase. Each platform lives in a different menu, the client gets a wall of instructions, and someone always grants the wrong level.
This is the exact problem AutoStack collapses into one link. You pick the accounts you need, the client approves them at the right permission level in a couple of clicks, and every grant lands as tracked state: requested, verifying, granted, or wrong-level. No password emails, and you can see at a glance what is still outstanding before kickoff.
If you are setting up account access for a new client this week, [see how the access requests work](/product/access-requests).