The principle
Permissions, not passwords
The fastest way to get a client's account access feels like asking for their login. It's also the riskiest. Here's the case for doing it the secure way, every time.
Why shared passwords fail
- They break two-factor authentication, so either security is off or the agency is blocked.
- They trigger suspicious-login flags when a new device or location signs in.
- They can't be scoped: a password is all-or-nothing, with no read-only or campaign-only level.
- They leave no audit trail of who did what.
- They don't end cleanly: when the agency changes staff, your password is still out there.
What permission-based access gives you
Every major platform, Google Ads, Meta, GA4, Shopify, QuickBooks, Xero, has a built-in way to grant access by role: the agency or accountant signs in with their own account, at the level you choose, and you can revoke it in one click. You keep ownership, the audit trail, and your two-factor auth. It is safer for the client and faster for the partner.
How to grant access the right way
We have step-by-step guides for the platforms agencies and accountants ask for most:
See all access guidesThe catch: doing it for every platform, on every client
Permission-based access is the right way, but doing it by hand across a dozen platforms for every new client is the chase. AutoStack collects it all through one branded link, tracked as state, requested, verifying, granted, or wrong-level, so access is done before kickoff, not during it.
See AutoStack access requestsFrequently asked questions
Is it safe to share account access with an agency?
Yes, when you use permission-based access. Granting an agency access through each platform's own roles (not your password) is safer than sharing a login: it keeps two-factor auth intact, records who has access, and lets you revoke instantly.
Why shouldn't I just share my password?
A shared password breaks two-factor authentication, triggers suspicious-login security flags, can't be scoped to a permission level, and leaves no record of who did what. If the agency changes staff, your password is still out there.
What does “permissions, not passwords” mean?
It means granting access through a platform's built-in roles and partner-sharing (for example, Google Ads access levels, Meta partner access, a QuickBooks accountant invite) instead of handing over login credentials.
Collect every login in one link
See how AutoStack requests client account access at the right permission level, with no password emails.