Share Tightly Scoped Keys, Not Broad Keys

Safe Team Access

Shared work should use shared intent, not shared broad credentials. Do not give every teammate or contractor one Full Suite key. Create a key for the person, contractor, automation, or workflow that needs access, scope it to the work, and revoke it when the work ends.

Give your ads contractor an ads-read key for audits. If they need bid changes, create a separate write-enabled key with only the required write tools.

Read Keys And Write Keys

Read-only analysis and write-capable operations have different risk profiles. Keep them separate even when the same person performs both tasks.

• Use read-only keys for audits, reporting, and investigation.
• Use write-enabled keys only for approved workflows that need to change bids, budgets, listings, prices, quantities, or fulfillment actions.
• Avoid leaving write-enabled keys in general-purpose chat projects.
• Revoke contractor and short-term workflow keys as part of closeout.

Access Matrix

Reusable Access Prompt

Create an Agent Central access plan for this teammate or contractor:

Person or role:
Work they need to do:
Date range of access:
Read access needed:
Write access needed, if any:

Return:
- The key name to create
- The domains/tools to include
- What not to include
- When to revoke the key
- Whether write access should be a separate key