What's the safest way to get GA4 access from a client?

Use Joiyn or a similar OAuth-based tool — never share passwords, never log into the client's Google account, never request that the client add a shared email address. With Joiyn, the client logs into their own Google account, picks which GA4 property to share, and Joiyn requests the specific role (Viewer / Analyst / Editor / Administrator) you specified. The grant is scoped, audit-logged on Google's side, and revocable by the client at any time.

Which GA4 role should I request?

For most paid-media agencies, request Analyst — you can view all data, create explorations and audiences, and read configurations, but you cannot change settings or invite others. Viewer is right for read-only audit work. Editor lets you change event configurations and conversions; use when your agency owns the measurement plan. Administrator grants everything including user management — use only when your agency runs the entire analytics stack.

Why is asking clients to manually add my email to GA4 risky?

Three reasons. (1) Clients commonly add the wrong email (personal Gmail instead of agency Workspace) and you can't see the property until it's fixed. (2) The role they pick is rarely the role you needed — they default to Viewer when you needed Analyst, or Admin when you needed Viewer. (3) There's no audit trail of who granted what or when. OAuth via Joiyn solves all three: scoped role, audit-logged, no email mistakes.

Can I request access to multiple GA4 properties at once?

Yes. If the client has multiple GA4 properties under their Google account, Joiyn shows them a list and lets them grant access to as many as you both agree on — all in one flow. No need to send separate connect links per property.

Does Joiyn store the client's GA4 data?

No. Joiyn only holds an OAuth refresh token that's used to keep your agency's access alive on Google's side. The token is encrypted at rest with AES-256-GCM. We never copy, query, or store the client's analytics data — your agency reads GA4 through Google's own UI or API using the access we granted.

27,000+

AgenciesAccounts created

124,830+

ClientsClients connected

412,830+

PlatformsAccounts connected

Answer · Google Analytics 4

How do I safely request a client's Google Analytics 4 access?

Send a Joiyn link with GA4 selected. The client logs in to Google, picks which property to share, and your agency gets the exact role you specified (Viewer, Analyst, Editor, or Administrator) — scoped and auditable, no password sharing, no email mistakes.

Start free trial See GA4 integration

Last updated 8 June 2026 · 4 min read · By Waseem Mubasher

The safe way: scoped OAuth, one link

Three things make GA4 access "safe": (1) no password sharing, (2) exact role scoping (you ask for Analyst, you get Analyst — not Admin), (3) the client retains full revocation control. OAuth via Joiyn delivers all three.

1. Pick the GA4 role you need

In the Joiyn dashboard, create a connect link, select Google Analytics 4, and pick the role:Viewer, Analyst, Editor, or Administrator. The client can't override this — they grant the role you requested, not their own choice of role.

2. Send the link

The client receives a Joiyn link, clicks it, sees your agency's branded portal. No Joiyn account creation needed.

3. Client logs in with Google, picks the property

The client signs in with their Google account that has admin rights on the property they want to share. Joiyn lists every GA4 property under that account; the client picks the right one (or multiple) and confirms.

4. Access granted via Google's Admin API

Joiyn calls Google's GA4 Admin API on the client's behalf and adds your agency's designated Workspace email to the property with the specified role. Your team can now read the data through the GA4 UI or API.

Why the manual "add my email" flow is risky

The default agency playbook is: email the client your Workspace address, tell them to add you with a specific role, hope nothing goes wrong. Three common failure modes:

Wrong email added. Client adds your personal Gmail instead of the agency Workspace one. You can't see the property and don't know why.
Wrong role granted. You asked for Analyst, the client picked Admin "to be helpful." Now your agency has billing-affecting permissions you didn't want.
No audit trail. No record of who granted what, when, or which property. When clients churn or your team changes, nobody can reconstruct the access map.

Joiyn fixes all three: the email is your verified agency identity, the role is what you specified (immutable), and every grant is timestamped and logged in your dashboard.

GA4 role guide

Viewer — read-only access to reports and configurations. Right for audits, fractional analytics consulting, third-party reviewers.
Analyst — Viewer + create explorations, audiences, comparisons. Default for most paid-media agencies.
Editor — Analyst + edit property settings, events, conversions, data streams. Right when your agency owns the measurement plan.
Administrator — Editor + user management + delete property. Use only when your agency runs the entire analytics stack and account ownership.

Additionally, GA4 has two data restrictions on top of any role: "No Cost Metrics" and "No Revenue Metrics". Joiyn lets you stack these onto any role when the client requires data minimization (common in e-commerce engagements where the brand doesn't want the agency to see margin data).

Common pitfalls

Client doesn't have admin rights on the property. They can grant their own role but not yours. Joiyn detects this and prompts the actual property admin instead.
Client has multiple Google accounts. Common with founders who own properties on different accounts. Joiyn shows which account they signed in with; one-click switch.
"Universal Analytics" confusion. Universal Analytics was sunset July 2023. Joiyn only requests GA4 — if the client has only legacy UA data, that's a separate migration conversation.

Frequently asked questions

Do I need a Google Workspace account, or does Gmail work?

Either works at the GA4 level. Best practice: use a Workspace email at your agency domain (e.g. [email protected]) so the grant survives staff turnover. Personal Gmail accounts work but tie the access to one individual.

Can I bundle GA4 with Google Ads access in one flow?

Yes. Joiyn lets you stack Google Ads + GA4 + Tag Manager + Search Console + Merchant Center + Business Profile into a single connect link. The client confirms once; every asset is granted in parallel. See Google integrations.

What about data minimization for HIPAA / GDPR-sensitive clients?

Joiyn supports the "No Cost Metrics" and "No Revenue Metrics" data restrictions GA4 provides. For deeper privacy needs (e.g. PII-redaction at the property level), that's a configuration the client retains control of in GA4 settings — Joiyn doesn't override or bypass it.

Can the client revoke access?

Any time. They go to GA4 → Admin → Property Access Management → find your email → remove. The grant is a direct Google permission, not held by Joiyn. Cancelling Joiyn doesn't revoke existing grants.

GA4 access, safely.

Scoped role, audit-logged, no password sharing. 7-day free trial — no credit card.

Start free trial See pricing

How do I safely request a client's .css-9c7hvy{font-style:italic;color:var(--joiyn-coral);}Google Analytics 4 access?