Permissions
Control which tools each API key can access
Granular Permissions
Metrifyr allows you to control exactly which tools each API key can access, providing flexible and secure access control.
Permission Levels
Permissions work at three levels:
1. OAuth Scope Level
When you connect your Google account, you choose which services to authorize:
- ✅ Google Analytics (analytics.readonly, analytics.edit)
- ✅ Search Console (webmasters.readonly, webmasters)
- ✅ AdSense (adsense.readonly)
- ✅ Tag Manager (tagmanager.readonly, tagmanager.edit.containers)
If you don't grant a scope, no API key can access those tools - even if you enable the corresponding service for the key.
2. Service Level (Tool Groups)
When creating an API key, enable/disable entire services:
| Service | Tools | Description |
|---|---|---|
| Analytics | 22 tools | All GA4 functionality |
| Search Console | 7 tools | All GSC functionality |
| AdSense | 6 tools | All AdSense functionality |
| Tag Manager | 13 tools | All GTM functionality (Beta) |
| SEO | 10 tools | PageSpeed, Trends, audits |
Example: Disable AdSense tools for a public demo API key to prevent revenue data exposure.
3. Tool Level (Coming Soon)
Fine-grained control over individual tools:
- Enable
- Enable `ga4_list_properties` but disable `ga4_create_property`
- Enable `gtm_list_tags` but disable `gtm_delete_tag`
Currently, tools are managed at the service level. Tool-level permissions are coming in a future update.
Configuring Permissions
During API Key Creation
- Go to Dashboard > API Keys
- Click "Create API Key"
- Toggle service groups on/off
- Click "Create"
Editing Existing Keys
- Find the key in the API Keys table
- Click on the key name
- Toggle services on/off
- Click "Save"
Changes take effect immediately - no need to restart your MCP client.
Use Cases
1. Read-Only Access
Create a key for public demonstrations that can only read data:
Enabled:
- ✅ Analytics (read-only tools)
- ✅ Search Console (read-only tools)
Disabled:
- ❌ AdSense (no revenue exposure)
- ❌ Tag Manager (no configuration changes)
- ❌ SEO (unnecessary for demo)
2. Developer Access
Give a developer access to test environments only:
Enabled:
- ✅ Analytics (for test properties)
- ✅ SEO tools (for performance testing)
Disabled:
- ❌ AdSense (production revenue data)
- ❌ Search Console (production search data)
- ❌ Tag Manager (production tracking setup)
Use Memory to restrict to test properties only.
3. Client Access
Give a client limited access to their own data:
Enabled:
- ✅ Analytics (their properties only)
- ✅ Search Console (their sites only)
Disabled:
- ❌ AdSense (you manage this)
- ❌ Tag Manager (you manage this)
- ❌ SEO (they don't need this)
4. CI/CD Pipeline
Create a key for automated testing:
Enabled:
- ✅ Analytics (for integration tests)
Disabled:
- ❌ All other services (not needed)
Minimal permissions reduce attack surface.
Permission Inheritance
Permissions are checked in this order:
- OAuth scope - Do you have the Google permission?
- API key service - Is the service enabled for this key?
- Tool availability - Is the tool implemented?
If any level denies access, the request fails.
Example:
```text
Request: ga4_run_report
├─ OAuth scope: analytics.readonly ✅
├─ API key service: Analytics enabled ✅
└─ Tool available: Yes ✅
Result: Request succeeds

Request: adsense_generate_report
├─ OAuth scope: adsense.readonly ✅
└─ API key service: AdSense disabled ❌
Result: Permission denied
```
Error Messages
"Permission denied: service not enabled"
Cause: The tool's service is disabled for your API key.
Fix:
- Go to Dashboard > API Keys
- Edit the key
- Enable the required service
"Permission denied: missing OAuth scope"
Cause: You haven't granted the required Google OAuth scope.
Fix:
- Go to Dashboard > Connection
- Reconnect Google
- Grant the missing scope
"Unauthorized"
Cause: API key is invalid or revoked.
Fix:
- Verify the key in your MCP config
- Check that it's still active in the dashboard
- Create a new key if needed
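The check order from the Permission Inheritance section and the error messages above, as an added Python model of the decision logic (example code, not Metrifyr's own implementation). The tool-to-scope mapping, the `implemented` flag, the `ga4_future_tool` placeholder and the wording of the "tool not available" message are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed registry: tool -> (service group, required OAuth scope, implemented).
# Service groups and scope names are the ones listed on this page; which scope each
# tool needs, the `implemented` flag and `ga4_future_tool` are assumptions.
TOOL_REGISTRY = {
    "ga4_run_report":          ("Analytics",   "analytics.readonly",         True),
    "ga4_list_properties":     ("Analytics",   "analytics.readonly",         True),
    "ga4_create_property":     ("Analytics",   "analytics.edit",             True),
    "adsense_generate_report": ("AdSense",     "adsense.readonly",           True),
    "gtm_list_tags":           ("Tag Manager", "tagmanager.readonly",        True),
    "gtm_delete_tag":          ("Tag Manager", "tagmanager.edit.containers", True),
    "ga4_future_tool":         ("Analytics",   "analytics.readonly",         False),
}

@dataclass(frozen=True)
class ApiKey:
    active: bool                 # False once the key is revoked in the dashboard
    enabled_services: frozenset  # service groups toggled on for this key

@dataclass(frozen=True)
class GoogleConnection:
    granted_scopes: frozenset    # scopes authorised when the Google account was connected

def check_permission(tool: str, key: ApiKey, conn: GoogleConnection) -> tuple:
    """Evaluate one tool request. Levels run in the page's order (OAuth scope,
    API key service, tool availability); the first level that denies ends the
    evaluation, so the caller gets exactly one reason."""
    if not key.active:
        return False, "Unauthorized"
    entry = TOOL_REGISTRY.get(tool)
    if entry is None:
        return False, "Permission denied: tool not available"  # assumed wording
    service, scope, implemented = entry
    if scope not in conn.granted_scopes:
        return False, "Permission denied: missing OAuth scope"
    if service not in key.enabled_services:
        return False, "Permission denied: service not enabled"
    if not implemented:
        return False, "Permission denied: tool not available"  # assumed wording
    return True, "Request succeeds"

def demo_key_decisions() -> dict:
    """Public demo key from the Use Cases section: Analytics + Search Console only,
    with the Google account connected for read-only analytics and AdSense scopes."""
    demo_key = ApiKey(active=True, enabled_services=frozenset({"Analytics", "Search Console"}))
    conn = GoogleConnection(granted_scopes=frozenset({"analytics.readonly", "adsense.readonly"}))
    return {tool: check_permission(tool, demo_key, conn) for tool in TOOL_REGISTRY}

if __name__ == "__main__":
    for tool, (ok, msg) in demo_key_decisions().items():
        print(f"{'✅' if ok else '❌'} {tool}: {msg}")
```

Running it reproduces the two requests in the diagram above: `ga4_run_report` succeeds and `adsense_generate_report` is denied at the service level even though the AdSense scope was granted.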
Security Best Practices
Principle of Least Privilege
Only enable what you need:
❌ Too broad:
- All services enabled for all keys

✅ Least privilege:
- Production key: Analytics + Search Console only
- Development key: All services (test data only)
- Demo key: Analytics read-only (no AdSense)

Separate Keys for Different Purposes
Don't reuse the same key everywhere:
✅ Good:
- Claude Desktop (personal) - All services
- CI/CD pipeline - Analytics only
- Public demo - Analytics read-only
❌ Bad:
- One key for everything - no isolation
Regular Audits
Review API key permissions quarterly:
- List all API keys
- Check which services are enabled
- Verify they're still needed
- Revoke unused keys
- Tighten permissions where possible
Monitor Permission Changes
Watch for unauthorized permission changes:
- Check audit log in dashboard
- Set up alerts for permission edits (coming soon)
- Review regularly
Coming Soon
Tool-level permissions:
- Enable/disable individual tools
- Example: Allow `gtm_list_tags` but block `gtm_delete_tag`
Role-based access:
- Predefined roles: Viewer, Editor, Admin
- Assign roles to API keys
Time-based permissions:
- Temporary access grants
- Auto-revoke after expiry
IP restrictions:
- Limit API key usage to specific IP ranges
- Useful for server-side integrations