Authentication
How Google OAuth and API keys work in Metrifyr
Metrifyr uses a two-layer authentication system: Google OAuth for accessing your data, and API keys for MCP server access.
How It Works
Claude/Cursor
↓ (uses API key)
MCP Server
↓ (authenticates with Metrifyr)
Metrifyr Platform
↓ (uses OAuth tokens)
Google APIs
- You connect your Google account to Metrifyr (one-time OAuth)
- You create an API key in the Metrifyr dashboard
- MCP server uses your API key to authenticate with Metrifyr
- Metrifyr uses your Google OAuth tokens to fetch data from Google APIs
Google OAuth Connection
What Scopes Are Requested?
When you click "Connect Google", Metrifyr requests these read-only scopes:
Google Analytics 4:
- analytics.readonly - Read GA4 data
- analytics.edit - Manage properties, events, conversions
Search Console:
- webmasters.readonly - Read search performance data
- webmasters - URL inspection
Google AdSense:
- adsense.readonly - Read revenue and performance data
Google Tag Manager (Beta):
- tagmanager.readonly - Read containers, tags, triggers
- tagmanager.edit.containers - Edit container configuration
- tagmanager.edit.containerversions - Create versions (no publishing)
See full OAuth scopes reference
Granular Permissions
You can choose which services to connect:
- ✅ Analytics only
- ✅ Search Console only
- ✅ AdSense only
- ✅ Tag Manager only (Beta)
- ✅ Any combination
When creating an API key, you can further restrict which tools are available.
Token Refresh
Your OAuth tokens expire after 1 hour. Metrifyr automatically refreshes them using the refresh token - you never need to re-authenticate unless you revoke access.
Revoking Access
You can revoke Metrifyr's access at any time:
- Go to Google Account Permissions
- Find "Metrifyr"
- Click "Remove Access"
Your API keys will stop working immediately.
API Keys
What Are API Keys?
API keys are credentials that authenticate the MCP server with Metrifyr. They're stored in your MCP client config and sent with every request.
Creating an API Key
- Go to Dashboard > API Keys
- Click "Create API Key"
- Give it a descriptive name (e.g., "Claude Desktop", "Cursor IDE")
- Select which tools to enable
- Copy the key - it's only shown once
Example API key format: mcp_1a2b3c4d5e6f7g8h9i0j
Security Best Practices
✅ Do:
- Store API keys in environment variables or MCP config
- Create separate keys for different machines/projects
- Revoke unused keys
- Use descriptive names to track usage
❌ Don't:
- Share API keys publicly (GitHub, Discord, etc.)
- Hardcode keys in source code
- Reuse the same key across multiple users
- Store keys in plaintext files
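One way to enforce the "don't hardcode" and "don't share publicly" rules is to scan repository content for key-shaped strings before it is pushed. The scanner below is an added example, not Metrifyr's or the MCP server's own code. It assumes real keys resemble the example format shown above (the exact length is not documented), and the file names and the METRIFYR_API_KEY variable are hypothetical.

```python
import re

# Assumption: real keys resemble the page's example, "mcp_" followed by
# 20 alphanumerics. The exact length is not documented, so accept 16 or more.
KEY_RE = re.compile(r"\bmcp_([A-Za-z0-9]{16,})\b")
# The documentation's own sample key is a placeholder, not a leak.
DOC_PLACEHOLDERS = {"mcp_1a2b3c4d5e6f7g8h9i0j"}


def looks_random(body):
    """Heuristic: generated keys mix letters and digits; identifiers such as
    mcp_googlemarketingserver do not."""
    return any(c.isdigit() for c in body) and any(c.isalpha() for c in body)


def redact(key):
    """Keep enough of the key to identify it, never all of it."""
    return key[:8] + "..."


def scan(files):
    """Return (path, line number, redacted key) for each hardcoded key."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in KEY_RE.finditer(line):
                key = match.group(0)
                if key in DOC_PLACEHOLDERS or not looks_random(match.group(1)):
                    continue
                findings.append((path, lineno, redact(key)))
    return findings


# Constructed sample input; names and key values are made up for the example.
SAMPLE = {
    "tools/report.py": 'import os\nAPI_KEY = "mcp_9z8y7x6w5v4u3t2s1r0q"\n',
    "start.sh": 'export METRIFYR_API_KEY="$KEY_FROM_SECRET_STORE"',
    "README.md": "Keys look like mcp_1a2b3c4d5e6f7g8h9i0j.",
    "server.py": 'SERVER_NAME = "mcp_googlemarketingserver"',
}

if __name__ == "__main__":
    for path, lineno, key in scan(SAMPLE):
        print(f"{path}:{lineno}: hardcoded Metrifyr API key {key}")
```

Any key the scanner finds in committed or shared content should be treated as exposed and revoked in the dashboard, not just deleted from the file.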
Key Permissions
Each API key can be configured with granular permissions:
Tool Groups:
- Analytics tools (22 tools)
- Search Console tools (7 tools)
- AdSense tools (6 tools)
- Tag Manager tools (13 tools, Beta)
- SEO tools (10 tools)
Memory:
- Enable/disable AI memory per key
- Useful for separating production vs development contexts
Learn more about API key configuration
Revoking API Keys
You can revoke an API key at any time:
- Go to Dashboard > API Keys
- Find the key to revoke
- Click "Revoke"
The key stops working immediately. Any MCP clients using it will get "Unauthorized" errors.
Security & Privacy
How Tokens Are Stored
- OAuth tokens are encrypted at rest in PostgreSQL
- API keys are hashed using bcrypt
- All communication uses HTTPS/TLS
What Data Does Metrifyr Store?
Metrifyr stores:
- Your email and name (from GitHub/Google login)
- OAuth access & refresh tokens (encrypted)
- API key hashes (not plaintext keys)
- Usage logs (tool calls, timestamps, success/failure)
- Memory items (if enabled)
Metrifyr does NOT store:
- Your Google Analytics data
- Your AdSense revenue
- Your Search Console data
- Query results from Google APIs
Data is fetched on-demand and returned directly to your MCP client.
Open Source
The MCP server is open source: github.com/freema/mcp-google-marketing
You can audit the code to verify security claims.
Rate Limits
Metrifyr enforces rate limits to prevent abuse:
- Free tier: 1,000 requests/day
- Pro tier: 10,000 requests/day (coming soon)