Google Ads API to require MFA, agencies face workflow disruption

Mandatory multi-factor authentication for the Google Ads API has turned what looks like a login change into an operations problem for agencies that depend on clean automation. Google said the rollout started on April 21, 2026, and will reach all users over the next few weeks, which means reporting pipelines, bidding tools and internal scripts now need a fresh look before access breaks.

The biggest risk sits in workflows that still rely on human OAuth credentials. Google’s Ads API documentation says 2-Step Verification can affect apps when they make API calls using a user’s OAuth credentials, and the API itself supports single-user, multi-user and service-account authentication patterns. That mix matters because many agency stacks use different methods for different client setups, from shared reporting dashboards to account-level bidding systems.

Google has also been blunt about credential handling. Its guidance says developers should treat OAuth app credentials with extreme care, and its account-security pages strongly encourage 2-Step Verification for Google Ads accounts because it helps protect accounts and sensitive data even if a password is stolen. For agencies, that pushes the change far beyond end-user security. It becomes a question of who owns each credential, which tools are tied to it and how much of the client operation depends on a person still being able to log in the old way.

Service accounts add another layer of complexity. Google’s service-account workflow uses OAuth 2.0 without human authorization, but Google also notes that service accounts require domain-wide impersonation and Google Workspace setup, and its production guidance recommends against using them for Google Ads API calls in many cases. That leaves agencies with an awkward balancing act: keep automations stable, but do it with a credential model that fits Google’s current recommendations.

The practical takeaway for agency leaders is simple enough, even if the work is not. Review every API-connected workflow, map which tools depend on user login behavior, and confirm whether access control, token reuse and credential ownership are documented. Google says Ads API changes are announced through its release notes and product blog, and teams that watch those channels closely will be better positioned to avoid a production surprise as the rollout completes.