ResourcesGuides

How to connect Claude to Google Ads safely: a PPC specialist's checklist

Daniel Popa, founder of AdPlug
Daniel PopaFounder, AdPlug7 min read

Updated July 14, 2026

Minimal flat illustration on warm cream: the coral Claude starburst character plugging a large plug into a slate socket panel while a teal shield with a checkmark hovers beside the connection

Every week a PPC specialist asks me some version of the same question: I want Claude to work on my Google Ads account, but I am not handing an AI the keys to something that spends real money. Good. That instinct is correct, and this article is the checklist I wish existed when I first wired my own accounts up. It covers what connecting actually means technically, what can genuinely go wrong, and the seven things a safe setup must have before you grant access to anything.

What connecting Claude to Google Ads actually means

Claude cannot log into websites and it never sees your password. A connection happens through the Model Context Protocol, an open standard where a server (in our case, a hosted Google Ads MCP server) exposes a fixed menu of tools like "list accounts", "pull search terms", or "preview a budget change". Claude can only do what those tools allow, nothing else. Authorization happens with Google OAuth, the same mechanism you use when a reporting tool asks for access, and you can revoke it at any time from either side.

So the real question is not "is AI safe with my ad account" but "does the connection layer between the AI and the account enforce the right limits". That layer is what you should be evaluating.

The honest threat model

Four things can actually go wrong, and each has a specific mitigation:

  • Silent writes. The nightmare scenario: the AI pauses a campaign or rewrites budgets without you noticing. Mitigation: a connection layer where every write requires an explicit preview and confirmation, and where write access is off unless you turn it on.
  • Over-broad access. You wanted read-only reporting and accidentally granted full management. Mitigation: readable scopes at the consent screen and a read-only default.
  • Token theft. The stored credential leaks and someone else uses it. Mitigation: tokens encrypted at rest, never exposed to the AI itself, revocable instantly.
  • No paper trail. Something changed and nobody knows which tool call did it. Mitigation: a per-call audit log with user, account, action, and timestamp.

The 7-point safety checklist

Whatever tool you use to connect Claude (or ChatGPT) to Google Ads, hold it to these seven points. This is exactly the standard I built AdPlug against, and it is a fair standard to hold any vendor to:

  1. OAuth, never passwords. If a tool asks you to type your Google password anywhere except accounts.google.com, close the tab.
  2. Read-only by default. Analysis needs zero write access. Write mode should be something you explicitly enable, not the starting state.
  3. Preview before every write. The AI should show the exact change (the resource, the field, the old value, the new value) and wait for your confirmation.
  4. Encrypted credentials. Refresh tokens encrypted at rest (AdPlug uses Fernet, AES-128-CBC with HMAC), never handed to the model, never logged.
  5. A per-call audit log.Every tool call recorded: who, which account, which tool, when. You should be able to answer "what did the AI do last Tuesday" in one search.
  6. Instant revocation. Disconnecting should kill access immediately, and you should also be able to revoke from your Google account permissions page independently.
  7. No training on your data.Your performance data should answer your questions, not train anyone's model. Check the privacy policy actually says this.

AdPlug documents its answers to all seven publicly: the privacy policy, the data processing agreement, and the Google API disclosure cover encryption, storage, retention, and revocation in plain language.

The safe setup, in five minutes

The actual connection is quick: create an account, connect Google Ads with OAuth, paste one MCP server URL into Claude, authorize, and run a test prompt. Rather than duplicate every step here, follow the step-by-step Google Ads connection guide, which has screenshots and a two-minute video of the whole flow. The free tier is read-only and covers unlimited accounts, so you can complete this entire article without a card.

One habit worth adopting on day one: when Claude asks for tool permissions, leave read tools on "always allow" and set write tools to "ask every time". That puts a second confirmation layer inside Claude itself, on top of the preview step.

Turning on writes without losing sleep

Eventually analysis alone gets frustrating: the AI finds forty wasted search terms and you still have to add the negatives by hand. This is where most read-only tools leave you. With a preview-gated setup, the flow looks like this instead:

Prompt
Find search terms with more than $50 spent and zero conversions in the last 60 days. Preview adding them as campaign-level negatives. Do not execute until I confirm.

Claude pulls the report, drafts the negative list, and calls the preview tool. You see the exact operations that would run, campaign by campaign. Nothing has happened yet. You read it, adjust ("drop the two brand-adjacent terms"), then say execute. The change applies, and the audit log records both the preview and the execution. That is the entire trick: writes are fine when the default is "show me first".

If you manage client accounts and want a harder guarantee, keep the free read-only tier for client work and reserve write mode for accounts you own. Same checklist, stricter posture. And the same setup extends to LinkedIn Ads when you are ready, with the identical preview gate on every mutation.

Questions, answered honestly.

Is it safe to connect Claude to my Google Ads account?

Yes, when the connection layer enforces the right limits: OAuth instead of passwords, read-only by default, a preview step before every write, encrypted tokens, an audit log, and instant revocation. The AI model is not the risky part; the connection layer is what you should evaluate.

Can Claude change my campaigns without asking?

Not through AdPlug. Write access is off by default, and even when enabled, every mutation runs through a preview-confirm-execute flow: Claude shows the exact change and waits for your confirmation. The free tier is read-only entirely.

Does Claude see my Google password?

No. Authorization uses Google OAuth: you sign in on Google's own page and Google issues a scoped token. AdPlug stores that token encrypted (Fernet, AES-128-CBC + HMAC) and never exposes it to the AI.

How do I revoke access?

Two independent ways: click Disconnect in the AdPlug dashboard (deletes the stored token immediately), or remove AdPlug from your Google account's third-party access page. Either one cuts Claude off instantly.

Does the same checklist apply to ChatGPT?

Yes, point for point. ChatGPT connects to the same MCP server over the same OAuth flow, so the read-only default, preview gate, audit log, and revocation all behave identically whichever assistant you use.

Try this on your account.

Connect Google Ads and LinkedIn Ads to Claude or ChatGPT in two clicks. Free tier, read-only by default, no card required.