ga4audits
Back to Help Center

Security & Privacy

Can Tag & Analytics Audit modify my property?

No. We request only the analytics.readonly OAuth scope. Google's API rejects any write request from a read-only token with HTTP 403.

How OAuth scopes enforce read-only access

When you connect your Google account to Tag & Analytics Audit, you grant specific OAuth scopes. Tag & Analytics Audit requests only analytics.readonly. This scope is defined by Google as permitting read-only access to Analytics data. Google's API servers reject any write operations (create, update, delete) attempted with a token that only carries the readonly scope. with an HTTP 403 Forbidden response.

Modifying GA4 configuration requires the analytics.edit or analytics.manage.users scopes. Tag & Analytics Audit has never requested these scopes, and Google's OAuth consent screen shows you exactly which scopes were requested when you authorised the connection.

What analytics.readonly can and cannot do

The analytics.readonly scope permits:

  • Reading property settings via the Admin API (GET requests only).
  • Querying aggregated reporting data via the Data API (run reports).
  • Listing accounts, properties, and data streams.

It explicitly does not permit:

  • Creating or deleting custom dimensions, metrics, or audiences.
  • Changing property settings (timezone, currency, retention, etc.).
  • Creating or modifying data streams or measurement IDs.
  • Adding or removing user access to the property.
  • Configuring conversion events or linked services.

The audit is entirely observational

Tag & Analytics Audit reads your property configuration, analyses your data, and presents findings with recommendations. Acting on those recommendations. changing a data retention setting, updating a referral exclusion, enabling a feature. is always done by you, in the GA4 Admin UI, under your own account. Tag & Analytics Audit identifies what to change and tells you how; it cannot make those changes on your behalf.

Verifying for yourself

You can verify the exact scopes Tag & Analytics Audit was granted at any time by visiting myaccount.google.com/permissions, clicking on "Tag & Analytics Audit," and reviewing the listed permissions. You'll see "View your Google Analytics data". which corresponds to the readonly scope. and nothing else.

Still need help?

Contact our support team. we typically respond within 1 business day.

Contact Support