Activation required. AI access management must be enabled for your tenant before you can use it. To get started, contact the C1 support team for a walkthrough.
- Per-user OAuth (recommended). Each person authorizes with their own Google account, so every tool call runs under that user’s Analytics identity and permissions.
- Service account. A single Google service account authenticates everyone, so all tool calls reach Analytics as one shared identity.
How C1 connects to Google Analytics
C1 hosts the Google Analytics MCP server, so your users’ AI clients only ever see MCP tools — they never call Google Analytics directly. When an AI client calls one of these tools, C1 makes the matching request to the Google Analytics API using the credentials you configure here, then returns the result to the AI client. The credentials you set up below are what C1 uses to call Google Analytics on your users’ behalf.Before you begin
- AI access management must be enabled for your tenant. See Enable AI access management.
- A Google Cloud project where you can enable the Google Analytics Data API and create credentials.
- Access to the GA4 properties you want to query. The user or service account must already have at least Viewer access on those properties.
If you don’t see Google Analytics in your MCP server catalog, contact the C1 support team to enable it for your tenant.
Option 1: Set up per-user OAuth
With per-user OAuth, you register one Google OAuth client and each user authorizes individually. This keeps every action attributable to the user who took it, with only the access that user already has in Analytics.Create a Google OAuth client
Create an OAuth client in Google Cloud so C1 can prompt each user to authorize with their own Google account.Go to APIs & Services > OAuth consent screen. Choose Internal for a Workspace-only app or External for any Google account, and add the Analytics scopes. For read-only reporting, add
analytics.readonly.Go to APIs & Services > Credentials > Create Client > Web application. For full details, see Google’s Manage OAuth Clients documentation.
Register the server with OAuth
With your OAuth client ready, register the server and provide its credentials.Follow Register an MCP server and select Google Analytics from the catalog.
When you configure authentication, choose per-user OAuth and enter your OAuth client’s client ID and client secret, plus the scopes you configured.
Option 2: Use a service account
A Google service account authenticates every user as one shared identity. C1 signs a JWT with the service account’s key to obtain access tokens. Use this for automated reporting where per-user attribution in Analytics isn’t required.Create a service account and grant property access
Create a Google service account, download its key, and grant it access to the GA4 properties C1 will query.In the Google Cloud console, go to APIs & Services > Library and enable the Google Analytics Data API for your project.
Go to IAM & Admin > Service Accounts, create the service account, then generate and download a JSON key. For full details, see Google’s Create service accounts documentation.
Register the server with a service account
With your service account key ready, register the server and provide it as the credential.Follow Register an MCP server and select Google Analytics from the catalog.
When you configure authentication, choose OAuth2 — JWT bearer and provide the service account’s JSON key and the scopes you need, such as
analytics.readonly.How Google Analytics credentials are shared
How Google Analytics sees your users’ activity depends on the method you chose:- Per-user OAuth. Each user authorizes with their own Google account, so tool calls run under that user’s Analytics identity and inherit only the access they already have. Google attributes each action to the individual user.
- Service account. Every user’s tool calls use the one service account you configured, so Analytics sees a single shared identity. C1 still attributes each call to the individual user in the AI tool usage audit log.
Discover and govern tools
After you register the server, C1 runs tool discovery against Google Analytics. Discovered tools appear on the server’s Tools tab. Each tool starts as either Pending review or automatically Approved, depending on the option chosen when the server was set up or your tenant’s default tool settings in Settings > AI Connections. See Require tool approval and Default tool classification. Before anyone can call a Google Analytics tool, it must be approved, added to a toolset, and bound to an access profile. Continue to Govern tools and toolsets to set this up.Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn’t confirm that authentication is working. You confirm your Google Analytics credentials when an approved user successfully calls a Google Analytics tool from their AI client.
Manage your Google Analytics credentials
- Rotate the OAuth client secret in your Google Cloud project under APIs & Services > Credentials, then update the secret on the server’s authentication settings in C1.
- Rotate the service account key by generating a new JSON key in the Cloud Console, updating it in C1, then deleting the old key.
- Adjust access by editing the OAuth client’s scopes, or by changing the service account’s role in each GA4 property’s Property Access Management.