Connect Google Analytics GA4 to Outloop
In short
Google Analytics GA4 uses OAuth, not an API key.
You enable the GA4 Admin and Data APIs, create one Google Cloud OAuth client, and exchange it for a refresh token. Outloop stores the OAuth credential locally in macOS Keychain, pins it to the numeric GA4 Property ID, and lets agents use it only through the API Bridge — minting short-lived access tokens host-side, so the agent never sees the Google token.
What this setup gives you
You will enable the GA4 APIs in Google Cloud, create a Google OAuth client, generate a refresh token, copy the numeric GA4 Property ID into Outloop, and run a first proof through your agent. Outloop stores the credential locally and uses it through the API Bridge — the agent never sees the Google refresh token or access token.
client_secret, refresh_token, access_token, Authorization header, or Bearer token. Their only destination is the Outloop Mac app — never Outloop Cloud, the website, chat, docs, or .env files.
What you need before starting
- ✓Access to a Google Cloud project.
- ✓Access to the relevant GA4 property.
- ✓Outloop installed and activated, with a workspace selected.
- ✓The Google Analytics Admin API and Google Analytics Data API enabled (Step 1).
1. Enable the two GA4 APIs
In Google Cloud Console, open APIs & Services → Library, search Google Analytics Admin API, and click Enable. This is the configuration API (account and property summaries).
Go back to the Library, search Google Analytics Data API, and click Enable. This is the report-data API.
2. Create an OAuth client
In Google Auth Platform → Clients, create a new OAuth client. Choose Application type: Web application, name it Outloop GA4 OAuth, leave Authorized JavaScript origins empty, and under Authorized redirect URIs add the OAuth Playground URL:
https://developers.google.com/oauthplayground
Click Create, then copy the Client ID and Client secret from the dialog.
3. Get a refresh token (OAuth Playground)
Open developers.google.com/oauthplayground, click the gear icon, and set: OAuth flow Server-side, Access type Offline, Force prompt Consent Screen, and check Use your own OAuth credentials. Paste the Client ID and Client secret (do not screenshot the pasted secret).
In Step 1, paste the Analytics scopes into Input your own scopes and click Authorize APIs:
https://www.googleapis.com/auth/analytics.readonly   (read-only, recommended for the first proof)
# or, for approved GA4 Admin writes:
https://www.googleapis.com/auth/analytics.edit
https://www.googleapis.com/auth/analytics
analytics.edit + analytics only if you want approved GA4 Admin write actions. Outloop still keeps deletes and Measurement Protocol blocked by runtime policy.
After approving the Google consent screen, OAuth Playground returns to Step 2. Click Exchange authorization code for tokens and copy the refresh_token (do not screenshot or publish it).
4. Find the numeric GA4 Property ID
Outloop needs the numeric Property ID — not the G-… Measurement ID. In Google Analytics, open Admin → Property details. The numeric PROPERTY ID is at the top right — click the copy icon to copy it.
Correct (numeric Property ID): 540642806
Wrong (Measurement ID): G-XXXXXXXXXX
G-… Measurement ID — that belongs to the web stream tag, not the API. Go to Property details and copy the numeric Property ID instead.
5. Add Google Analytics GA4 in Outloop
In Outloop, open API Access → Add an API key and choose Google Analytics GA4. Use Agency-global / shared when the same Google user can access multiple GA4 properties and you want to grant workspaces over time — tick the workspace that should use it. Outloop still pins runtime use to the specific numeric GA4 Property ID you enter.
6. Fill the OAuth fields and set up
Paste the values you collected, then click Set up Google Analytics GA4 OAuth:
- →Client ID and Client Secret from Google Cloud.
- →Refresh Token from the OAuth Playground.
- →GA4 property ID — the numeric ID only (e.g. 540642806), never the G-… Measurement ID.
- →OAuth scope — match the scope you authorized. Read-only is recommended; Read + write enables approved GA4 Admin writes (deletes and Measurement Protocol stay blocked).
7. View the stored key
Outloop confirms the credential is stored in macOS Keychain with secret_exposed: false. Click View in stored keys to open the key row and copy the workspace run prompt.
8. Run the first proof
Paste the workspace run prompt into your agent. The first proof verifies GA4 access through Outloop with a read of your account and property summaries:
GET /v1beta/accountSummaries
A successful, verified Outloop proof looks like this:
decision / code: allow / OK
HTTP status: 200
service: google_analytics
secret_exposed: false
GA identity: accountSummaries[].propertySummaries[].property = properties/PROPERTY_ID
runtime-verified: yes
The setup is complete when the proof shows runtime-verified: yes and secret_exposed: false. Your agent can now use Google Analytics GA4 through Outloop; the Google OAuth credential stays in macOS Keychain, and the agent never sees the refresh token or access token.
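Added example (not Outloop's own code): a Python check of the completion criteria above, which also confirms that the pinned property appears in the accountSummaries response and that nothing token-shaped reached the agent. It assumes the proof is available as one key: value field per line and the response body as JSON; the prefixes ya29., 1// and GOCSPX- are commonly observed shapes of Google access tokens, refresh tokens and client secrets, used here as a heuristic, and all function names and sample data are constructed.

```python
import json
import re

# Constructed sample proof; the one-field-per-line layout is an assumption.
SAMPLE_PROOF = """\
decision / code: allow / OK
HTTP status: 200
service: google_analytics
secret_exposed: false
runtime-verified: yes
"""
# Constructed sample body for GET /v1beta/accountSummaries (account ID is made up).
SAMPLE_BODY = json.dumps({"accountSummaries": [{
    "account": "accounts/1000001",
    "propertySummaries": [{"property": "properties/540642806"}],
}]})
# Heuristic shapes of Google OAuth secrets that must never reach the agent.
TOKEN_SHAPES = re.compile(
    r"ya29\.[\w.-]{20,}|\b1//[\w-]{20,}|GOCSPX-[\w-]{10,}|Bearer\s+[\w.-]{20,}")

def parse_proof(text):
    """Split 'key: value' lines into a dict, keyed on the text before the first colon."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_proof(proof_text, body_json, property_id):
    """Return a list of problems; an empty list means the proof holds."""
    problems = []
    if not re.fullmatch(r"\d+", property_id):
        problems.append("property ID must be numeric (G-... is the Measurement ID)")
    fields = parse_proof(proof_text)
    expected = {"HTTP status": "200", "secret_exposed": "false", "runtime-verified": "yes"}
    for key, want in expected.items():
        if fields.get(key) != want:
            problems.append(f"{key} is {fields.get(key)!r}, expected {want!r}")
    if not fields.get("decision / code", "").startswith("allow"):
        problems.append("bridge decision is not allow")
    seen = {p.get("property") for a in json.loads(body_json).get("accountSummaries", [])
            for p in a.get("propertySummaries", [])}
    if f"properties/{property_id}" not in seen:
        problems.append("pinned property not in accountSummaries (user lacks access?)")
    if TOKEN_SHAPES.search(proof_text + body_json):
        problems.append("token-shaped string in agent-visible output")
    return problems
```
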
Verified vs not claimed yet
- Verified: GA4 read access through Outloop: accountSummaries returned HTTP 200 with decision allow, an audit entry, the property identity (properties/{property_id}), and secret_exposed: false.
- Supported, not verified yet: GA4 Admin write actions under the wider analytics.edit scope: permitted through bridge policy when authorized, but not runtime-verified in this guide.
Troubleshooting
I pasted a value that starts with G-
That is the Measurement ID, not the GA4 Property ID. Go to Admin → Property details and copy the numeric Property ID (e.g. 540642806).
I do not see a refresh token
In the OAuth Playground, confirm Use your own OAuth credentials is checked, Access type is Offline, Force prompt is Consent Screen, and the redirect URI in Google Cloud is exactly https://developers.google.com/oauthplayground. Then authorize again.
The proof returns 403
Usually the Google user who created the refresh token does not have access to that GA4 property, or the wrong OAuth scope was authorized. Confirm the user's GA4 access and that the scope in Outloop matches the scope you authorized in the OAuth Playground.
The proof shows a config issue
Check that both the Admin API and the Data API are enabled, the client ID and secret are correct, the refresh token is pasted, the Property ID is numeric, and the scope in Outloop matches the scope authorized in the OAuth Playground.
Adding another GA4 property
Reuse the same Google Cloud project and OAuth client if the same Google user has access. In Outloop, add another Google Analytics GA4 entry or assign the shared connector to the right workspace, and always pin the correct numeric GA4 Property ID.
Outloop is available with guided onboarding for agency teams. Outloop is an independent tool and is not affiliated with or endorsed by Google. See the security model, the Google Search Console setup guide, or the Google Ads API setup guide.
Once the read proof succeeds, your agent can use Google Analytics GA4 through Outloop — without seeing the OAuth token.