
How One Agency Offboarded a Media Buyer in a Single Click

Davide Ferraro

Agency Operations Lead

The resignation landed on a Friday afternoon, which is when resignations always seem to land. A senior media buyer — three years in, trusted, fast — was moving on, and his access was spread across roughly sixty client accounts in more than a dozen Business Managers. For most agencies that sentence describes the start of a bad week. For this one, it described a two-minute task. This is the story of how the agency turned the hardest task in agency security — revoking a departing media buyer's ad account access everywhere in one move — into a single click, and why the trick was not a clever offboarding checklist but a decision made years earlier about who ever holds a login at all.

Quick answer: Offboarding a media buyer is only a fire drill when the buyer holds raw platform credentials that must be hunted down and rotated. This agency connected each client's Business Manager once through a System-User token and gave buyers internal roles instead of logins. So when one resigned, removing his role cut access across every account and platform at once — no credential hunt, no password rotation, no missed door left open.

This is a composite story drawn from how agencies actually scale, but the failure mode and the fix are real. The names and exact numbers are illustrative; the offboarding nightmare — and the way to make it disappear — are not.

The Friday resignation

The buyer's note was gracious and gave two weeks. The operations lead's first thought was not about the handover of campaigns — that part was routine. It was about the keys. Over three years this person had touched Meta, Google, TikTok, and Taboola accounts for dozens of clients. Somewhere in that history were credentials, two-factor codes, saved sessions, and standing permissions, and the agency's obligation to every one of those clients was simple: the moment trust ended, access ended.

The problem most agencies discover at exactly this moment is that they do not actually know where all the access lives. A buyer who has worked sixty accounts has, over time, been added to client Business Managers, handed a shared login here, granted a partner permission there, and saved a session on a laptop nobody controls. The departure does not create the risk. It reveals a risk that was sitting there the whole time.

A resignation is an audit you did not schedule. It asks one question — "what can this person still touch tomorrow?" — and the honesty of your answer is decided years before, by how you let them in.

The old nightmare, account by account

Picture the offboarding this agency would have run in its earlier years. The operations lead opens a spreadsheet of clients and starts working down it. For each account: which login did this buyer use? Was it a shared client credential or a named seat? If shared, the password has to change — but changing it locks out the other two buyers who use the same login, so that has to be coordinated. The two-factor seed tied to that login has to be re-issued. Then the same dance on the next account, and the next, sixty times, across four platforms with four different permission models.

And that is the optimistic version, where every credential is written down. The realistic version has gaps: a login saved in the buyer's personal password manager the agency never sees, a client Business Manager where he was added directly as a user outside the agency's records, a partner grant that does not show up in the obvious place. Every one is a door that stays open after he leaves, and the agency cannot rotate a credential it does not know exists.

The deepest flaw in credential-based offboarding is that it is a search problem, and you can only revoke what you can find. "We think we got all of them" is not a sentence any agency wants to say to a client whose account was touched after an employee left.

Why shared credentials make offboarding a security incident

The reason this is so painful traces back to a single choice: letting individual buyers hold raw platform logins. The dynamics of that choice are laid out in "why shared logins are killing your ad agency", and offboarding is where the bill comes due. A credential is a copyable thing. Once a person has it, it can live in a browser, a phone, a notes app, a password manager you do not administer. Revoking it means finding and neutralizing every copy, and you can never be fully certain you have.

It gets worse the more accounts a buyer manages, which is exactly backwards. A buyer trusted with sixty accounts is your most valuable operator and, on the day they leave, your largest exposure. The agencies that try to solve this with separate logins per buyer per client end up drowning in credentials — the trap dissected in "separate logins versus a real operating layer" — and have simply multiplied the doors they will later have to find and lock. More logins is not more security; it is more surface area to forget.

Treating a buyer's departure as a credential-rotation project means you have already lost. The only offboarding that is actually safe is the one where there was never a credential in the buyer's hands to rotate — where access was a role the system grants and the system can take back, not a secret the person carries away.

The difference: the buyer never held a Meta login

Here is what made this agency's Friday a non-event. Years earlier it had stopped giving buyers platform credentials at all. Each client's Business Manager was connected to the agency's operating layer once, through a System-User token — a platform-level credential connected a single time, after which the layer discovered the client's connected Business Managers and accounts automatically. That token belonged to the system, not to any person. No buyer ever saw it, typed it, or saved it.

Buyers, instead, operated through internal roles on top of that connection. A buyer logged into the agency's operating layer with their own named seat and a scoped role, and from there launched, edited, and reported across every platform the client ran — Meta, Google, TikTok, Taboola, and the rest — without ever touching a native login. The same arrangement that makes onboarding clean, described in "how to onboard a client account without sharing a Meta login", is what makes offboarding instant. The buyer's power to act came entirely from a role the agency controlled, and a role is not a secret: it cannot be copied to a laptop or saved in a browser, because there is nothing to copy. It is a switch the system holds, and the system can flip it.

The whole offboarding problem dissolves the moment access stops being a credential the person carries and becomes a role the system grants. You cannot lose what you never handed out, and you cannot fail to revoke what was never a secret in the first place. The fix for the bad week is a decision made on the first day.

The one-click revoke

So the actual offboarding took one action. On the buyer's last day, the operations lead opened the agency's operating layer, found his named seat, and removed his role. That was the entire procedure. Because his ability to touch any account flowed through that single internal role — not through sixty scattered credentials — pulling it ended his access to every connected Business Manager and every platform at the same instant. No spreadsheet of logins. No password changes rippling across shared credentials and locking out his colleagues. No two-factor seeds to re-issue. No client Business Managers to comb through hoping he had not been added somewhere off the books.

And, crucially, nothing else broke. The System-User token the whole team operated through stayed exactly as it was, so every other buyer kept working without interruption and not a single account had to be reconnected. The agency removed one person from the system; it did not disturb the system. The contrast with the credential-rotation nightmare is total: one is a controlled administrative action that takes seconds, the other is a multi-day search-and-hope across four platforms. Avoiding this exact scenario is one of the agency permission mistakes worth designing around from the start, because you cannot retrofit it cleanly under the pressure of an actual departure.

One-click offboarding is not a feature you bolt on at the end. It is the natural consequence of a sound permission model: if access is a role and the role lives in one place, revoking it is one motion. The agencies that can do this never had to learn how — they simply never gave anyone a key that could outlive their employment.

The audit trail that confirmed it was clean

Revoking access answered "can he still touch anything?" with a clean no. The second question every responsible offboarding asks is "what did he touch before he left?" — and because every buyer operated under a named role, the answer was equally clean. Every change the departing buyer had made was attributed to him by name and timestamp in the action history. The operations lead filtered the trail to his seat, narrowed it to his final weeks, and read down a short, ordered list of exactly what he had done across every client account.

There was nothing unusual to clean up, and now the agency could say so with evidence rather than hope. The two clients on his roster were handed to a new lead with a complete, attributed map of his recent changes — no orphaned decisions. In the old shared-login world that review was impossible: changes were stamped with a shared owner identity, so there was no way to isolate one person's footprint. Named roles made the departure auditable as well as instantly revocable — the two things a clean offboarding actually requires.
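
The revoke and the audit filter described in the last two sections, as an added sketch that is not code from the article or from any vendor. The `OperatingLayer` class, its method names, the seat names, account ids and token strings are all hypothetical and constructed for illustration; the point is that the token never leaves the broker, one role removal cuts every account at once, and denied attempts after the revoke still land in the trail under the named seat.

```python
from datetime import datetime, timezone

class OperatingLayer:  # hypothetical broker: it holds the system tokens, people hold only roles
    def __init__(self):
        self._tokens = {}    # business_manager_id -> system token (never returned to a seat)
        self._accounts = {}  # ad_account_id -> business_manager_id
        self._roles = {}     # named seat -> set of ad_account_ids the role covers
        self.audit = []      # append-only action history

    def connect(self, bm_id, token, account_ids):
        self._tokens[bm_id] = token
        self._accounts.update({a: bm_id for a in account_ids})

    def grant(self, seat, account_ids):
        self._roles.setdefault(seat, set()).update(account_ids)

    def revoke(self, seat, by):
        removed = self._roles.pop(seat, set())  # one motion; tokens and other seats untouched
        self._log(by, "revoke_role", seat, True)
        return len(removed)

    def act(self, seat, account_id, action):
        allowed = account_id in self._accounts and account_id in self._roles.get(seat, set())
        self._log(seat, action, account_id, allowed)  # denied attempts are recorded too
        if not allowed:
            raise PermissionError(f"{seat} has no role on {account_id}")
        token = self._tokens[self._accounts[account_id]]  # a real layer calls the platform API with it here
        return f"{action}:{account_id}:ok"

    def _log(self, actor, action, target, allowed):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                           "action": action, "target": target, "allowed": allowed})

    def trail(self, seat):
        return [e for e in self.audit if e["actor"] == seat]

def demo():
    layer = OperatingLayer()
    layer.connect("bm_1", "constructed-token-1", ["act_101", "act_102"])  # constructed sample data
    layer.connect("bm_2", "constructed-token-2", ["act_201"])
    layer.grant("buyer.leaving", ["act_101", "act_102", "act_201"])
    layer.grant("buyer.staying", ["act_101"])
    layer.act("buyer.leaving", "act_201", "edit_budget")
    cut = layer.revoke("buyer.leaving", by="ops.lead")
    try:
        layer.act("buyer.leaving", "act_101", "launch_campaign")
        blocked = False
    except PermissionError:
        blocked = True
    still_ok = layer.act("buyer.staying", "act_101", "pull_report")
    return cut, blocked, still_ok, layer.trail("buyer.leaving")
```

A denied entry under a revoked seat is the signal worth alerting on after a departure: it shows someone still trying a door that is already closed.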

What this changes for client trust and risk reviews

The downstream effects reached past the IT side of the desk. When a prospective client — or their security team — asks an agency "what happens to access when one of your people leaves?", most agencies give a procedural answer about rotating passwords and revoking permissions, which quietly concedes that access was spread across credentials that now have to be chased. This agency could give a structurally better answer: our buyers never hold your platform credentials, so a departure is a single revocation, not a cleanup. That answer wins security reviews and the questionnaires that increasingly come with larger accounts and cyber-insurance renewals.

It also closes a quiet liability. An agency that cannot prove a former employee lost all access carries that exposure on every client it ever offboarded a buyer from. The System-User and named-role model converts that standing risk into a logged, instant, verifiable event. For the rest of the playbook on running multi-client access safely, the agency tools cluster collects the connected pieces — onboarding, permissions, the audit trail, and offboarding — into one operating model.

The lesson: if no one holds the credential, offboarding stops being a fire drill

Step back from the Friday and the lesson is almost embarrassingly simple. Every painful offboarding is the late bill for an easy onboarding — for the day someone handed a buyer a login because it was the fast way to get them working. The credential felt like a small convenience going in and became a security search going out, multiplied by every account the buyer ever touched.

The agencies that offboard in one click did not find a faster way to hunt down credentials. They removed the hunt entirely by never distributing credentials in the first place. Connect each account once through a System-User token, let buyers operate through named roles on top of it, and a resignation becomes what it should be: a moment of gratitude and a single click, not a week of dread and a lingering doubt about the door you might have left open. Wevion's plans start at a permanent free tier (€0), then Starter at €99/mo, Pro at €499/mo, and Plus at €1,499/mo, with a 14-day trial on every paid tier that coexists with the free plan — enough to connect a Business Manager through a System-User token and feel, before you commit, how different offboarding becomes when nobody ever held the key.
