How an Agency Onboarded 80 Client Accounts Without a Single Shared Login

The breaking point arrived, as it usually does, as a spreadsheet. A media-buying agency that had grown from a handful of clients to a sprawling portfolio kept a tab called "Logins" — one row per client, columns for username, password, 2FA backup, and the date it last changed. The day that sheet crossed eighty rows, the operations lead stopped scrolling and admitted the obvious: this was not a system, it was a liability with a search bar. This is the story of how that agency learned to onboard client ad account without sharing login credentials at all — one System-User token entered once, auto-discovery surfacing every account, and internal roles instead of passwords.

This is a composite drawn from common agency patterns, but the failure mode and the fix are real. The exact numbers are illustrative; the credential sprawl, and the way it gets dangerous as an agency scales, is not.

The breaking point: a login for every client

For its first few years, the agency onboarded clients the only way it knew. A new client signed, and the kickoff call ended with the same awkward request: "Can you share your Meta login so we can get into the ad account?" Sometimes the client handed over their personal Facebook password. Sometimes they created a throwaway user with admin rights. Either way, the agency walked away with one more credential to store, and the "Logins" tab grew another row.

At ten clients this was annoying. At eighty it was a full-time risk. Every password that changed on the client side broke access silently until a campaign went stale. Every 2FA prompt landed on a phone belonging to one person, who became a single point of failure for the entire book of business. And nobody could answer the question that should have a one-word answer: who, exactly, has access to this client's account right now?

Why the shared logins were the actual risk

The agency had assumed its risk lived in performance — a bad week, a missed target. The real exposure was the login sheet. As we lay out in why shared logins are killing your ad agency, a shared credential is the worst of every world at once: it cannot be attributed, cannot be safely revoked, and cannot be audited.

Three failures stacked up. First, 2FA seeds and passwords lived in a password manager, so access to one vault was access to eighty clients — a breach surface no client would have approved. Second, juniors had full access by default, because a shared login has no notion of roles; handing a new buyer "the password" handed them everything. Third, offboarding was a manual hunt: when a buyer left, someone had to remember every Business Manager that buyer had touched and pull access by hand, account by account, hoping nothing was missed.

That last one kept the operations lead up at night. A departing buyer with lingering access across dozens of client Business Managers is the default outcome of a shared-login model — exactly the kind of gap catalogued in our rundown of agency ad account permission mistakes.

The shift: connect with a token, not a password

The change was less a new tool than a new mental model: stop treating account access as a credential to collect, and start treating it as a connection to establish once. The agency moved its portfolio onto Wevion and connected client accounts through a System-User token rather than a personal login.

The mechanics were almost anticlimactic. For each client, the agency established a System-User token against the client's Business Manager — a sanctioned, machine-level connection that does not depend on anyone's personal password or 2FA. The token was entered once. Then auto-discovery did the part that used to take an afternoon: reading the business_id, it surfaced every ad account and Business Manager that token could reach and pulled them into the workspace automatically — no copying account IDs between screens, no missed accounts discovered three weeks later.

A shared login is a secret you have to protect forever. A System-User token is a connection you establish once and then govern — the distinction explored in separate logins versus a multi-brand operating layer. The agency was no longer in the business of storing passwords. It was in the business of granting access.

Mapping the team to roles, not credentials

With accounts connected, the agency faced the question that the shared-login era had never let it ask cleanly: who on the team should be able to do what, on which client?

Internal role-based access made that a configuration, not a credential. Each buyer was given a role scoped to the accounts they actually worked. A senior on the enterprise roster got broad access there and none on the small-business book. A junior got exactly the accounts assigned to them and nothing else. Crucially, granting that access never involved handing over a Meta login — the underlying token stayed with the agency, and the buyer simply operated inside the workspace under their named role.

This is the half of the system shared logins make impossible. You cannot scope a password — you can only give it or withhold it. Roles let the agency grant the precise access a person needs and nothing more, which is the premise behind the disciplined onboarding flow we describe in the agency's first-week client onboarding playbook. Access became something you assign, review, and adjust — not a secret you hope stays contained.

Onboarding the next client in the first week

The proof showed up the next time the agency signed a client. In the old model, onboarding a new account was a multi-day, fraught affair: chase the client for credentials, store them, test access, discover a sub-account nobody mentioned, chase again, finally get a buyer working by the end of the second week.

The new flow collapsed that. The agency established the System-User token, auto-discovery surfaced the client's accounts and Business Managers in one pass, and the operations lead assigned buyers their roles. The buyer was working inside the workspace in the first week — not waiting on a password reset, not blocked by a 2FA prompt routed to someone on holiday. The client, for their part, was relieved not to be handing their personal Facebook password to an outside agency, turning an uncomfortable kickoff request into a point of confidence.

What changed for security and audit

The security story was the part the operations lead had not fully anticipated. Two things got dramatically better at once.

Offboarding went from a hunt to a click. When a buyer left, there was no list of Business Managers to comb through and no shared password to reset across eighty clients. The buyer's role was revoked in the workspace, and their access ended everywhere at once — in effectively one action. The "did we get all of it?" anxiety disappeared, because access had never been scattered across credentials in the first place.

And the agency could finally answer the access question. Because every buyer worked under a named role rather than a shared identity, the agency had a clear picture of who could touch what, and a record of who did — permissions decide who can change an account, and the trail records what they changed. An agency that runs its portfolio this way can tell any client precisely who has access and what they have done, which is a different conversation than "we think it was one of our buyers."

The portfolio view: one workspace, six platforms

The token-and-roles model was not a Meta-only convenience. The same principle — connect an account once, grant internal roles, never circulate a credential — extends across the six platforms the workspace supports: Meta, Google, TikTok, Taboola, Snapchat, and Outbrain. A client running Meta and TikTok and a little Taboola was no longer three login problems. It was one connected client in one workspace, with the agency's buyers working every channel under the same role they already had.

That consolidation finally retired the "Logins" tab for good. The agency was not managing eighty passwords across six platforms — a number that would have run into the hundreds of credentials. It was managing one portfolio, governed by roles, connected by tokens, visible in one place. The rest of the operating playbook lives in the agency tools hub.

On pricing, the model scales with the portfolio rather than the team: seats are unlimited on every plan, so adding buyers never costs more, and parallel accounts scale from three on the permanent Free tier (€0) up through Starter at €99/mo and Pro at €499/mo to unlimited on Plus at €1,499/mo (€1,199 annual, billed yearly at -20%), with Enterprise as a custom plan. Every paid tier includes a 14-day trial that coexists with the free plan.

The lesson: separate the operating layer from the credential

Asked what they would tell a younger version of the agency, the operations lead is direct: the mistake was treating account access and the operating tool as the same thing. They are not. The credential — the password, the 2FA seed — is the client's. The operating layer, where your buyers launch, edit, and report, is yours. The shared-login era fused them, and that fusion was the source of every problem: the sprawl, the offboarding hunts, the unanswerable access question.

Separating them is the whole fix. Connect the account once through a System-User token, let auto-discovery surface everything that token can reach, and give your team internal roles instead of passwords. Do that, and onboarding the eighty-first client looks like onboarding the first — a connection established and a few roles assigned — instead of one more row on a spreadsheet that should have stopped growing long ago. The agency that can onboard a client account without sharing a login is the one that can keep adding clients without its risk compounding alongside them.