MCP Servers vs Native API: Why Your AI Ads Tool Might Get Your Account Banned | Alethia
Back to Blog
AI & Automation

MCP Servers vs Native API: Why Your AI Ads Tool Might Get Your Account Banned

Aadil Saloojee 11 min read
MCPAPIsecurityGoogle AdsMetaadvertisingAI agentsOAuth
Hero image for MCP Servers vs Native API: Why Your AI Ads Tool Might Get Your Account Banned

MCP is everywhere. Since Anthropic launched the Model Context Protocol in late 2024, it’s become the default way to connect AI models to external tools. OpenAI adopted it. Google released an official MCP server for Google Ads. There are now thousands of community-built MCP servers for everything from Slack to Salesforce to spreadsheets.

For most use cases, MCP is genuinely useful. Connecting Claude to your codebase or letting ChatGPT query a database — great. The protocol solves a real problem.

But there’s a category where MCP servers create serious risk that nobody is talking about: advertising platform connections. Specifically, connecting AI agents to Google Ads, Meta, TikTok, and LinkedIn through community-built or commercial MCP servers.

The risk isn’t theoretical. Accounts are getting suspended. Credentials are being exposed. And the people using these tools often don’t understand why until it’s too late. (If you’re evaluating AI agents for campaign management, how they connect to ad platforms matters as much as what they can do.)

How MCP Connects AI to Ad Platforms

Quick primer if you’re not technical: MCP is a wire protocol. It lets an AI model (Claude, ChatGPT, Cursor) call external tools — “get my Google Ads performance data” or “pause this campaign” — through a standardised interface. The MCP server is the middleware that receives the request and talks to the platform API.

The appeal is obvious. Instead of building a custom Google Ads integration, you install an MCP server that someone else built. Five minutes of setup, and your AI assistant can manage your ad accounts. There are MCP servers for every major ad platform:

  • Google Ads — Google’s official read-only server plus dozens of community alternatives
  • Meta Ads — Multiple community servers, plus scraper-based tools
  • TikTok Ads — Community servers (TikTok has no official MCP server)
  • LinkedIn Ads — Mostly scraper-based (LinkedIn has no official MCP server)
  • Cross-platform — Commercial platforms like Adspirer that route through a central MCP endpoint

Sounds convenient. Here’s why it’s dangerous.

Risk 1: Shared Developer Tokens and Account Suspensions

Every advertising platform requires a developer token or app registration to access their API. Google Ads requires a developer token paired to a Google API Console project. Meta requires a registered app with Marketing API access. These are non-negotiable — the platform uses them to identify who’s making API calls and enforce their policies.

Here’s the problem: Google Ads API policy explicitly prohibits sharing developer tokens with third parties.

Google’s policy states that if you provide indirect access to your API token — which is exactly what a commercial MCP platform does — you risk token revocation if any user of that shared infrastructure violates policy. One bad actor on the platform, and every advertiser routing through that same MCP server loses API access simultaneously.

This isn’t hypothetical. In February 2026, Google acknowledged a growing backlog in developer token applications and introduced stricter conversion data requirements for new developers. Since April 2025, Google has been adding new error codes for invalid tokens. The trend is toward more enforcement, not less.

What this means practically: If you’re using a commercial MCP platform like Adspirer that routes your Google Ads API calls through their infrastructure, your account’s API access depends on every other advertiser on that platform behaving correctly. You have zero control over that risk.

Meta’s Rate Limit Crackdown

In October 2025, Meta slashed Instagram DM rate limits from 5,000 to 200 per hour — a 96% reduction that broke every non-official automation tool overnight. Meta’s Terms of Service explicitly prohibit automated access without prior permission, and the platform has demonstrated willingness to enforce this at scale.

Meta’s Terms of Service are explicit: automated access without prior permission is prohibited, regardless of whether you’re logged in. Several MCP servers in the ecosystem — including Apify’s Facebook Ads and LinkedIn Ads scrapers — don’t use official API credentials at all. They automate browser sessions or scrape public pages. This is the highest-risk pattern, and it’s packaged as a convenient MCP install.

Risk 2: Credential Exposure

Here’s a statistic that should concern anyone connecting AI tools to their ad accounts: 53% of MCP servers store long-lived static secrets rather than short-lived OAuth tokens. Only 8.5% use OAuth — the modern, secure standard for credential delegation.

That finding comes from Astrix Security’s analysis of over 5,200 open-source MCP server implementations on GitHub. For advertising platforms where credentials grant access to real campaign budgets, this is alarming.

What “Long-Lived Static Secrets” Means for Your Ad Account

When an MCP server stores a long-lived API key or access token in a config file, that credential:

  • Doesn’t expire — A stolen token works indefinitely
  • Can’t be scoped — It grants whatever access level it was created with
  • Isn’t rotated — The same credential sits in a plaintext file until someone manually changes it
  • Lives on third-party infrastructure — If you’re using a remote MCP server, your credentials are stored on someone else’s server

Compare this to proper OAuth 2.0 flows where access tokens expire in minutes to hours, refresh tokens can be revoked at the platform level, and permissions are scoped to specific actions.

The CVE That Should Have Been a Wake-Up Call

In 2025, CVE-2025-6514 — rated CVSS 9.6 (critical) — was discovered in mcp-remote, a popular OAuth proxy used in Cloudflare, Hugging Face, and Auth0 MCP integration guides. It had over 437,000 downloads.

The vulnerability allowed a malicious MCP server to achieve full remote code execution on the client machine through crafted OAuth metadata. In an advertising context, an attacker could:

  1. Publish a legitimate-looking “Google Ads Analytics MCP” server
  2. When an advertiser connects, steal their OAuth tokens for every connected platform
  3. Execute arbitrary commands on the advertiser’s machine

This isn’t a theoretical attack vector. Kaspersky documented real supply chain attacks in 2025 where malicious MCP packages were published to registries specifically to exfiltrate credentials.

Risk 3: The Rug Pull Problem

MCP servers can update their tool definitions after installation. You approve a safe-looking analytics tool on day one. Two weeks later, the tool description silently changes to include hidden instructions that the AI model follows without showing you.

Security researchers at Equixly found that 43% of tested MCP server implementations contained command injection vulnerabilities. Separately, Palo Alto’s Unit 42 demonstrated that MCP’s architecture is inherently vulnerable to tool poisoning — where malicious instructions embedded in tool descriptions are read by the AI but never shown to the user.

In advertising terms: a compromised MCP server’s get_campaign_performance tool could contain hidden instructions telling the AI to also execute update_campaign_budget or pause_all_campaigns without your knowledge.

This is the fundamental trust problem with MCP middleware. You’re not just trusting the protocol — you’re trusting every maintainer of every MCP server you’ve connected, indefinitely, with silent update capability.

Risk 4: No MCC Support, No Audit Trail

Beyond security, community MCP servers have practical gaps that make them unsuitable for professional advertising management:

No MCC (Manager Account) awareness. For agencies managing multiple client accounts through Google Ads MCC, API calls need a login-customer-id header to specify which manager account is authenticating. Most community MCP servers skip this entirely, which means they can’t manage multiple client accounts — the core use case for agencies. This also means no systematic Google Ads auditing across client accounts.

No audit trail. When an MCP server abstracts away API calls, you lose attribution for who made what change and when. Enterprise advertisers and agencies need this for billing verification, regulatory compliance, and simply understanding what happened when something goes wrong.

No rate limit intelligence. Advertising platforms have complex rate limiting rules — Google Ads limits by developer token, Meta limits per app-user pair, TikTok has 24-hour token expiry cycles. An MCP server that hammers endpoints without understanding these limits can exhaust your quota across all campaigns, not just the specific request that triggered it.

No API version tracking. Platform APIs deprecate and sunset versions on regular schedules. Meta’s v25.0 update in early 2025 broke Advantage+ Shopping campaign management through older endpoints. Community MCP servers that aren’t actively maintained will silently fail or, worse, corrupt campaign state when API versions change.

What Native API Integration Actually Looks Like

The alternative to MCP middleware is native API integration — connecting directly to each platform’s official API using their provided SDKs, registered developer tokens, and proper OAuth flows.

Here’s the difference:

Community MCP ServerNative API Integration
AuthenticationOften shared tokens or static secretsPer-user OAuth 2.0 with token rotation
Credential storagePlaintext config files or third-party serversEncrypted database, decrypted at call time
Developer tokenShared across users of the MCP platformRegistered per-organisation
Rate limitingUsually none — raw API callsPer-platform circuit breakers, exponential backoff
MCC supportRarely implementedFull manager account hierarchy
API versionsWhatever was current when the MCP was builtTracked against platform deprecation schedules
Audit trailNonePer-user, per-action request logging
Platform complianceVaries — some scrape instead of using APIsFull ToS compliance, platform-approved patterns
Update riskMaintainer can change tool behaviour silentlyCode under your control

Native integration is more work upfront. You need to register with each platform’s developer programme, implement OAuth flows, handle token refresh cycles, manage rate limits, and track API version changes. It’s weeks of engineering instead of five minutes of MCP setup.

But “five minutes of setup” means you’re outsourcing all of that complexity to someone you don’t know, with credentials you can’t control, on infrastructure you can’t audit.

When MCP Is Fine (and When It Isn’t)

To be clear: MCP as a protocol is not the problem. Google’s official Google Ads MCP server is a legitimate, well-built tool — it’s read-only, uses proper OAuth, and is maintained by the Google Ads team.

The risk comes from:

  1. Community MCP servers that share developer tokens across users
  2. Scraper-based MCP tools that don’t use official APIs at all
  3. Commercial MCP platforms that centralise advertiser credentials on their infrastructure
  4. Unmaintained MCP servers that fall behind API version changes

If you’re connecting an AI tool to a low-risk system — your codebase, a knowledge base, internal documentation — MCP servers are perfectly appropriate. The convenience-to-risk ratio makes sense.

If you’re connecting to advertising platforms that control real campaign budgets, use credentials worth stealing, and have ToS enforcement that can suspend your account, the calculus changes completely. You need to know exactly how your credentials are stored, who has access, how API calls are authenticated, and what happens when something goes wrong.

How Alethia Handles This

We built Alethia on native API integrations from day one. Not because we have anything against MCP — we use MCP for plenty of other things. But for advertising platform connections, the risk profile demands direct integration.

What that looks like in practice:

Per-user OAuth for every platform. Each user authenticates directly with Google Ads, Meta, TikTok, LinkedIn, GA4, and Google Search Console through standard OAuth 2.0 flows. (For a freelance media buyer managing multiple clients, this means each client’s credentials are fully isolated.) Alethia never sees or stores your password — we receive a scoped OAuth token from the platform after you grant permission.

Encrypted credential storage. OAuth tokens are encrypted at rest and only decrypted in memory at the moment of each API call. No plaintext tokens in config files, environment variables, or logs.

Credential isolation. Each user’s credentials are isolated in their own context. One user’s rate limit issue or API error cannot affect another user’s operations. This is the opposite of the shared-token model where one bad actor affects everyone.

Per-platform circuit breakers. If Google Ads API starts returning errors, only Google Ads tools are affected. Meta, TikTok, and LinkedIn continue operating normally. This prevents cascading failures that could trigger rate limit violations across platforms.

MCC auto-discovery. Agencies connecting their Google Ads MCC can manage their full client roster without manual configuration — manager accounts are detected and configured automatically during OAuth.

550+ native tools across 7 platforms. Google Ads, Meta, TikTok, LinkedIn, GA4, GTM, and Google Search Console. Each tool makes a direct, authenticated API call using the official SDK or REST endpoint. No middleware, no proxy, no third-party credential holder.

Human-in-the-loop approval. High-risk actions — budget changes, campaign creation, bid strategy modifications — require explicit human approval before execution. The AI agent proposes and explains; you decide and approve.

The Bottom Line

The MCP ecosystem is moving fast and that speed creates risk. Thousands of MCP servers have been built in months, many by individual developers with no background in platform API compliance, OAuth security, or advertising operations. Some work fine. Some will get your account suspended.

The question to ask any AI advertising tool — whether it uses MCP, REST APIs, or anything else — is straightforward:

  • Where are my credentials stored? If the answer involves a third-party server, you have a trust problem.
  • Whose developer token am I using? If it’s shared with other advertisers, you have a policy problem.
  • Does it use the official API or a scraper? If you don’t know, assume the worst.
  • What happens when the API changes? If the tool hasn’t been updated in months, it’s a liability.
  • Can I see what it did? If there’s no audit trail, you can’t debug problems or prove compliance.

Native API integration isn’t the easy path. But when your ad accounts, campaign budgets, and client relationships are on the line, easy isn’t the right optimisation target. Reliable is.

Share this article

LinkedIn X / Twitter
AS

Aadil Saloojee

Founder of Alethia Intelligence. Building AI-powered marketing operations tools for agencies and advertisers across Africa and beyond.

Related articles

AI & Automation

How AI Agents Are Replacing Manual Campaign Management

What AI agents actually do in advertising — not the hype, the reality. Covers specific tasks agents handle today, what stays manual, the human-in-the-loop model, and why the shift from tools to agents changes everything.

10 min read
Strategy

Meta Ads vs Google Ads: Where South African Brands Should Spend in 2026

An opinionated breakdown of Meta Ads vs Google Ads for the South African market. Covers audience reach, costs, sector recommendations, and how to allocate budget across platforms in 2026.

10 min read
Cross-Platform Ads

Cross-Platform Ad Reporting: One Dashboard Instead of Four

How to build unified reporting across Google Ads, Meta, TikTok, and LinkedIn. Covers metric normalisation, attribution conflicts, and why switching between four dashboards is costing your agency real money.

9 min read