Identity Types
An identity in AccessHive represents a set of credentials that your team uses to access a client’s marketing platform. Each identity has a type that determines how it authenticates, how credentials are stored, and whether the system provisions accounts automatically. Understanding identity types helps you pick the right one when creating an identity.
How identity types work
When you create an identity, the type you choose controls three things:
- How the identity authenticates – through single sign-on (SSO), a username and password, a key file, or client credentials.
- Where credentials come from – the system can create them automatically (managed), or you supply them yourself (external).
- How fast the identity is ready – some types are available instantly, while others need a few seconds for background setup.
Types at a glance
Human Interactive
A real person who signs in through SSO using a Google Workspace (GWS) domain account. Used for platforms that require a human login, such as Google Analytics 4 and Google Ads.
- Created automatically through the SSO flow – you cannot create one manually in the wizard.
- No credentials are stored in the credential vault. Authentication is handled entirely through SSO.
- Takes 5–15 seconds to set up, because the system creates accounts in both the identity provider and Google Workspace.
Shared Credential
A username and password account shared among team members through Privileged Access Management (PAM) checkout. This is the most common identity type for human-operated accounts.
Shared Credentials support two credential modes:
- Managed – The system creates a Google Workspace domain user (for example,
meta@youragency.com) and sets the password automatically. The password rotates each time the credentials are checked back in. - External – You supply a username and password yourself. The system stores them securely but does not rotate them automatically.
Shared Credentials include checkout governance: maximum checkout time, approval requirements, and check-in confirmation. See PAM Sessions for details.
Service Account
A machine identity that authenticates with a JSON key file, such as a Google Cloud service account. You provide the service account email address and key content. The system stores them in the credential vault immediately – no background setup needed.
Service Accounts carry their own authentication and never trigger Google Workspace or identity provider account creation, even on platforms that normally require Google Workspace.
API Key
A static API key or token for programmatic access to a platform, such as a Klaviyo API key for email automation. You provide a key label and the key value.
API Keys are always tied to a single platform – the agency-wide scope option is not available.
OAuth App
An OAuth 2.0 client identity that authenticates using a client ID and client secret. Used for integrations like custom analytics dashboards.
Like API Keys, OAuth Apps are always tied to a single platform.
Comparison table
| Feature | Human Interactive | Shared Credential | Service Account | API Key | OAuth App |
|---|---|---|---|---|---|
| Authentication method | SSO | Password | JSON key file | API key | OAuth client credentials |
| Needs Google Workspace | Yes | Managed mode only | No | No | No |
| Credentials stored in vault | No | Yes | Yes | Yes | Yes |
| Agency-wide scope available | Yes | Yes | Yes | No | No |
| Checkout governance (PAM) | No | Yes | Yes | No | No |
| Created in the wizard | No | Yes | Yes | Yes | Yes |
| Time to provision | 5–15 seconds | Instant (external) or 5–15 seconds (managed) | Instant | Instant | Instant |
Use Shared Credential for team accounts where multiple people need to log in with a username and password – it is the most flexible option and supports checkout governance. Use Service Account for machine-to-machine integrations that use JSON key files. Use API Key or OAuth App for programmatic access with static keys or client credentials. Human Interactive identities are created automatically through SSO and do not need to be set up manually.
Related pages
- Create an identity – Walk through the wizard step by step. See Creating Identities.
- Understand provisioning – Learn what happens behind the scenes after you click Create. See Provisioning.
- Credential storage – Learn how credentials are encrypted and stored. See Credential Vault.
- Platform connections – See which platforms support which identity types. See Platforms.