Reference: Identity Field Requirements
This reference lists the fields required when creating each identity type. Use it to understand what information you need before starting the identity creation process.
For a step-by-step walkthrough, see Creating Identities. For an explanation of each type, see Identity Types.
Common fields (all types)
These fields apply to every identity, regardless of type:
| Field | Required | Description |
|---|---|---|
| Platform | Yes | The marketing platform this identity is for (for example, GA4, Meta, or Shopify). |
| Identity type | Yes | One of: Shared Credential, Service Account, API Key, OAuth Client, or Human Interactive. |
| Username | Depends | Auto-generated from your naming template if not provided. Required for some types (see below). |
Per-type required fields
| Field | Required | Notes |
|---|---|---|
| Credential mode | Always | Must be set to Managed or External. |
| Username | External only | Required when credential mode is External. |
| Password | External only | Required when credential mode is External. |
Managed mode: Only the credential mode is required. AccessHive auto-generates the username and password through Google Workspace (GWS).
External mode: You must provide the credential mode, username, and password.
Use Managed when you want AccessHive to create and rotate credentials automatically through GWS. Use External when you already have credentials for a platform that does not support GWS provisioning (for example, Meta or Shopify).
| Field | Required | Notes |
|---|---|---|
| Username | Always | The service account email address. |
| JSON key | Always | The full JSON key file content. |
Service Accounts carry their own authentication. They do not trigger domain user creation or SSO provisioning, even on platforms that normally require Google Workspace. The identity is marked Provisioned immediately.
| Field | Required | Notes |
|---|---|---|
| Key label | Always | A human-friendly name for the key. |
| API key | Always | The API key value. |
API Keys are always tied to a specific platform. They cannot be created with agency-wide scope.
| Field | Required | Notes |
|---|---|---|
| Client ID | Always | The OAuth client ID from the platform. |
| Client secret | Always | The OAuth client secret from the platform. |
OAuth Clients are always tied to a specific platform. They cannot be created with agency-wide scope.
No credential fields are required. Human Interactive identities authenticate through single sign-on (SSO).
Human Interactive identities require Google Workspace provisioning to complete. They are typically created through the SSO provisioning flow rather than the creation wizard.
Validation error messages
If required fields are missing, the system shows an error. Here are the common messages and their causes:
| Error message | Cause |
|---|---|
| Shared Credential requires credential mode | The credential mode field is missing. |
| Credential mode must be Managed or External | An invalid credential mode value was provided. |
| External Shared Credential requires a username | External mode was selected without a username. |
| External Shared Credential requires a password | External mode was selected without a password. |
| Service Account requires a username | No email address was provided for the service account. |
| Service Account requires a JSON key | No JSON key file content was provided. |
| API Key requires a key label | No label was provided for the API key. |
| API Key requires an API key value | No API key was provided. |
| OAuth Client requires a client ID | No client ID was provided. |
| OAuth Client requires a client secret | No client secret was provided. |
Related pages
- Creating Identities – step-by-step identity creation guide
- Identity Types – explanation of all five identity types
- Credential Vault – how credentials are stored and protected
- Provisioning States – provisioning statuses and transitions
- Background Jobs – which identity types trigger background jobs