The short version. Dot Square Lab builds production AI systems, so when we wanted to run our own marketing we tried to drive Google Ads and GA4 straight from an LLM. The open-source ways to do it needed a heavy per-user setup, and the hosted alternatives were either read-only or optimisation suites that want to be the intelligence instead of serving your agent. So we built it ourselves: Nerb, a hosted MCP (Model Context Protocol) gateway that brokers the connection once and gives any LLM client safe, confirm-gated access to the APIs. It is a gateway, not an optimiser: your agent does the reasoning, Nerb handles the authentication and keeps the writes safe. We then turned it into a product and designed it to span your whole marketing stack, not just Google. Today it covers Google Ads, GA4 and Search Console, and Reddit Ads is already live as the first channel beyond Google, with more on the way. It is live at nerb.ai.
At a glance
- What it is: a hosted MCP gateway (credential broker + API proxy) that lets an LLM read and safely change your marketing accounts across platforms
- Problem it removes: the per-user setup normally needed to reach the APIs (own GCP project, OAuth client, developer token), and the read-only or optimisation-suite limits of the alternatives
- Tech: MCP over streamable HTTP; per-platform OAuth brokering with AES-256-GCM encrypted refresh tokens; confirm-gated writes; per-tenant isolation (signed session claims, Postgres row-level security, egress allowlist, audit log); Next.js on GCP Cloud Run
- Coverage: Google Ads, GA4, Search Console and Reddit Ads today; more ad channels and the revenue loop on the way
- Clients: any MCP-compatible LLM (Claude, ChatGPT, Cursor, Codex, Copilot, Gemini)
- Status: live at nerb.ai
The challenge
Large language models reason well over marketing data, but they cannot touch Google Ads or GA4 on their own. Something has to broker the Google OAuth grant, hold the credentials, translate tool calls into API calls, and (the part that matters most) stop the model from doing something costly to a live ad account. That connecting layer did not exist in a usable form.
One option is to skip the API and point a browser-automation agent, something like Claude in Chrome, at the Google Ads web interface. It works, but it is slow and only sees one screen at a time, so the model never gets the full, structured picture that a single API call can return. The API is the better route; getting to it was the problem.
Getting to the API was the hard part. We tried adloop, the open-source MCP for Google Ads and GA4, which is a good tool but needs every user to set up their own Google Cloud project and tokens first. Google's own Ads MCP server is read-only and built around Gemini. The established ad-optimisation platforms are the opposite issue: they bundle their own dashboards and playbooks, which are redundant when the intelligence is already your agent. What was missing was the simple version: hosted, safe, cross-client access to the API itself.
The approach
Nerb is deliberately narrow. It is a credential broker and an API gateway, and the intelligence stays in your agent, not the product. The design rests on four decisions.
- Speak MCP to any client. Nerb serves a single Model Context Protocol endpoint over streamable HTTP, so it works with any MCP-compatible client. You connect it the way you connect any other tool; there is nothing to install.
- Broker each platform's connection once. Instead of every user provisioning their own project and tokens for each platform, Nerb runs the OAuth authorization-code flow on a hosted callback, then stores the resulting refresh token encrypted at rest. The user grants access once in the browser; after that their agent reaches the accounts that grant covers, with no local setup.
- Make every write a two-step, capped action. Reads are free, but any change to an account goes through draft to preview to confirm: the agent drafts a change, the gateway returns exactly what would happen, and nothing is applied until an explicit confirm. Dry-run is the default. A configurable cap limits how much any single change can spend, new campaigns and ads are created paused, and unsafe combinations (Broad Match with Manual CPC) are rejected outright. Because the rules live in the gateway, they hold no matter what the model asks for.
- Isolate every tenant. Each request carries a signed session claim that identifies the tenant and is checked on every tool call. Postgres row-level security separates tenant data, an egress allowlist means the server can only talk to the platform APIs it brokers and its own dependencies (default-deny everything else), and every action is written to a per-tenant audit log.
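The draft, preview and confirm rules from the last two decisions, sketched as an added example; this is not Nerb's own code. The class, field names, status strings and cap value are assumptions, and the tenant id is assumed to come from a session claim whose signature has already been verified.

```javascript
// Added illustration. Class, field names and cap value are assumptions, not Nerb's API.
// tenantId is assumed to come from a session claim whose signature was already verified.
class WriteGate {
  constructor({ maxSpendPerChange }) {
    this.cap = maxSpendPerChange;
    this.drafts = new Map(); // draftId -> { tenantId, effective }
    this.audit = [];         // stand-in for the per-tenant audit log
    this.seq = 0;
  }

  log(tenantId, event, detail) {
    this.audit.push({ tenantId, event, detail });
  }

  // Step 1: validate, store the draft, return a preview. Nothing is applied here.
  draft(tenantId, change) {
    const errors = [];
    const spend = change.dailyBudget ?? 0;
    if (!Number.isFinite(spend) || spend < 0 || spend > this.cap)
      errors.push(`dailyBudget must be between 0 and the cap of ${this.cap}`);
    if (change.matchType === 'BROAD' && change.bidding === 'MANUAL_CPC')
      errors.push('Broad Match with Manual CPC is rejected');
    if (errors.length) {
      this.log(tenantId, 'rejected', errors);
      return { ok: false, errors };
    }
    // New campaigns are forced to PAUSED whatever status the agent asked for.
    const effective = change.kind === 'create_campaign'
      ? { ...change, status: 'PAUSED' }
      : { ...change };
    const draftId = `draft-${++this.seq}`;
    this.drafts.set(draftId, { tenantId, effective });
    this.log(tenantId, 'drafted', draftId);
    return { ok: true, applied: false, draftId, preview: effective };
  }

  // Step 2: apply only on an explicit confirm from the tenant that drafted it.
  confirm(tenantId, draftId, applyFn) {
    const d = this.drafts.get(draftId);
    if (!d || d.tenantId !== tenantId) {
      this.log(tenantId, 'confirm_denied', draftId);
      return { ok: false, errors: ['unknown draft'] };
    }
    this.drafts.delete(draftId); // single use: a confirm cannot be replayed
    const result = applyFn(d.effective); // the only place the upstream API is called
    this.log(tenantId, 'applied', draftId);
    return { ok: true, applied: true, result };
  }
}
```

Because `applyFn` is only reachable through `confirm`, a model that skips the preview or reuses another tenant's draft id gets a denial and an audit entry rather than a write.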
What Nerb does today
Connect an account once at nerb.ai, paste the endpoint and token into your client, and your agent can query and safely change your marketing accounts through the confirm flow above. Google Ads, GA4 and Search Console are covered, and Reddit Ads is live as the first platform beyond Google. It runs as a containerised Next.js service on Google Cloud Run, with infrastructure in Terraform and secrets in Vault, so there is nothing for you to operate.
Nerb began as our own internal tool for Google and is now a multi-channel product. The gateway is provider-agnostic underneath, so each new platform is another connector on the same safe-write and isolation machinery rather than a rebuild. More ad channels are following Reddit, and the revenue side (tying spend to Shopify and Stripe) is on the roadmap, moving toward one connection that answers cross-channel questions no single-platform tool can.
Where this approach applies
The pattern generalises well past marketing. Any time you want an LLM to act on a sensitive third-party API, you need the same layer: broker the OAuth grant so users do not each have to, hold the credentials encrypted, make destructive actions a capped two-step confirm, isolate tenants, and log everything.
It applies just as well to a company's own systems. Point the same broker-and-guardrail pattern at your internal, specialised data (the knowledge sitting in your databases, documents and internal tools) and your teams can reach that collected knowledge through an LLM without handing a model raw, unguarded access to it. The same layer that makes it safe to talk to Google Ads makes it safe to talk to the systems that hold what your business actually knows. That is the kind of production infrastructure we build for clients: the safety-critical layer that makes an AI system trustworthy against live data.
Frequently asked questions
What is an MCP gateway? MCP (Model Context Protocol) is the open standard LLM clients use to call external tools. An MCP gateway is a hosted server that sits between the model and a third-party API: it handles authentication, exposes the API as MCP tools, and enforces safety rules, so any MCP-compatible client can use the API without a bespoke integration. Nerb is an MCP gateway for Google Ads, GA4 and Search Console.
Can I connect Google Ads or GA4 to Claude, ChatGPT or Cursor? Yes, that is what Nerb is for. It presents your accounts as MCP tools over a single hosted endpoint, so any MCP-compatible client (Claude, ChatGPT, Cursor, Codex, Copilot, Gemini) can query them once you have connected your Google account. There is no local Google Cloud project or developer token to set up.
Which platforms does Nerb support? Google Ads, GA4, Search Console and Reddit Ads today, all through the same endpoint. Nerb is built to be multi-channel, so more ad platforms and the revenue side (Shopify, Stripe) are on the roadmap; the goal is to answer cross-channel questions, like comparing performance across networks, from one connection.
Is it safe to let an AI agent change my Google Ads account? Yes, by construction. Every write is a confirm-gated, spend-capped action that the gateway enforces itself, so nothing is applied until you approve the exact change and no single change can exceed the cap you set. Reads are unrestricted.
How is this different from Google's official Google Ads MCP server? Google's server is read-only and built mainly for Gemini, and like the open-source options it expects you to bring your own Google Cloud project and developer token. Nerb is hosted (no setup), works across LLM clients, covers Google Ads and GA4 together in one connection, and adds safe, confirm-gated writes on top of reads. It is also not limited to Google: Reddit Ads is already supported, with more platforms on the way.
Is Nerb available yet? Yes. Nerb is live at nerb.ai: connect a Google account and you are running, with more channels arriving over time.
Want an AI system that can safely act on your live data?
Nerb is one example of the production infrastructure we build: the authentication, guardrails and isolation that let an AI system touch real accounts, or your own internal systems, without risk. If you are building something similar, that safety-critical layer is exactly our work. Strategy to production, one team.
Get started with Nerb at nerb.ai, or tell us your challenge.