Google Search Console security update improves management of ownership tokens

Google Search Console has released a security update to user permissions and controls management that lets you better manage ownership tokens. Ownership tokens are used when people verify your site in Search Console, Merchant Center and other Google products, and sometimes people who had access to your profiles in the past should no longer have it.

This update should make it easier to manage such access and remove those tokens and permissions when they are no longer needed.

What Google said. Google wrote:

We’re rolling out further improvements to Search Console’s user and permission management, incorporating capabilities related to unused ownership tokens management. Tokens are the codes used for website ownership verification in Search Console, Merchant Center, and other Google products. We have seen cases where these were accidentally left behind after owners have moved on. In February 2023, we rolled out improvements to the user and permissions management report. The latest changes will improve the accuracy and reflect the actual state of unused ownership tokens.

What it looks like. In the user and permissions interface, under “unused ownership tokens,” you will see a screen where you can click “remove” to remove access to those ownership tokens.

How it works. Here are the steps to take to manage these ownership tokens:

Visit the Users and permissions interface

Click “Unused ownership tokens”

Choose the tokens you’d like to remove and click “Remove”

Click “Verify removal” to get an update on the unused ownership token

Why we care. It is always a good idea to ensure the right people have access to your data and Search Console properties and, more importantly, that the wrong people do not. As Nir Kalush from Google wrote, “The update rolled out today lets you verify the removal of the unused verification token so that removed owners cannot regain access to the property.”

So check your tokens and remove those belonging to people who should not have access.
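A site-side check to pair with the steps above, as an added example that is not from Google or the original article: it lists verification tokens still published on a site and flags any that are not on your list of current owners. It assumes tokens appear as `google-site-verification` meta tags or DNS TXT records (two of Google's verification methods, which this article does not describe); the function names and sample values are constructed for illustration.

```python
from html.parser import HTMLParser

META_NAME = "google-site-verification"     # <meta name=...> verification tag
TXT_PREFIX = "google-site-verification="   # DNS TXT verification record

class _MetaTokens(HTMLParser):
    """Collects the content of every google-site-verification meta tag."""
    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() == META_NAME and a.get("content"):
            self.tokens.append(a["content"].strip())

def tokens_in_html(html):
    parser = _MetaTokens()
    parser.feed(html)
    parser.close()
    return parser.tokens

def tokens_in_txt(records):
    out = []
    for rec in records:
        value = rec.strip().strip('"')     # TXT values are often shown quoted
        if value.lower().startswith(TXT_PREFIX):
            out.append(value[len(TXT_PREFIX):])
    return out

def audit(html, txt_records, expected):
    """Return tokens still published but not expected, and expected ones not found."""
    found = [("html-meta", t) for t in tokens_in_html(html)]
    found += [("dns-txt", t) for t in tokens_in_txt(txt_records)]
    leftover = sorted({f for f in found if f[1] not in expected})
    missing = sorted(set(expected) - {t for _, t in found})
    return {"leftover": leftover, "missing": missing}

# Constructed sample input (not real tokens).
SAMPLE_HTML = """<html><head>
<meta name="google-site-verification" content="CONSTRUCTED-current-owner">
<META NAME="Google-Site-Verification" CONTENT="CONSTRUCTED-former-agency" />
</head></html>"""
SAMPLE_TXT = ['"v=spf1 -all"', '"google-site-verification=CONSTRUCTED-former-employee"']
EXPECTED = {"CONSTRUCTED-current-owner"}
if __name__ == "__main__":
    print(audit(SAMPLE_HTML, SAMPLE_TXT, EXPECTED))
```

Feed it your homepage HTML and the TXT records for your domain; anything under `leftover` is a token to take off the site and then remove in Search Console.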