When to Remove Access
- Employee departure or team change
- Agency contract ends
- Security incident or compromised Apple ID
- Quarterly access review identifies stale accounts
- Contractor project completion
Pre-Removal Checklist
Before revoking access, complete these steps to prevent disruption:
- Check for API certificates -- If the user generated API credentials, those certificates authenticate automated integrations. Removing the user does not automatically invalidate their certificates.
# List all API certificates to identify any owned by the departing user
curl -X GET "https://api.searchads.apple.com/api/v5/acls" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "X-AP-Context: orgId=$ORG_ID" | jq '.data'
- Review active campaigns -- Check if the user is the sole manager of any live campaigns, especially those with active budgets or upcoming flight dates.
- Export reports -- Download any saved reports or custom columns the user created, as these may not persist after removal.
- Document pending work -- Note in-progress optimizations, scheduled bid changes, or creative reviews.
- Notify stakeholders -- Inform the team so responsibilities transfer smoothly.
Removing a User via the UI
- Log in to Apple Search Ads with an Account Admin account
- Click the gear icon > Account Settings > User Management
- Locate the user in the list
- Click the X icon (or Remove button) next to their name
- Confirm the removal when prompted
Access is revoked immediately. If the user is currently logged in, their session terminates on the next page navigation.
Removing a User via the API
# Remove user by userId
curl -X DELETE "https://api.searchads.apple.com/api/v5/acls/123456" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "X-AP-Context: orgId=$ORG_ID"
# Verify removal -- user should no longer appear in ACL list
curl -X GET "https://api.searchads.apple.com/api/v5/acls" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "X-AP-Context: orgId=$ORG_ID" | jq '.data[] | select(.userId == "123456")'
# Expected: no output (user removed)
Revoking API Certificates
Removing a user from the UI does not automatically revoke their API certificates. If the user set up API access:
- Go to Account Settings > API in the Apple Search Ads UI
- Find certificates associated with the removed user
- Click Revoke on each certificate
- If automated integrations used those certificates, generate new credentials and update your integration code:
# Example: update your Apple Search Ads integration with new credentials
APPLE_SEARCH_ADS_CONFIG = {
'org_id': 7890,
'client_id': 'SEARCHADS.new-client-id',
'key_id': 'new-key-id',
'team_id': 'SEARCHADS.team-id',
'private_key_path': '/path/to/new-private-key.pem'
}
- Test the new credentials to confirm integrations still function
Revocation Timeline
| Action | Timing |
|---|---|
| User removed from User Management | Immediate |
| Active UI session invalidated | Next page navigation |
| Campaign data authored by user | Retained permanently |
| API certificate access (if not revoked separately) | Remains active until explicitly revoked |
| Pending invitations from removed user to others | Remain valid until accepted or expired |
Apple Search Ads does not have a soft-disable or suspension option. Removal is permanent and immediate. To restore access, send a new invitation.
Post-Removal Steps
- Verify removal -- Confirm the user no longer appears in User Management
- Check API certificates -- Ensure all their certificates are revoked
- Audit recent activity -- Review campaign changes from the past 30 days if the removal was security-related. Apple Search Ads does not expose a built-in audit log, so check campaign modification dates and budget changes manually.
- Update internal records -- Remove the user from your access register and offboarding checklist
- Snapshot current access -- Export a fresh access list for compliance:
curl -X GET "https://api.searchads.apple.com/api/v5/acls" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "X-AP-Context: orgId=$ORG_ID" \
| jq '.data[] | {userId, roleName, email}' > access-snapshot-$(date +%F).json
Troubleshooting
Cannot remove user: Verify you have Account Admin access. You cannot remove the last remaining Admin from an account -- add a second Admin first.
User still accessing the account: Confirm removal completed in User Management. Check if the user has a separate invitation to a different org within the same Apple Search Ads instance. Check that API certificates were revoked separately.
Removed user's campaigns stopped running: Removing a user does not pause their campaigns. If campaigns stopped, check for budget exhaustion or scheduling end dates that coincided with the removal.