What Search Console data can GSC PAP access?

GSC PAP requests the webmasters.readonly OAuth scope - the same read-only level you would grant to any third-party Search Console viewer. Specifically we can read your verified site list, search analytics (clicks, impressions, CTR, position by query, page, country, device, date), sitemap submission status, and URL inspection results. This is exactly the data you see in your own Search Console UI.

We cannot write, modify, or delete anything in your Search Console: not sites, not sitemaps, not indexing requests, not anything. The OAuth scope we request technically excludes write operations, so even if our service were compromised, an attacker could not change your Search Console state. The worst case is read-only data exposure - which is why we encrypt every refresh token at rest with AES-256-GCM.

Beyond what Google provides natively, GSC PAP keeps a Personal Archive of your data so you can query beyond Google's 16-month native window. Your archive is private to your account; no other GSC PAP user can see it. See our Privacy Policy for the full storage and retention details.