MarketingPlaybook12 min readPublished July 16, 2026

Four QA checks · UrlFetchApp wires in the LLM · official templates cover the deterministic ground

Google Ads Scripts + AI Agents for Account QA at Scale

Google Ads Scripts run JavaScript on a schedule with no active user session, and UrlFetchApp lets a script call an LLM API mid-run. Together they turn routine account QA — broken final URLs, disapprovals, budget pacing, policy-risk triage — into a scheduled agent. This playbook maps which checks Google already templates and where the AI layer genuinely earns its keep.

DA
Digital Applied Team
Senior strategists · Published Jul 16, 2026
PublishedJuly 16, 2026
Read time12 min
SourcesGoogle Ads developer docs
Script run cap
30min
60 min for MCC parallel runs
Authorized scripts
250
max per account
Third-party API doc
Jul 15
refreshed the day before this post
MFA rollout start
Apr 21
new OAuth tokens, 2026

Google Ads Scripts plus an AI agent is the cheapest account-QA automation an agency can ship in 2026: a scheduled JavaScript layer that already lives inside every Google Ads account, wired to an LLM through UrlFetchApp for the judgment calls a regex can't make. There's no infrastructure to stand up, no API developer token application, and Google ships official templates for much of the deterministic ground.

The stakes are agency-ops stakes, not moonshot stakes. A broken final URL burns spend silently. A disapproved ad stops serving without anyone noticing until the client does. A campaign that fronts 60% of its monthly budget by mid-month forces an awkward conversation. Each of these is detectable by a script that runs every hour — and the interesting 2026 development is that the same script can now hand ambiguous cases to a language model mid-run and act on the classification that comes back.

This playbook covers the Scripts runtime and its real limits, a four-check QA coverage map showing what Google templates natively versus where the AI layer adds value, the UrlFetchApp integration pattern (Google refreshed that exact doc on July 15, 2026 — the day before this post), illustrative budget-pacing thresholds, and the multi-factor authentication change that quietly rewired credential setup for new deployments in April.

Key takeaways
  1. 01
    Scripts are a free, scheduled QA runtime.Google Ads Scripts run JavaScript in a browser-based IDE and execute on a schedule without an active user session — capped at 30 minutes per run, 250 authorized scripts per account, and 50,000 iterator results by default.
  2. 02
    Four checks cover most agency-ops risk.Broken final URLs, ad disapprovals, budget-pacing drift, and pre-emptive policy-risk triage. Google's official solution templates — Link Checker, Account Anomaly Detector, Flexible Budgets — cover much of the deterministic ground.
  3. 03
    UrlFetchApp is the AI bridge.Scripts call third-party APIs — including LLM endpoints — via UrlFetchApp, with API-key, HTTP Basic, and OAuth 1.0/2.0 auth documented. Google refreshed that integration doc on July 15, 2026.
  4. 04
    Pacing thresholds are conventions, not spec.The widely repeated 10%-over / 20%-under / 60%-by-the-20th alert thresholds are practitioner heuristics, not a Google standard. Treat them as starting points to tune per account, never as canon.
  5. 05
    MFA changed credential setup in April 2026.Mandatory multi-factor authentication began rolling out April 21, 2026 for new Google Ads API and Scripts OAuth refresh tokens. Existing tokens kept working, and service accounts — the right pattern for unattended automation — were unaffected.

01The RuntimeA scheduled JavaScript layer with hard limits.

Google Ads Scripts sit in an underrated middle tier of the automation ladder — above rules and recommendations, below full Google Ads API automation. They run inside the Google Ads UI, need no developer token, and crucially can execute on a schedule without an active user session. That last property is what makes an unattended QA agent possible at all.

"Google Ads scripts provide a way to programmatically manage and query your Google Ads data using JavaScript in a browser-based IDE."— Google Ads Scripts product overview, updated June 2026

The limits matter more than the pitch, because they shape what a QA agent can realistically do per run. Per Google's Scripts limits documentation, every number below is a hard ceiling you design around, not a soft quota you negotiate.

Execution cap
Per script run
30min

Every single-account script run is capped at 30 minutes. Manager-account (MCC) scripts can extend to 60 minutes using executeInParallel with a callback — the pattern that matters for multi-account QA.

MCC parallel: 60 min
Result ceiling
Iterator results by default
50,000

Selectors return at most 50,000 results by default, and selector.withIds() accepts at most 10,000 IDs per call. Large accounts need progress tracking across multiple runs — the official Link Checker template models this.

withIds: 10,000 max
Account budget
Authorized scripts per account
250

An account holds at most 250 authorized scripts, and logging output truncates at 100 KB per run. Bulk uploads triggered from Scripts cap at 50 MB and 1,000,000 rows with a 2-hour job timeout.

Logs truncate at 100 KB

Read those limits together and the design constraint is clear: a Scripts-based QA agent is a sampler and escalator, not a full-account crawler. It checks what changed, batches what it can inside 30 minutes, persists progress between runs, and escalates judgment calls — to a human, or increasingly to an LLM call that fits inside the same run window.

02Coverage MapFour checks, and where the AI layer genuinely earns its keep.

Most agency-ops risk in a Google Ads account concentrates in four failure modes: final URLs that break, ads that get disapproved, budgets that pace off-plan, and policy-risky copy that ships before anyone flags it. Google's own documentation describes its solution templates in isolation, and competitor writeups list scripts one-by-one — so we mapped the whole stack in one table. The deterministic columns are sourced from Google's solution docs and widely used practitioner patterns; the AI-layer column is our analysis of where an LLM adds value a threshold can't.

QA coverage map for Google Ads account quality assurance: the four core checks (broken final URLs, budget pacing drift, ad disapprovals, pre-emptive policy-risk flags), whether an official Google Ads Scripts template exists, the deterministic detection mechanism, where an AI agent layer adds value, and a suggested run cadence. Compiled from Google Ads Scripts solution documentation and practitioner script patterns; the AI-layer column is Digital Applied analysis.
QA checkOfficial templateDeterministic mechanismWhere the AI layer adds valueSuggested cadence
Covered natively by Google solution templates
Broken final URLsLink Checker (v4.1)HTTP response-code checks on ad, keyword, and sitelink final URLs; tracks progress across runs for large accounts; custom failure-string or JavaScript validation hooksCatch pages that return 200 but fail in practice — empty templates, out-of-stock pages, off-brand redirects — via LLM classification of fetched page textDaily
Budget pacing driftFlexible Budgets + Account Anomaly DetectorAnomaly Detector compares impressions, clicks, conversions, and cost against the same day/hour across 26 prior weeks by default; Flexible Budgets re-writes daily budgets on an even or weighted distributionNarrate why spend drifted and rank which campaigns need a human today, instead of firing raw threshold alertsHourly (detector) · daily near midnight (budgets)
Community patterns and the genuine agent-layer gap
Ad disapprovalsNone — established community patternGAQL query on approval_status = 'DISAPPROVED' across enabled campaigns and ad groups; writes campaign, ad group, ad ID, and policy topic to a sheet plus email alertTriage severity by policy topic and draft compliant rewrite suggestions for human reviewHourly or daily
Policy-risk flags (pre-emptive)NoneNo deterministic mechanism exists — you only learn about policy problems after the disapproval landsThe genuine gap: LLM classifies ad copy and landing-page text for likely policy triggers before an ad ships or a disapproval hitsOn every ad-copy change · weekly sweep

The pattern the table exposes is the thesis of this post: Google already automates the checks a machine can decide deterministically. A URL either returns a bad status code or it doesn't; spend either deviates from a 26-week baseline or it doesn't. The AI layer earns its keep exactly where the decision requires reading — judging whether a page that loads is actually a good landing page, whether ad copy is likely to trip a policy topic, and which of this morning's twelve alerts deserves the account manager's first hour.

Why speed matters on disapprovals
Practitioner consensus on disapproval alerting is blunt. As PPC scripter Nils Rooijmans puts it in his long-running disapproved-ads alert script: "Know when they get disapproved AS SOON AS POSSIBLE!" An ad that stops serving is spend that silently re-routes to whatever is left running — the detection delay is the cost, which is why the community pattern pairs the GAQL query with immediate email alerts rather than a weekly report.

03Official TemplatesStart from Google's solutions gallery, not a blank editor.

Google's Scripts solutions gallery is the closest thing to an official starter kit for account QA: it currently lists Account summary, Account anomaly detector, Ad performance, Common negative list, Flexible budgets, and Link checker among its first-party templates. Three of them map directly onto the QA stack above, and all three were last updated June 24, 2026 — these are maintained docs, not abandonware. (The Scripts platform itself keeps moving too: the April 22 Merchant API migration inside Google Ads Scripts is the most recent example of Google changing what scripts can touch.)

URLs
Link Checker
ads · keywords · sitelinks

Checks final URLs for bad HTTP response codes, tracks progress across multiple runs for accounts too large to scan in one pass, and supports custom failure-string or JavaScript-based validation. Email alerting has three triggers: after each run, after a full account scan, or unconditionally.

v4.1 · updated Jun 24, 2026
Drift
Account Anomaly Detector
impressions · clicks · conversions · cost

Flags an account behaving too differently from what's historically observed, comparing the current period against the same day and hour across a configurable number of prior weeks — 26 by default. Sends at most one alert email per day and accounts for up to 3 hours of reporting lag.

Recommended: run hourly
Budgets
Flexible Budgets
even or weighted distribution

Dynamically re-writes a campaign's daily budget using an even-distribution or back-loaded weighted formula, driven by a CONFIG object with total budget, campaign name, and start/end dates. Intended to run once daily near midnight local time.

Remediation, not just alerting

The strategic read: clone these templates first, then spend your build budget on the gaps. An agency that hand-rolls its own URL checker is re-implementing multi-run progress tracking Google already wrote and maintains. The differentiated work is the classification and triage layer on top — which is exactly the part the templates don't cover and the next section wires in.

04The AI LayerUrlFetchApp: one HTTP call from script to LLM.

The bridge between a Google Ads script and a language model is unglamorous: UrlFetchApp, the built-in HTTP client Scripts inherit from Apps Script. Google's Third-Party APIs documentation — updated July 15, 2026, the day before this post published — covers GET and POST requests with API-key, HTTP Basic, OAuth 1.0, and OAuth 2.0 authentication, including client-credentials, refresh-token, and auth-code grants. Any LLM endpoint that speaks JSON over HTTPS is reachable with the same mechanism.

The core pattern, framed generically (community gists document OpenAI-specific versions, but treat those as illustrative snippets rather than reference implementations):

// Illustrative UrlFetchApp pattern — adapt to your LLM provider.
const response = UrlFetchApp.fetch(API_URL, {
  method: "post",
  contentType: "application/json",
  headers: { Authorization: "Bearer " + API_KEY },
  payload: JSON.stringify({
    model: MODEL_ID,
    messages: [
      {
        role: "user",
        content: "Classify this ad copy for policy risk: " + adCopy,
      },
    ],
  }),
  muteHttpExceptions: true,
});
const result = JSON.parse(response.getContentText());

Three operational realities keep this honest. First, quotas stack: UrlFetchApp calls inside Scripts are subject to Apps Script's own service quotas, which Google's docs explicitly tell advertisers to check before building an integration. Second, latency eats the run cap — every LLM round-trip comes out of the same 30-minute window, so classify in batches (one call scoring twenty ads beats twenty calls) and reserve the LLM for items your deterministic filters already flagged as ambiguous. Third, keep the agent read-only at first: write findings to a sheet and an email, and only graduate to mutations (pausing an ad, adjusting a budget) after weeks of watching the classifications hold up.

No verified source quantifies a dollar or hours-saved figure for this pattern, so we won't invent one. The qualitative case is strong enough: checks that previously ran when someone remembered now run hourly, and the judgment step that made them human-dependent becomes a model call. It's the same shift we build toward in our paid media engagements — automation handling the floor so senior judgment handles the edge cases.

05Pacing HeuristicsBudget-pacing thresholds are conventions, not spec.

Here's where most writeups oversell. Community pacing scripts commonly alert when a campaign is projected to overspend its monthly budget by more than 10%, to underspend by more than 20%, or when it has burned more than 60% of the month's budget before the 20th. Those numbers are repeated across practitioner posts often enough to feel official. They aren't — no Google specification defines them. Treat the chart below as a set of illustrative starting points an agency tunes per account, not a standard.

Common pacing-alert heuristics · tune per account

Source: aggregated practitioner conventions — illustrative starting thresholds, not a Google specification
Projected monthly overspendAlert when projection exceeds budget by this margin
+10%
Projected monthly underspendAlert when projection falls short by this margin
−20%
Budget consumed before the 20thAlert when this share of monthly budget is spent early
60%

The right thresholds depend on the account's shape. A lead-generation account with weekday-weighted conversion patterns should expect to front-load spend; a 60%-by-the-20th alert would fire constantly and train the team to ignore it. An ecommerce account pacing into a month-end promotion inverts the logic entirely — that's what the Flexible Budgets template's weighted, back-loaded distribution exists for. This is also the check where the LLM layer is least necessary: pacing arithmetic is deterministic, and the agent's job is only to narrate the why and rank the response — the math itself needs no model.

Our projection: as more agencies wire LLM calls into pacing scripts, the differentiator won't be the thresholds — it will be alert quality. A model that reads the anomaly, the change history, and the campaign's promo calendar, then writes two sentences a client-facing account manager can forward, turns an alert stream into a briefing. Alert fatigue, not detection, is the failure mode these systems die of.

06CredentialsThe MFA change that rewired setup in April.

The setup detail agencies building these agents in 2026 must plan around: Google began rolling out mandatory multi-factor authentication for new Google Ads API, Scripts, and Google Ads Editor OAuth 2.0 refresh tokens starting April 21, 2026, with full enforcement over the following weeks — announced on the Google Ads Developer Blog on April 17 and corroborated by trade press the same day.

"Google will begin rolling out mandatory MFA for the Google Ads API starting April 21, with full enforcement expected over the following weeks."— Anu Adegbola, Paid Media Editor, Search Engine Land, April 17, 2026

Two clauses keep this from being a fire drill. Existing OAuth refresh tokens continued working without interruption — nothing already deployed broke on April 21. And service-account-based workflows, which Google recommends for unattended automation, were unaffected. The practical guidance falls out directly: anything that runs on a schedule with no human present belongs on a service account, and any new user-credential OAuth flow now assumes an MFA-capable identity — plan for that in client onboarding rather than discovering it mid-deployment.

One adjacent scope note, hedged deliberately: trade-press and vendor writeups report that new BigQuery Data Transfer Service configurations for Google Ads also fall under the MFA-backed individual-user requirement as of early May 2026 — relevant if you pipe Scripts output into BigQuery for QA dashboards — but that specific timing rests on secondary sources, so confirm it against Google's own documentation before planning around it. The MFA move also lands in a broader context of Google tightening account access; our Google Ads account security and hijacking-prevention audit covers the fuller checklist.

07Agency OpsScaling from one account to an MCC — and knowing when to leave Scripts.

A single-account QA agent is an afternoon project. An agency running the same stack across a manager account is an architecture decision, and the Scripts limits from Section 01 become the design constraints: MCC scripts get 60 minutes only via executeInParallel with a callback, each account holds at most 250 authorized scripts, and every LLM call spends shared run time. The decision matrix:

1-5 accounts
Official templates, lightly customized

Clone Link Checker, Anomaly Detector, and Flexible Budgets per account. Add the community GAQL disapproval alert. No AI layer yet — get the deterministic floor reliable first.

Pick the solutions gallery
Agency MCC
Scripts + LLM triage layer

One MCC-level script fans out via executeInParallel, batches ambiguous findings, and makes consolidated LLM calls for policy-risk and landing-page classification. Findings land in one sheet per client plus a daily digest.

Pick Scripts + UrlFetchApp
Outgrown Scripts
API + Cloud reference architecture

When 30-minute windows and iterator caps pinch, the pattern Google's own (older, 2024-era) Ads Policy Monitor models — daily GAQL snapshots into BigQuery via Cloud Functions on a scheduler, dashboarded in Looker Studio — is the shape to graduate toward.

Pick the Ads API
Full autonomy
A managed paid-media agent

QA is one subsystem of a full management agent — bidding, budgets, creative rotation, reporting. That build is a different scope with different guardrails, covered in our dedicated playbook.

Pick the full agent build

Two references anchor the graduation path. Google's open-source Ads Policy Monitor (google-marketing-solutions on GitHub, Apache-2.0) pulls a daily GAQL snapshot of ad and asset policy approval status into BigQuery with a Looker Studio template — but its last release, v2.0.2, dates to July 2024, so treat it as an architecture reference rather than an actively maintained 2026 tool. And the Ads API itself is on a brisk cadence — v24 shipped April 22, 2026, with v24.1 and v24.2 following in May and June — which is a real maintenance cost Scripts users don't pay. We cover that trade-off in the v23 management and April 2026 core-update playbook, and the full autonomous-management build in our paid-media PPC management agent guide.

08ConclusionAutomate the floor, reserve judgment for the edge.

The build order, July 2026

Templates first, LLM second, mutations last.

The playbook compresses to three moves. Clone Google's official templates — Link Checker, Account Anomaly Detector, Flexible Budgets — and add the community GAQL disapproval alert; that's the deterministic floor, maintained by someone else. Then wire in the LLM via UrlFetchApp only where reading is required: pre-emptive policy-risk triage, landing-page quality beyond status codes, and alert summarization. Keep it read-only until the classifications have earned trust.

Respect what's convention versus what's spec. The 30-minute run cap, the 250-script limit, and the April 21 MFA rollout are hard facts you design around. The 10/20/60 pacing thresholds are community heuristics you tune. Confusing the two categories is how teams end up either over-engineering against imaginary rules or treating folklore as compliance.

The larger arc: account QA is quietly becoming the first place agencies deploy a real agent, because the blast radius is small and the value is immediate. A scheduled script that reads, flags, and explains is a low-stakes rehearsal for the paid-media agents that will eventually act. The agencies that build the rehearsal now will trust their agents first.

Ship a QA agent for your ad accounts

Routine account QA should run every hour, not when someone remembers.

Our team builds Google Ads automation for agencies and in-house teams — from Scripts-based QA agents to full API-backed management systems — delivered in days, not quarters.

Free consultationExpert guidanceTailored solutions
What we work on

Paid-media automation engagements

  • Scripts-based QA agents — URLs, disapprovals, pacing, policy
  • LLM triage layers via UrlFetchApp with batch classification
  • MCC-scale rollouts with executeInParallel architectures
  • Graduation paths to Ads API + BigQuery reference builds
  • Credential and MFA-compliant setup for unattended automation
FAQ · Scripts + AI account QA

The questions we get every week.

Google Ads Scripts let advertisers programmatically manage and query Google Ads data using JavaScript in a browser-based IDE, per Google's product overview. Critically for QA automation, scripts can run on a schedule without an active user session — which is what makes an unattended agent possible. The hard limits shape the design: each run is capped at 30 minutes (60 minutes for manager-account scripts using executeInParallel with a callback), iterators return at most 50,000 results by default, logging truncates at 100 KB per run, and an account holds at most 250 authorized scripts. A well-designed QA agent works within those ceilings by batching, persisting progress between runs, and checking what changed rather than crawling the whole account every time.