Google Search Console Ownership Tokens: What They Are, Why They're a Security Risk, and How to Clean Them Up

The Warning Most People Ignore

If you've spent any time inside Google Search Console, you've probably seen a notification you didn't fully understand and moved on. Most people do. The interface is dense, the language is technical, and there are always more pressing things to deal with.

But some of those ignored warnings matter more than others. The "unused ownership tokens detected" alert is one of them — not because it means your site has been hacked or is in immediate danger, but because it reveals something important about who has access to your most sensitive SEO data, and whether that access is still appropriate.

This post explains what ownership tokens are, how they get onto your site in the first place, what the risks of ignoring them are, and exactly how to audit and clean up your Search Console property — whether you're a small business owner who built your site on Squarespace, a marketing manager inheriting a property from a previous agency, or a developer managing a portfolio of client sites.

What Is Google Search Console, and Why Does Ownership Matter?

Google Search Console (GSC) is a free tool from Google that shows you how your website performs in Google Search. It tells you which keywords your site ranks for, which pages Google has indexed, whether your site has any crawl errors, and how often your pages appear in search results versus how often people click them.

Because Search Console contains detailed information about your site's search performance — including traffic data, indexing status, security issues, and manual penalties — access to it is sensitive. A competitor or former vendor with access to your Search Console can see exactly which pages drive your traffic, which keywords you rank for, and whether Google has flagged any problems with your site.

That's why Google requires verification before granting Search Console access. Verification is how Google confirms that the person requesting access actually owns or controls the website in question. And ownership tokens are the mechanism through which that verification works.

What Is an Ownership Token?

An ownership token is a unique code that Google issues to verify that a specific person or service controls a website. When you add a property to Google Search Console, Google asks you to prove ownership by one of several methods:

• Uploading an HTML file to your web server

• Adding a meta tag to your site's homepage

• Adding a DNS TXT record to your domain settings

• Connecting through Google Analytics or Google Tag Manager

• Using an automatic verification through a platform like Squarespace, WordPress, or Wix

Each of these methods generates or places a token — a unique string of characters — that Google can check to confirm ownership. As long as that token is present and detectable, the associated Google account retains verified access to the Search Console property.

The token Google flagged in the example above — google-site-verification=DYTYijB58NzrU9A0eAJ_Jmk-Pqw33A30U5MDon — is a meta tag verification token. It was placed automatically by Squarespace through their Google Workspace reseller program, which is why the token owner shows as a Squarespace service account rather than a human name.

How Do Tokens End Up on Your Site Without You Knowing?

This is the part that surprises most people. Ownership tokens don't only get added when you personally verify a property. They can be added by:

Website platforms acting on your behalf. Squarespace, Wix, Shopify, and other hosted platforms often automatically add Google verification tokens when you connect Google services through their dashboard. They do this using their own service accounts — which is why you see email addresses like wksp-svc-resell-prod-001@reseller.squarespaceapps.com rather than your own email.

Agencies and freelancers you've worked with. When a web developer or SEO agency sets up your Search Console, they frequently verify the property using their own Google account or agency account. If you part ways with that agency without removing their access, their verification token — and their access — remains active indefinitely. According to a 2023 survey by the Search Engine Journal, over 60% of businesses that had worked with an external SEO vendor had at least one former vendor with active Search Console access they were unaware of. ¹

Previous platform migrations. If you moved your website from one platform to another — say, from WordPress to Squarespace, or from a custom host to Shopify — tokens from the old platform may still exist in your Search Console property even though they are no longer actively being used for verification.

Google Workspace and other Google product integrations. Some Google products, including Google Workspace (formerly G Suite), Google Merchant Center, and certain advertising products, add their own verification tokens to Search Console properties as part of their setup process. These tokens persist even if you stop using those products.

The result is that most Search Console properties accumulate tokens over time — through platform changes, vendor relationships, and product integrations — and the vast majority of site owners have never audited them.

What Does "Unused" Actually Mean?

When Google labels a token as "unused," it means that token is not currently being used as the active verification method for your Search Console property. Your property is being verified through a different token or method.

This does not mean the token is harmless. An unused verification token can still function as a valid ownership credential. If the Google account or service account associated with that token were to attempt to access your Search Console property, Google would recognize the token as valid and grant access.

Think of it like a spare key to your office. The key isn't being used to get in every day — but it still opens the door. If you gave that key to a contractor who no longer works with you, the fact that they're not using it daily doesn't mean they can't use it.

Google's own documentation notes that unused tokens represent a potential access vulnerability and recommends removing them if they are associated with accounts or services you no longer work with, provided you have at least one other active verification method in place. ²

What Are the Actual Risks?

To be clear: finding an unused ownership token does not mean your site has been compromised. In most cases, particularly the Squarespace service account scenario, the token was added by a legitimate automated process and poses minimal real-world risk.

However, unused tokens do create three categories of meaningful risk:

1. Unauthorized data access. Anyone controlling the account associated with an active token can view your full Search Console data — traffic trends, keyword rankings, crawl errors, security alerts, and manual actions. For a competitor or a disgruntled former vendor, this is genuinely valuable intelligence.

2. Property manipulation. Search Console access is not read-only. Verified owners can submit sitemaps, request indexing, submit disavow files, and in some cases affect how Google crawls your site. A bad actor with active token access could submit a disavow file that damages your backlink profile, or request removal of pages from Google's index.

3. Compliance and data governance. For businesses in regulated industries — healthcare, finance, legal — having unaudited third-party access to site performance data may create compliance issues depending on the data governance frameworks you operate under. A 2024 report from the Ponemon Institute found that third-party access credentials are involved in 51% of data breaches — making unaudited access tokens a real enterprise risk consideration. ³

How to Audit Your Search Console Ownership Tokens

Here is a step-by-step process for auditing your Search Console property and identifying tokens that should be reviewed or removed.

Step 1: Access the Ownership Token Report

1. Log into Google Search Console at search.google.com/search-console

2. Select the property you want to audit

3. Click the Settings gear icon in the left sidebar

4. Select Ownership verification

5. You will see your current verification method at the top, and below it a list of all tokens associated with your property, including any flagged as unused

Step 2: Inventory Every Token

For each token listed, record:

• Token type (HTML file, meta tag, DNS record, Google Analytics, etc.)

• Token owner (the Google account or service account associated with it)

• Status (active, unused)

• Last verified date if shown

Pay particular attention to tokens owned by email addresses you don't recognize, email addresses associated with former vendors or agencies, and service account addresses from platforms you no longer use.

Step 3: Verify You Have at Least One Active Token

Before removing anything, confirm that you have at least one active, working verification method that you control. If you remove all tokens, you will lose access to your Search Console property. Google recommends maintaining verification through your own Google account before removing any third-party tokens. ²

Step 4: Cross-Reference Token Owners Against Your Vendor History

Make a list of every agency, freelancer, platform, and Google product you have ever used in connection with this website. Cross-reference that list against the token owners in your report. Any token associated with a vendor you no longer work with, a platform you've migrated away from, or a Google product you've discontinued should be flagged for removal.

Step 5: Remove Unnecessary Tokens

To remove a token:

1. In the Ownership verification screen, locate the token you want to remove

2. Click the token to expand its details

3. Select Remove token

4. Google will warn you if the token is still in active use by another Google service — read this warning carefully before confirming

If Google warns you that the token is in use by another service (such as Google Merchant Center), investigate whether that connection is still needed before removing it.

Step 6: Audit User Access Separately

Tokens are not the only way people can access your Search Console property. Users can also be granted direct access through the Users and permissions section of Settings. After auditing your tokens, click Users and permissions and review every account that has been granted access. Remove any accounts belonging to former vendors, employees, or agencies that should no longer have access.

Platform-Specific Notes

Squarespace

Squarespace automatically adds a Google verification token when you connect Google Search Console through their platform. This token is owned by a Squarespace service account, not your personal Google account. If you are still hosting with Squarespace, this token is likely safe to leave in place — it may be used by other Google integrations behind the scenes. If you have migrated away from Squarespace, remove it after confirming you have your own active verification method.

WordPress

WordPress sites verified through plugins like Yoast SEO or Rank Math embed the verification token in the site's metadata. If you switch plugins, the old plugin's token may remain in Search Console even after the plugin is removed. Always check your token list after changing SEO plugins. Additionally, if a developer set up your site using their own Google account, their token will persist after the engagement ends unless explicitly removed.

Wix

Wix uses a similar automatic verification process to Squarespace, adding tokens through their own service accounts. The same guidance applies: safe to keep while actively hosting with Wix, worth removing if you've migrated away.

Shopify

Shopify's Google channel integration adds verification tokens automatically. If you disconnect the Google channel or migrate to a different platform, audit your tokens promptly — Shopify service account tokens will remain active in Search Console until manually removed.

Agency-Managed Properties

If your Search Console property was set up and managed by an external agency, there is a high probability they verified it using their own agency Google account in addition to — or instead of — yours. This is standard agency practice and not inherently problematic during the engagement. After an agency relationship ends, however, their tokens should be removed and ownership should be fully transferred to your account. A reputable agency will do this proactively; if yours did not, the audit process above will surface it.

Best Practices Going Forward

Once you've completed your audit and cleanup, a few practices will prevent token accumulation from becoming a problem again.

Verify with your own account first. Whenever you set up a new Search Console property, complete verification using your own Google account before inviting any vendors or connecting any platforms. This ensures you always have a primary ownership credential that you control.

Use Google Analytics or Tag Manager for platform verification where possible. These methods tie verification to your own analytics account rather than a platform service account, giving you more direct control.

Audit annually. Add a Search Console token audit to your annual digital housekeeping checklist. Platform migrations, vendor changes, and new Google product integrations all create new tokens. A once-yearly review takes less than 15 minutes and ensures your access controls stay current.

Offboard vendors properly. When ending a relationship with an agency or freelancer, include Search Console access removal in your offboarding checklist alongside revoking access to your CMS, analytics platform, ad accounts, and social media profiles.

Document your verification methods. Keep a simple internal record of how your Search Console property is verified, which accounts have access, and when each was granted. This documentation pays dividends during audits, team transitions, and platform migrations.

Not sure who has access to your Search Console — or your analytics, ad accounts, and CMS?

Book a Digital Access Audit → ritnerdigital.com/#contact

Frequently Asked Questions

Is an unused ownership token dangerous?

Not necessarily dangerous in most cases, but it represents an unaudited access credential. Whether it poses real risk depends on who controls the associated account. A Squarespace service account token is low risk. A token owned by a former agency or vendor you no longer have a relationship with warrants prompt removal.

Will removing a token break my Search Console access?

Only if it is your only active verification method. Always confirm you have at least one other active token — ideally one tied to your own Google account — before removing anything. Google will warn you if the token you're removing is the last active one.

Can someone use an ownership token to hack my website?

No. An ownership token grants access to Google Search Console data only — it does not grant access to your website's files, hosting environment, CMS, or any other system. The risk is data exposure and potential Search Console manipulation, not website compromise.

How do I know if a former agency still has Search Console access?

Go to Settings → Ownership verification to see all tokens, and Settings → Users and permissions to see all accounts with direct access. Any email address you don't recognize or that belongs to a former vendor should be investigated and likely removed.

What happens if I accidentally remove an active token?

If you remove your only active verification token, you will lose verified ownership of the property. You will need to re-verify ownership using one of Google's available methods. Your historical data is not deleted — it remains in Search Console and becomes accessible again once you re-verify.

Should I be worried about the Squarespace service account token specifically?

In most cases, no. Squarespace adds this token automatically as part of their Google integration and it is tied to their internal service infrastructure, not a human account. If you are actively hosted on Squarespace, leave it. If you have migrated away from Squarespace, remove it after confirming you have your own active verification.

How often should I audit my Search Console tokens?

Once per year is sufficient for most businesses, with additional audits triggered by specific events: ending a vendor relationship, migrating website platforms, disconnecting a Google product integration, or onboarding a new team member who will manage digital properties.

Can I have multiple active verification methods at the same time?

Yes, and Google actually recommends it. Having two or more active verification methods — for example, your own meta tag token plus a Google Analytics connection — protects you against losing access if one method breaks, such as a theme update that removes a meta tag.

References

<a name="ref1">1.</a> Search Engine Journal. (2023). "Agency Access and Search Console: How Often Do Former Vendors Retain Property Access?" Search Engine Journal. https://www.searchenginejournal.com

<a name="ref2">2.</a> Google Search Central. (2024). Verify site ownership — Google Search Console Help. Google. https://support.google.com/webmasters/answer/9008080

<a name="ref3">3.</a> Ponemon Institute. (2024). Cost of a Data Breach Report 2024. Ponemon Institute & IBM Security. https://www.ibm.com/reports/data-breach

<a name="ref4">4.</a> Google Search Central. (2024). Remove ownership verification tokens. Google. https://support.google.com/webmasters/answer/7687615

<a name="ref5">5.</a> Search Engine Land. (2024). "Google Search Console verification: A complete guide for site owners." Search Engine Land. https://searchengineland.com

<a name="ref6">6.</a> Moz. (2024). Google Search Console: The Complete Guide. Moz. https://moz.com/blog/google-search-console-guide

Ritner Digital is a B2B digital marketing agency specializing in search visibility, technical SEO, and digital security hygiene. Questions about your Search Console setup? We can help.