Advanced setup · Enterprise

Bring your own
OAuth app.

Most VelaReach customers use the shared VelaReach app and connect in 30 seconds. If you need your own rate limits, data isolation, or branded consent screens, these guides walk you through setting up your own OAuth app on each advertising platform.

10 platforms AES-256-GCM encryption Live credential validation Zero-downtime switchover

Before you pick a platform

Is BYO right for you?

If you’re not already bumping into API rate limits, don’t have a legal need for data isolation, and just want to ship fast — stick with the shared VelaReach app. It’s a 30-second click-to-connect.

What you need

A developer account on the platform, admin access to your advertising account, and usually some form of business verification. Each guide lists exact prerequisites.

How long it takes

10–30 minutes of clicking, plus the platform’s approval window (instant to 4 weeks depending on platform). You can save credentials now and wait for approval in parallel.

Pick your platform

Meta Ads
Facebook + Instagram · Marketing API
~10 min Medium 1–3 days review
Google Ads
Search, Display, YouTube, Shopping
~15 min Hard 2–4 weeks review
TikTok Ads
TikTok For Business Marketing API
~10 min Medium Partner review
LinkedIn Ads
Sponsored Content + B2B lead gen
~12 min Hard 1–2 weeks review
X Ads
X (Twitter) Promoted Posts + Video
~10 min Expert Paid tier
Amazon Ads
Sponsored Products + Brands + DSP
~12 min Hard Region-locked
Microsoft Ads
Bing, Edge, Microsoft Audience Network
~12 min Hard Entra ID
Pinterest Ads
Promoted Pins + Shopping Ads
~8 min Medium Business account
Snapchat Ads
Story Ads, AR Lenses, Collection
~10 min Hard Verified domain
Reddit Ads
Promoted Posts + Conversation Ads
~6 min Easy Beta API

How the BYO process works

1
Create your app

On the platform’s developer portal, create an app and grab its ID + secret.

2
Paste into VelaReach

Settings → Integrations → Advanced → Set up BYO app. Credentials encrypt immediately.

3
Live validation

We hit the platform API with your credentials and show 5 inline checks.

4
Reconnect

Consent screen shows YOUR app. Historical data preserved, rate limits are yours.

How we protect your credentials

Encryption at rest

Every secret (client_secret, developer token, refresh token) is encrypted with AES-256-GCM before it touches disk. The key envelope uses a separate KEK that never leaves our infrastructure.

Workspace isolation (RLS)

PostgreSQL row-level security ensures your credentials are only visible to queries running in your workspace’s context. A compromise of one workspace can’t leak another.

Never logged or sent to Sentry

Every log statement that touches BYO creds strips the sensitive fields before writing. Sentry scrubbing rules catch any regression.

One-click revoke

Click Remove BYO and the encrypted row is hard-deleted, vault tokens revoked, and the connection reverts to the shared app. Historical data stays.