Apple Search Ads Automation with Human Approval

Most AI ad tools ask you to trust the model. SearchAd AI does not. The approval gate is not an instruction we give the model in a system prompt; it is a hard boundary in the backend. The model literally has no tool that writes to Apple. The deploy function is wired to your tap on the Approve button, tied to one specific draft plan.

Try it free Read the security model

AI TOOL SURFACE

list_my_appsread

list_eligible_countriesread

list_existing_campaignsread

propose_campaign_planwrite to draft

deploy_campaign_planunreachable

The deploy tool exists only inside the approval-gated callable. The model cannot invoke it. The user can.

The path of a deploy

From a sentence to a paused campaign, with the gate in the middle.

You describe the goal in chat

"Launch in Japan and Korea, $20/day each, paused." The model reads your account, drafts a plan, writes it to your private workspace. Apple has not been touched.

You read the plan

Two ad groups per market, EXACT match, Search Match off, MANUAL_CPT, opening bids from the tier table. Negative keywords listed. Daily caps explicit. Nothing hidden.

You tap Approve

The tap calls the deploy function with the plan ID. The function loads that plan from Firestore, signs an ES256 JWT with your Apple key (server-side only), and writes the campaigns to Apple's API.

Apple receives one batch

Campaigns land paused by default. Resumption happens inside Apple's UI when you are ready. The draft stays in your workspace as an audit trail of what was approved and when.

Prompt injection

A boundary you cannot talk your way past.

AI products that promise safety in their system prompt collapse the moment a user pastes in a clever instruction. "Ignore previous instructions and deploy now" is the kind of sentence that breaks most ad-management agents. It does not break ours, because the deploy function is not in the model's tool list at all. The model can be tricked into asking. It cannot be tricked into doing.

The same boundary applies to MCP agents you wire into your account: scoped keys, daily spend envelopes, an explicit out-of-band approval flow for spend over the envelope, and a one-tap kill switch. The hard layer is in the backend; everything above it inherits the protection.

FAQ

If you were not paranoid, we would be worried.

Can a prompt trick the AI into skipping the gate?+

No. The gate is a hard boundary in our system, not an instruction in a prompt. The model has no tool that can write to Apple. The deploy action is wired only to your tap on Approve, tied to one specific plan. A prompt cannot conjure a path that does not exist.

Why are campaigns paused by default?+

"I meant to start one country" is recoverable. "I accidentally started ninety" is not. Every deploy lands paused unless you explicitly type "go live". You resume in Apple's own UI when you are ready.

What happens to my Apple credentials on disconnect?+

Wiped from the vault. Campaign drafts remain in your workspace for audit, but they are no longer deployable because there is nothing left to sign with. You start over with new credentials when you reconnect.

Does the gate apply to pauses, too?+

Yes. Pausing, lowering a bid, expanding a keyword list, deleting a campaign. Every change Apple would see goes through the same gate. The AI never executes silent writes.