Know what access you need
Ask for access by system, role, and purpose. A client is more likely to send the right thing when the request says “Google Search Console owner access” instead of “send marketing logins.”
Prefer invitations
When a platform supports team invitations, use them. Invitations are easier to revoke and usually safer than sharing a password.
For systems that still require shared credentials, keep the request separate from normal project chat.
Avoid email
Email spreads credentials into inboxes, forwarded threads, and search history. It also makes it hard to know who has seen the details.
Use a dedicated portal or secure intake flow where sensitive values are clearly marked and handled intentionally.
Keep a record
Track what was requested, what was submitted, who reviewed it, and whether the credential still matters. At the end of a project, delete or rotate access that is no longer needed.