ServicesAboutNotesContact Get in touch →
EN FR
Note

GTM Server-Side: Architecture and Four Building Blocks

How GTM Server-Side works as an intermediary layer — the request/response data flow, and the four component types (Clients, Tags, Triggers, Variables/Transformations) that make it up.

Planted
ga4google adsanalyticsdata engineering

GTM Server-Side inserts a server between the browser and third-party vendor endpoints. Rather than sending hits directly from the browser to Google, Meta, or other vendors, the web container sends requests to the server container, which processes them and forwards data selectively.

The server controls what data goes where, can enrich or strip information before forwarding, sets cookies as a first-party server rather than a third-party script, and can fan out a single incoming request to multiple vendor endpoints simultaneously.

The Data Flow

Here’s what happens when a page loads with server-side GTM configured:

  1. The browser loads your web GTM container as usual
  2. Instead of sending hits directly to Google, Meta, or other vendors, the web container sends HTTP requests to your server container URL (e.g., https://gtm.yourdomain.com)
  3. The server container receives these requests, processes them, and forwards data to vendor endpoints
  4. The server sends an HTTP response back to the browser, which can include Set-Cookie headers for first-party cookies

Step 4 is where the FPID cookie mechanism lives. The response header approach is what bypasses Safari’s 7-day cap on JavaScript-set cookies — the browser receives a cookie via HTTP header from a server that shares its domain, not via document.cookie from a third-party script.

The multiplexing in step 3 is the architectural leverage. You’re replacing N browser-to-vendor connections with 1 browser-to-server connection that fans out server-side. This reduces browser payload, eliminates vendor scripts from the client, and gives you a single chokepoint for data governance.

The Four Building Blocks

GTM Server-Side uses four component types. They’re conceptually similar to web GTM but have important differences.

Clients

Clients are unique to server-side GTM — there’s no equivalent in web containers. They act as gatekeepers that listen for incoming HTTP requests on specific URL paths.

The GA4 Client, pre-installed by default, listens on the /g/collect path for GA4 Measurement Protocol requests. When a Client recognizes and claims a request, it parses the raw HTTP data into a standardized Event Data object that the rest of the container works with. Think of it as translation: raw HTTP → structured event.

Clients operate in priority order. The first Client to recognize and claim a request becomes active — subsequent Clients don’t get a chance. If no Client claims a request, it goes unprocessed. This ordering matters when you have multiple Clients (GA4 Client, Stape’s Data Client for vendor-agnostic requests, a custom Client for a specific endpoint).

Tags

Tags receive the parsed Event Data and compile outgoing HTTP requests to vendor endpoints. The built-in tags cover GA4, Google Ads Conversion Tracking, Google Ads Remarketing, and a generic HTTP Request tag. The Community Template Gallery extends this to Meta CAPI, TikTok Events API, LinkedIn CAPI, Snapchat, Pinterest, and more.

The key difference from web GTM tags: server-side tags never touch the browser. They make server-to-server HTTP calls. This is why consent state must be explicitly passed — server-side tags have no access to the browser’s consent status unless the web container encodes it into the request.

Triggers

Triggers work similarly to web GTM but with different event types. The Custom trigger, which fires when “a request was sent to the GTM server container,” is the workhorse of server-side setups.

One critical detail that breaks more setups than anything else: the Client Name condition in triggers is case-sensitive. If your Client is named “GA4” and your trigger condition checks for “ga4,” nothing fires. No error, no warning — silent failure. GTM shows no indication that the condition isn’t matching. This is the most common first-day debugging trap.

Variables and Transformations

Variables retrieve values from the incoming event data using key paths. The main types:

  • Event Data — accesses values like page_location, user_data.email_address, or any custom parameter using dot notation for nested fields
  • Query Parameter — reads URL parameters from the incoming request
  • Cookie — reads cookies sent with the request (useful for forwarding _fbp, _fbc to Meta)
  • Request Header — reads HTTP headers (user agent, IP address, etc.)
  • Constant — static values like API keys and measurement IDs

Transformations are a newer resource type that sits between Clients and Tags. They let you modify the Event Data before tags access it — include, exclude, or transform specific parameters. Practical uses: enriching event data from an external lookup, stripping PII before forwarding to specific vendors, or remapping field names to match a vendor’s expected format. A Transformation is applied to selected tags, so you can strip email from the Meta tag without affecting the GA4 tag.

Why the Intermediary Architecture Matters

The shift from client-side to server-side isn’t just about cookies. The intermediary pattern creates capabilities that don’t exist in client-side implementations:

Data control. You decide what each vendor receives. You can forward the full event to GA4 and a stripped version (no PII) to a less-trusted vendor. You can enrich events with server-side data — user segments from your CRM, product margin from your database — before forwarding to GA4.

Reduced browser load. Vendor SDKs are heavy JavaScript libraries. Moving to server-side means you load fewer third-party scripts, which reduces page weight and eliminates a class of ad-blocker target (the vendor scripts themselves).

Consent enforcement point. The server container becomes a single enforcement point for data governance. For non-Google tags that don’t automatically read consent signals, you build the enforcement logic once in the server container rather than across multiple client-side implementations.

Attribution signal recovery. Server-side hits aren’t blocked by browser-based ad blockers (which target JavaScript execution and network requests from known tracker domains). A request from gtm.yourdomain.com looks like a first-party server call, not a third-party tracker.

The architecture requires a deployed server container — it’s not just a GTM configuration, it’s actual infrastructure you run (or pay someone to run for you).