Configure the GTM Server Container

This step configures the GTM server container workspace for the Connect stage. It runs after the web container has been configured (so the test forwarder is sending traffic to the tagging endpoint) and before the optional Preview Test or the Publish stage.

The app page header reads Configure the GTM Server Container. The server container receives the events forwarded by the web container's Test Forwarder tag, processes them, and writes them to the server-only GA4 property. GSS creates or updates a small static set of required GTM items in the selected server workspace: a GA4 client to claim incoming requests, an All Pages trigger that fires on every claimed event, and the GA4 Forwarder tag that sends those events to the server GA4 property. On the first-party loader profile, a Web Container Client is also required. Step 1 picks (or creates) the GSS workspace. Step 2 picks the loader profile. Step 3 manages the workspace items. Step 4 checks the install. Step 5 records what you observe in GTM Preview.

Happy path

The app renders the workspace setup as its own step (visible marker 1), so the four numbered steps below appear as visible markers 2, 3, 4, and 5 on the page.

Set up the GSS workspace — pick or create the workspace inside your selected GTM server container.
How GTM is loaded on your site — pick Standard or First-party loader, click Save profile.
Server GTM items — click Create / Reset / Pick on each row that needs attention until every card is Ready (3 always-required items: GA4 client, All Pages trigger, GA4 Forwarder; plus Web Container Client on first-party loader).
Check GTM items and server-side install — click Check; the structural checks turn green (6 on Standard, 7 on First-party).
Confirm each runtime check after Tag Assistant — open GTM server Preview + GA4 DebugView, confirm 4.1–4.4 are observed, then click Save.
Continue to Verify wiring in Preview (optional cross-container probe), then on to Publish — Review staged setup.

Glossary▶

Server container: The GTM container that runs inside the Cloud Run tagging service (server-side), separate from the web container that runs in the browser.
Workspace: The unpublished draft inside a GTM server container where GSS writes. Step 2 + 3 read this draft, not the published live container.
MID: Measurement ID — the G-XXXXXXXXXX string that identifies a GA4 data stream. The server container uses the server property's MID, not the browser property's.
Loader profile: Standard (browser fetches gtm.js from googletagmanager.com) or First-party (browser fetches gtm.js from your tagging domain via the server container). Set in the How GTM is loaded step on this page.
Selected events: The subset of GA4 events you chose to verify end-to-end during Discover. These define the validation/coverage scope — which events GSS expects to observe arriving at the server. They are not materialized as GTM artifacts; the GA4 Forwarder mirrors every incoming event regardless of selection.
GSS - prefix: Naming convention for GTM items that GSS creates or tracks. Renames can still be Ready when behavior matches.

Not covered on this page: web container configuration (GTM Web Container), GA4 property setup (GA Properties), Cloud Run / tagging endpoint (Tagging Endpoint), or selecting which events to mirror (Discover / event selection).

Before you start

Complete GTM Web Container so traffic is reaching the tagging endpoint.
Complete GA Properties so the server GA4 property and stream are bound.
Complete Tagging Endpoint so the Cloud Run tagging service has a public custom domain.
Have edit access to the selected GTM server workspace (separate from the web container's workspace).
Selected at least one event in Discover. Without a selection, downstream observation checks have nothing to verify against.

Decision record

The decision record at the top of the app page summarizes what this step is working against and whether the page is ready to hand off to the next Connect step. Its header reads Configure GTM server container. Use it as the page-level status before reading the numbered steps below.

Field	Where it comes from	What "done" looks like
Server container	Inherited from GTM Containers. Read-only here.	Container name and `GTM-XXXXXXX` public ID are shown.
Workspace	The GTM server workspace GSS uses for draft edits and detection. Picked or created in the Set up the GSS workspace step below.	A workspace name is shown (not "Not saved").
Loader profile	Set in the How GTM is loaded step below. Determines whether First-party or Standard items appear in Step 3 and whether the `/gtm.js` 200 check runs in Step 4.	`Standard` or `First-party`.
GTM items	Rollup of the Server GTM items step. Counts required GTM items that are Ready vs. need attention.	`N of N GTM items ready` — 3 items on Standard profile, 4 on First-party loader.
Configuration checks	Rollup of the Check GTM items and server-side install step. Counts the structural checks that have passed.	`7 of 7 verified` after the Check button has run (the loader-endpoint check 3.1 shows as N/A — standard loader profile on Standard, so the effective count is 6 of 7).
Preview verification	Rollup of the Confirm each runtime check after Tag Assistant step. Counts the browser-assisted attestations you have saved.	`4 of 4 confirmed` after observing each runtime check in GTM server Preview / GA4 DebugView and clicking Save.

The bottom nav opens Verify wiring in Preview (the optional cross-container probe) once GTM items, Configuration checks, and Preview verification are all green. Preview Test sits between this page and Publish.

1Set up the GSS workspace

GSS writes its client, tag, and trigger changes into a single GTM workspace dedicated to GSS inside the server container. Nothing in your live server container changes until you publish that workspace in GTM. The app surfaces this as the first step on the page so you decide where GSS will write before any GTM item is touched.

The recommended path is to let GSS create its own server workspace. Click Create GSS workspace, accept the suggested name, and Save. A dedicated workspace keeps GSS’s edits separate from anything else in the container and lets you undo the whole setup later by deleting just this workspace.

Pick an existing workspace instead by clicking Refresh workspaces, choosing a row in the picker, then Save workspace. If that workspace already has draft items, a confirmation modal makes you acknowledge that those drafts will publish alongside GSS’s items.
Change later — after a workspace is saved, the bound row gets a Delete or Unlink action. Delete removes the workspace in GTM and re-opens the picker. Unlink keeps the workspace in GTM and detaches it from this project.
Saved workspace deleted in GTM — the status pill flips to "Saved workspace missing" and the picker re-renders so you can pick a replacement.

Steps 2, 3, 4, and 5 below are locked with a grey "Set up the workspace in step 1 first" pill until this step succeeds.

2 How GTM is loaded on your site

This step (visible marker 2 on the app page; anchored as #step-1 here) is where you pick how the GTM web container's loader script (gtm.js) reaches the browser. The two options render as radio rows in a table; the Save profile button at the bottom commits the choice (and stays disabled until you pick something different from the current saved value).

Standard — browser fetches gtm.js directly from googletagmanager.com. Simplest setup; no extra Cloud Run client needed. Pick this if a server subdomain isn’t an option.
First-party — browser fetches gtm.js from your tagging domain through the server container. The most resilient setup against ad blockers and browser tracking protections. Adds a Web Container Client item in Step 3 and gates an extra Step-4 check (/gtm.js returns 200).

The chosen profile shows up in the decision record (read-only) and on the row pill ("Selected — Standard" / "First-party"). The four downstream steps re-render when the profile flips because they depend on the profile filter.

3 Server GTM items

This step (visible marker 3 on the app page; anchored as #step-2 here and from app deep-links) is where configuration happens. Each row is a client, tag, or trigger that GSS checks in your saved GTM server workspace. The action verbs are operation-specific — there is no longer a generic "Configure" button. Use:

Create on a Missing row to author the GSS-managed item.
Reset on a Changed row to overwrite it with the GSS-managed body.
Pick a client / Pick a tag / Pick a trigger on a Multiple-matches row to tell GSS which existing item to track.
Re-check at the top of the step after you edit GTM directly.
Restore only when you want to roll a tracked item back to a prior saved version.

All changes stay as unpublished GTM workspace edits until you publish the server container at the Publish stage.

3.aWhat this step writes

A single cluster of static items. The GA4 client claims every incoming request and hands it to the All Pages trigger, which fires the GA4 Forwarder tag. The forwarder sends each event to the server GA4 property, mirroring every incoming event regardless of which events were selected for validation.

Static cluster: GSS - GA4 Client ─┐ GSS - All Pages (trig) ─┼─ GSS - GA4 Forwarder [server GA4 stream binding] ─┘ First-party loader profile only: GSS - Web Container Client

When a downstream item reports dependency_failed, fix the upstream binding or trigger first — the leaf tag depends on whatever the dependency rows resolved to.

3.bRequired GTM item reference

One block per required GTM item. The header line shows the item name, the GSS-managed name, and the GTM type. The four labeled rows below describe what Create / Reset writes, what the item depends on, what counts as Ready, and how to recover when it needs attention.

Reference note: the deep-dive copy below sometimes uses the noun Configure to describe the GSS-managed authoring step. On the app page itself, the actual buttons are Create (Missing), Reset (Changed), and Pick a {type} (Multiple matches). Read "Configure" as a stand-in for whichever of those applies to the row’s current status.

GA4 client GSS - GA4 Client GA4 client

Create / Reset writes: Existence-only: {name: "GSS - GA4 Client", type: "gaaw_client"}. No parameters, no overrides.
Depends on: —
Ready when: Any client whose type contains ga4 or gaaw is a match. GTM auto-provisions one in every new server container, so this normally passes without Configure.
If it needs attention: Detection finds no GA4 client (rare; usually means it was deleted, or the wrong workspace is bound). Configure creates the GSS-managed client.

Deep dive ▶

What it is. A GTM client object inside the server container. Clients are what claim inbound HTTP requests at the tagging endpoint. The GA4 client claims requests on the default GA4 measurement paths (/g/collect and /mp/collect) and turns each one into an event the rest of the server pipeline can react to.

How Configure builds the item. Existence-only generator: writes a client of type gaaw_client with no extra parameters. The default activate-paths setting is the GSS-managed state — Step 3 verifies that explicitly (3.3).

Where the inputs come from. None — this item has no upstream bindings. New GTM server containers ship with a GA4 client out of the box, so the typical Ready path is "detected, no Configure needed."

Why it might fail. This item's own generator cannot fail. Detection misses can happen if: the workspace binding points at a different workspace than the one with the client; the client was renamed in a way that hides its type; or the client was deleted in this draft.

How to recover. Re-check the workspace selection on the GTM Containers page. If the client really is missing, Configure recreates it. Then re-run Step 3 — both 3.2 (client enabled) and 3.3 (default paths) should turn green together.

Web Container Client first-party loader only GSS - Web Container Client Web container client

Create / Reset writes: Existence-only: {name: "GSS - Web Container Client", type: "web_container"}.
Depends on: First-party loader profile (set in the How GTM is loaded step above).
Ready when: Any client of type gtag_client, web_container, or swg, OR any client whose name contains "web container" (case-insensitive). The item is suppressed entirely on Standard profile projects.
If it needs attention: Profile is First-party but no matching client exists. Configure creates one. On Standard profile this card does not appear.

Deep dive ▶

What it is. A GTM client in the server container that claims requests for /gtm.js and proxies them to the GTM web container's JavaScript loader. This is what enables the first-party loader setup, where the browser fetches gtm.js from your custom tagging domain instead of googletagmanager.com. Standard profile sites do not need it (the browser fetches directly from Google).

How Configure builds the item. Existence-only generator: writes a client of type web_container with no extra parameters.

Where the inputs come from. The loader profile selection from the How GTM is loaded step on this page. The item itself has no other upstream bindings, but its visibility is gated on profile == first_party_loader — on Standard profile it is suppressed and never renders.

Why it might fail. Generator cannot fail. The card only appears for First-party loader projects, so its presence already implies the gate is open. Detection misses are unusual: the client is not auto-provisioned by GTM, so on a fresh server container you'll see Missing until someone Configures it.

How to recover. Configure to create the client. Then run Step 3.1 (the /gtm.js 200 check) to confirm the loader URL responds correctly from your custom domain.

All Pages trigger GSS - All Pages Always trigger

Create / Reset writes: Unfiltered Always trigger — no condition rows: {name: "GSS - All Pages", type: "always"}.
Depends on: —
Ready when: An unfiltered trigger of type always exists. In the server container, this fires on every claimed inbound request. GTM rejects pageview triggers in server containers; always is the server-side equivalent.
If it needs attention: Trigger is filtered, uses another type, or is missing. Configure. Substitute a filtered trigger only if the forwarder tag should run on a subset of incoming traffic by design.

Deep dive ▶

What it is. A GTM trigger of type always with no filters. In the server container, this fires once per claimed request — it is the server-side analogue of the web container's All Pages trigger. The GA4 Forwarder tag uses it as its only firing trigger so every claimed event is forwarded to the server GA4 property. GTM rejects type=pageview in server containers with a 400 error; always is the correct type here.

How Configure builds the item. Minimal: {name: "GSS - All Pages", type: "always"}. No condition rows.

Where the inputs come from. None — no upstream bindings.

Why it might fail. Generator cannot fail. If the trigger is deleted or its artifact_id is unresolved when the GA4 Forwarder tag tries to generate, that tag's Configure raises a missing-dependency error pointing here.

How to recover. Configure this row directly to recreate or rewrite. A filtered trigger will show Changed; Configure replaces it with the unfiltered GSS-managed setup.

GA4 Forwarder tag GSS - GA4 Forwarder Server GA4 tag (sgtmgaaw)

Create / Reset writes: {name: "GSS - GA4 Forwarder", type: "sgtmgaaw", parameter: [measurementId=<server MID literal>, redactVisitorIp=false, epToIncludeDropdown=all, upToIncludeDropdown=all], firingTriggerId: [<all_pages_trigger>], tagFiringOption: "oncePerEvent"}. measurementId is the literal server measurement ID, not a variable reference.
Depends on: GA4 client + All Pages trigger + server GA4 stream binding (for the MID).
Ready when: A tag of type sgtmgaaw exists whose measurementId resolves to the server measurement ID and whose firing trigger is the All Pages trigger. googtag is a web-only tag type (server containers reject it); gaawe is a web-only built-in template that server containers reject as an unknown entity type.
If it needs attention: Wrong server MID, paused tag, missing All Pages trigger, or unhealthy upstream bindings (Tier 2 cascade clears the server GA4 stream + property bindings, which prevents this tag from generating).

Deep dive ▶

What it is. The server-side GA4 forwarding tag. Its job is to take every event the GA4 client claims and send it to the server GA4 property. The All Pages trigger fires it on every claimed request so nothing is filtered out. There are no per-event tags — this single tag handles all events.

How Configure builds the item. Type sgtmgaaw (the server-container GA4 tag type), one measurementId parameter set to the literal server measurement ID (resolved at Configure time), plus the three non-MID params above. One firing trigger pointing at the resolved All Pages trigger; tagFiringOption: oncePerEvent.

Where the inputs come from. The server MID is resolved from ga4_stream_server (preferred) or ga4_property_server bindings, both written by the GA Properties page's save + Validate flow. The All Pages trigger comes from the trigger item above. The GA4 client is a dependency for ordering even though no field references it.

Why it might fail. cannot generate without resolved prerequisites: missing <list> with one or more of: ga4_stream_server / ga4_property_server, server.ga4_client, server.all_pages_trigger. Most common after a Tier 2 cascade: the server GA4 bindings get cleared, this tag stops generating until you re-save the server property on GA Properties.

How to recover. If the failure is GA4-binding-related: GA Properties page → save the server property → run Validate → return here and Configure. If a dependency item is unhealthy, fix that card first; dependency_failed here almost always means a real problem on a dependency card.

Detection can classify a matching GTM item as Ready even if the name or exact setup differs from the GSS default. Treat non-behavior changes as optional cleanup; treat behavior-changing differences as something to fix before moving on.

3.cAnatomy of a GTM item card

Each required GTM item renders as a card with a fixed shape. Knowing what each field means makes it faster to decide whether to act on a row.

Card field	What it tells you
Title + GTM link icon	Required item name (with the event name appended for dynamic instances). The arrow icon next to the title is a deep link into `tagmanager.google.com` for the tracked GTM item; it only appears when GSS has a tracked item.
Status LED + label	`Ready`, `Changed`, `Missing`, `Multiple matches`, or `Ignored`, plus a one-line summary.
GSS tracking	Whether GSS is tracking an existing item, has no item selected yet, or is ignoring this item.
Last activity	When and how the item was last touched (Configure, Restore, manual edit detected, etc.).
Action button(s)	The action needed for the current state. Restore and Ignore/Include sit alongside when applicable.
Technical details	Disclosure with internal key, tracking state, fingerprint, last-seen timestamp, why the item has this status, and a lazy-loaded diff between the current item and the GSS-managed version.

3.dReference: card states

Status values you might see ▶

Each item card has a visible status, tracking details, and sometimes an action. Use this table to decide whether you can proceed or need to act.

State shown	What it means	What to do
Ready	GSS found the required GTM item and it works for this setup. Includes both exact GSS-managed matches and equivalent user-created items.	Nothing required. Open Technical details to see the tracked item, fingerprint, or GTM link.
Changed, behavior still matches	The item behaves correctly but differs from the GSS-managed version — usually name, alias type, or literal value vs. variable reference.	You can proceed if intentional. Configure rewrites the GSS-managed version; Restore rolls back to a prior known-good version when one exists.
Changed, behavior may differ	The tracked item differs in a way that can change behavior: wrong measurement ID, wrong eventName, paused/blocked tag, filtered trigger, wrong client type.	Do not proceed. Open details, fix with Configure (or Restore), then Re-check.
Missing	No matching GTM item was found in the detected GTM state.	Configure. If Configure fails, check the error response and the dependency rows.
Multiple matches	More than one GTM item matches what GSS needs, so GSS cannot tell which one to track.	Choose the intended item from the card's selector. Prefer the item in the GSS workspace unless you intentionally want to adopt an existing equivalent item.
Ignored	You marked the item out of scope. Detection and publish readiness ignore it until you include it again.	Include this item if it should participate. Leave ignored only when you intentionally do not want GSS to manage or require that item.

Couldn’t check GTM items: if the whole step shows this, the item cards are not trustworthy for that render. Click Re-check. If it fails again, reconnect Google access, verify Tag Manager API access to the selected server container/workspace, and confirm the workspace still exists.

Actions on each card ▶

Action	When it appears	What it does
Create	Status is Missing, and the item is editable in the GSS workspace.	Authors a new item with the GSS-managed body. Does not publish the workspace.
Reset	Status is Changed and the tracked item is editable in the GSS workspace.	Overwrites the tracked item with the GSS-managed body. Does not publish the workspace.
Re-check	Always available at the top of this step.	Re-runs detection only — no writes. Use after editing GTM directly so the item cards reflect the current workspace.
Restore	A tracked item has prior saved versions in history.	Rewrites the existing item with a stored historical version. If multiple versions exist, a select appears next to the button. Shows a diff preview before confirm.
Pick a client / Pick a tag / Pick a trigger	Status is Multiple matches.	Pick which existing item GSS should track. After picking, status moves to Ready or Changed depending on the setup.
Ignore this item	Available from the card's More menu unless already ignored.	Marks the item out of scope. Detection becomes a no-op for the item and publish readiness ignores it. Confirms before applying.
Include	Item is currently ignored.	Reverses Ignore. Detection runs again next refresh.

Configure error responses and recovery ▶

Every Step 2 error should map to one of these recovery paths. After any fix, run Re-check; if Step 3 has already been checked, run Check again.

Error or response	Likely cause	What to do
Missing required bindings	The server container, server workspace, or server GA4 property is not available to Configure.	Return to the prior setup pages shown in the message, complete the missing selection, then reload this page and Configure again.
No measurement ID found on server GA4 property	The selected server GA4 property has no usable web data stream, so GSS cannot populate the GA4 Forwarder tag's `measurementId`.	Create or select a web data stream for the server property, run Validate, then Configure here again.
`dependency_failed`	A required item cannot be generated because one of its dependencies is missing, ignored, ambiguous, behavior-changing, or failed to create.	Fix the dependency card first. For GA4 Forwarder: GA4 Client + All Pages trigger + server GA4 binding must all be healthy.
`unhealthy_existing`	Detection found an existing item, but it differs in a way that can affect behavior or matches more than once.	Open the card details. For behavior-changing differences, Configure or Restore the tracked item. For multiple matches, choose the intended matching item first.
GTM create/update raised	The Tag Manager API rejected or failed the write — usually permission, stale workspace state, network failure, or a GTM validation error.	Retry once. If it repeats, confirm your Google account has edit access to the server container/workspace, refresh the workspace in GTM, and check whether another user changed or deleted the target item.
`unhandled_exception`	An unexpected configure failure escaped the modeled error paths. The response includes the exception type and message.	Retry once. If it repeats, keep the internal key and message from the error response and check the server logs for the captured traceback.

4 Check GTM items and server-side install

This step (visible marker 4 on the app page; anchored as #step-3) does not write GTM items. The single button is labeled Check. Clicking it re-runs detection against the selected workspace and (on first-party loader) probes your tagging endpoint to verify install details that GTM-item detection cannot prove from the GTM API alone.

Read the structural checks in two groups:

Loader endpoint check (3.1) — only on First-party loader. GSS fetches your tagging server's /gtm.js endpoint and confirms it serves valid JavaScript. Renders pass with the message N/A — standard loader profile. on Standard, with no fetch made.
Workspace-API checks (3.2–3.7) — GSS calls the Tag Manager API against the selected workspace draft, not the published container. These pass right after the previous step’s Create / Reset actions run, even if you have not published yet — that is intentional.

Loader endpoint check (3.1)

3.1First-party /gtm.js endpoint returns valid JS

Only applies when the First-party loader profile is selected. Your tagging domain's /gtm.js endpoint must return valid JavaScript so the browser can fetch the GTM web container loader from your custom domain instead of googletagmanager.com.

Where to check: Open https://your-tagging-domain/gtm.js?id=GTM-XXXXXXX in a browser. It should return JavaScript, not an error page.

Fix: Confirm the Web Container Client item is configured (Step 2) and that your Cloud Run tagging service has been deployed with first-party loader support enabled.

Deep dive ▶

What it checks. A GET request to https://{your-tagging-domain}/gtm.js?id={publicId} returns HTTP 200 and a body that contains the substring function (a coarse "looks like JavaScript" signal).

How GSS performs the check. Reuses the same HTTP fetch infrastructure as the web container's page-install checks: 10-second timeout, follows redirects, default httpx user-agent, no JS execution. The publicId comes from the bound gtm_web_container binding's metadata.

What counts as pass. HTTP 200 status AND body contains function. The check is gated on profile == first_party_loader — Standard profile projects show this check as pass with the message "N/A — standard loader profile." and no fetch is made.

Why it might fail. The server_custom_domain config is empty (returns needs_config). The web container's publicId binding is missing (also needs_config). The endpoint returns 4xx/5xx (Cloud Run not deployed, or routing not configured). Cloud Run service deployed but first-party loader support not enabled. SSL handshake fails (returned body is empty, check fails silently).

How to recover. Confirm the tagging endpoint custom domain is set on Tagging Endpoint and resolves correctly. Confirm the Web Container Client item in Step 2 is configured. If both are healthy and the check still fails, the Cloud Run image needs first-party loader enabled — check the deployment configuration.

Workspace-API checks (3.2–3.7)

3.2GA4 client is enabled in the server workspace

A GA4 client must exist in the server workspace. Without one, no incoming requests get claimed and the rest of the server pipeline never fires.

Where to check: GTM → server container workspace → Clients. Look for any client whose type is GA4.

Fix: Configure the GA4 client item in Step 2, or create the client manually in GTM (Clients → New → Google Analytics: GA4).

Deep dive ▶

What it checks. At least one client in the server workspace whose type (lowercased) contains ga4 or gaaw.

How GSS performs the check. Calls tagmanager.googleapis.com/.../workspaces/{id}/clients against the unpublished workspace draft. Iterates all clients, returns the first one matching the type predicate.

What counts as pass. Any GA4 client found. Type match, not name match — a client called my custom GA4 receiver with the right type still passes.

Why it might fail. Client was deleted or its type was changed. The bound workspace was deleted or moved (the API call errors). Workspace binding missing — all workspace-API checks return needs_config.

How to recover. Step 2 Configure on the GA4 client item; or create one manually in GTM. New server containers ship with this client by default, so finding it Missing is unusual.

3.3GA4 client uses default claim paths

The GA4 client must claim requests on the default GA4 paths (/g/collect, /mp/collect). Custom paths break the connection between the web container's outgoing requests and the server container's incoming claim logic.

Where to check: GTM → server container workspace → Clients → open the GA4 client. Confirm Request Path is left at the default (no custom path overrides).

Fix: Edit the client and clear any custom path overrides. The default activate-paths setting is what Step 2 writes.

Deep dive ▶

What it checks. The detected GA4 client's activateDefaultPaths parameter is "true" or absent, AND no customPaths or defaultPathsOverride parameter is set. Explicit "false" on activate-paths is a fail.

How GSS performs the check. Inspects the same client object found by 3.2 — no additional API calls. Reads three parameter keys and combines them into a single pass/fail.

What counts as pass. Default path activation enabled with no overrides. The check is permissive of an absent activateDefaultPaths field — many older clients omit it and rely on the GTM-server default.

Why it might fail. Someone explicitly disabled activate-paths and added custom paths. The GA4 client check failed first (no client → this check emits "No GA4 client found.").

How to recover. Open the client in GTM, remove any custom path overrides, leave activate-paths enabled (default state). Save the workspace and re-run Check.

3.4GA4 Forwarder tag exists and references the server measurement ID

A server-side GA4 Forwarder tag must exist that references the server property's measurement ID. Without it, claimed requests are not forwarded to the server GA4 property.

Where to check: GTM → server container workspace → Tags. Look for a sgtmgaaw tag whose Measurement ID is the server property's MID.

Fix: Configure the GA4 Forwarder tag item in Step 2.

Deep dive ▶

What it checks. A tag of type sgtmgaaw exists whose measurementId parameter resolves to the server measurement ID. Variable references are resolved one level. (googtag is a web-only tag type; gaawe is a web-only built-in template — both are rejected by server containers.)

How GSS performs the check. Calls tagmanager.googleapis.com/.../workspaces/{id}/tags + variables.list in the same Check run. server_mid is resolved from ga4_stream_server (preferred) or ga4_property_server bindings.

What counts as pass. Any matching sgtmgaaw tag. Tag name is irrelevant; the match is on tag type AND the measurementId parameter equaling the expected MID.

Why it might fail. needs_config when server_mid is unresolvable (no GA4 server property/stream bound — usually after a Tier 2 cascade). fail when the tag exists but references a different MID, or when no sgtmgaaw tag exists at all. The check evidence includes has_forwarder_candidate — true when a GA4 tag exists with some MID, just not the right one.

How to recover. If needs_config: GA Properties page → confirm + Validate the server property → return here. If fail with a wrong MID: Step 2 Configure on the GA4 Forwarder item writes the GSS-managed version.

3.5GA4 Forwarder tag fires on an always-type trigger

The GA4 Forwarder tag must fire on an always-type trigger (the server-container "fire on every event" trigger type). This is what the GSS-managed All Pages trigger provides. GTM rejects pageview triggers in server containers — always is the correct server-side equivalent.

Where to check: GTM → server container workspace → Tags → open the GA4 Forwarder → Triggering. Confirm the firing trigger is the All Pages trigger (type=always, no filters).

Fix: Configure the item in Step 2 to attach the GSS-managed All Pages trigger.

Deep dive ▶

What it checks. Every firing trigger on the GA4 Forwarder tag is of type always or no firing triggers are attached (interpreted as "fires on everything — acceptable"). A pageview-type trigger would indicate the wrong trigger type was used; GTM rejects it in server containers anyway.

How GSS performs the check. Reuses the GA4 Forwarder tag found by 3.4 plus the trigger list fetched in the same Check run. Inspects each firingTriggerId, looks up the trigger object, and checks its type.

What counts as pass. All firing triggers are always type, OR no firing triggers are attached. The GSS-managed All Pages trigger has type=always and no filter conditions.

Why it might fail. A wrong trigger type is attached to the tag, or the trigger was deleted after the tag was configured. blocked when the GA4 Forwarder check (3.4) failed but server_mid is known. needs_config when server_mid is missing.

How to recover. Step 2 Configure on the GA4 Forwarder item to set the GSS-managed All Pages trigger. If 3.4 is blocked-upstream, fix that first.

3.6IP address is not redacted before forwarding

The GA4 Forwarder tag must not redact IP addresses before sending events to the server GA4 property. Redacting removes geo-location accuracy from the server property, which makes the parity comparison with the browser property less meaningful.

Where to check: GTM → server container workspace → Tags → open the GA4 Forwarder tag. Look for an IP Redaction setting and confirm it is off.

Fix: Edit the tag and turn off IP redaction.

Deep dive ▶

What it checks. The GA4 Forwarder tag's redactVisitorIp parameter is NOT set to "true". Absent or "false" both pass.

How GSS performs the check. Inspects the tag object already fetched in 3.4. Reads one parameter key.

What counts as pass. Redaction explicitly off, or the parameter not present at all (default state).

Why it might fail. Someone enabled IP redaction in the GTM UI for compliance reasons. blocked/needs_config follows the same upstream cascade as 3.5.

How to recover. Open the tag, set the IP redaction toggle to off (or remove the override), save the workspace. If your compliance posture requires redaction, you'll have to accept the trade-off in geo accuracy on the server property.

3.7All default event parameters are included in forwarded hits

The GA4 Forwarder tag must include all default event parameters in the events it forwards. Stripping or filtering parameters means the server GA4 property receives incomplete data, which undermines the parity comparison with the browser property.

Where to check: GTM → server container workspace → Tags → open the GA4 Forwarder tag. Under Event Parameters, verify nothing is being filtered out.

Fix: Edit the tag and set the include-parameters dropdown to All (the GSS-managed state).

Deep dive ▶

What it checks. The GA4 Forwarder tag's epToIncludeDropdown parameter is "all" or absent. Any other value (e.g. "selected") is a fail because it means parameters are being filtered.

How GSS performs the check. Inspects the tag object from 3.4. Reads one parameter key.

What counts as pass. Include-all parameters mode, or the parameter absent (default state).

Why it might fail. Someone changed the dropdown to a restricted mode in the GTM UI. blocked/needs_config follows the same upstream cascade as 3.5/3.6.

How to recover. Reset the include-parameters mode back to All. If you genuinely want to filter parameters for cost or compliance reasons, accept that this check will fail and that the server property will be a strict subset of what the browser property captures.

5 Confirm each runtime check after Tag Assistant

This step (visible marker 5 on the app page; anchored as #step-4) is attestation, not auto-detection. GSS cannot drive your browser or your GA4 DebugView, so you open them yourself, observe each runtime behavior, tick the Confirm checkbox on each row, and click Save at the bottom to commit the full set in one POST. Unchecking a previously-confirmed row before Save surfaces a warning that you will need to re-confirm before this step passes.

Why you do this manually

GTM server Preview runs in your authenticated GTM session against an unpublished workspace, and GA4 DebugView shows events under your authenticated GA4 session. GSS cannot impersonate either session — only the human in the browser sees what claims, what fires, and what lands. The runtime checks here exist to prove the workspace draft actually behaves the way the previous two steps describe before you publish.

Toggling a checkbox is local until you click Save — the persisted label flips to Confirmed at {timestamp} only after the bulk save commits.

How to open server Preview + GA4 DebugView

In GTM, open the selected server container and switch into the workspace shown in the decision record.
Click Preview (top-right). A new tab opens showing the server Preview console.
Open your site in a separate browser tab — the test forwarder from the web container will start sending traffic to the tagging endpoint within seconds.
For GA4 DebugView: open the GA4 Admin section for your server property and navigate to DebugView. Events should appear within a few seconds of activity on the site.

If the server preview console stays empty: verify the web container's Test Forwarder is actually firing (see web container Step 3.1) and that requests are reaching your tagging domain (browser DevTools → Network → look for requests to your custom domain).

4.1GA4 client claims incoming requests in preview mode

In the server Preview console, requests from your site should appear under the GA4 client in the Clients Claimed column. If they appear as Unclaimed, the client is not intercepting them.

In the app: tick this row’s Confirm checkbox once you see at least one request claimed, then click Save at the bottom of the step. To re-verify, untick the row and Save again.

If they appear Unclaimed: verify the GA4 client is enabled (Step 3.2), uses default paths (Step 3.3), and that the request URL matches one of those paths (/g/collect or /mp/collect).

4.2GA4 Forwarder tag fires on each claimed event

In the server Preview console, select a claimed event and check the Tags Fired list. The GA4 Forwarder tag should appear there for every claimed event.

In the app: tick this row’s Confirm checkbox after you see the tag in Tags Fired for at least one event, then click Save.

If the tag does not fire: the firing trigger may not be set to always type, or the tag is paused. Check the trigger configuration (Step 3.5) and confirm the tag is unpaused in GTM.

4.3page_location parameter is the site URL, not the tagging domain

In the server Preview console, open the Tags Fired entry for the GA4 Forwarder tag and inspect the event parameters. The page_location parameter should be a URL on your site domain (e.g. https://example.com/path), not the tagging server domain.

In the app: tick this row’s Confirm checkbox after verifying page_location looks correct on at least one fired event, then click Save.

If page_location shows the tagging domain: the web container's Test Forwarder is sending the wrong value, or a server-side override is rewriting it. Check the Test Forwarder configuration in the web container.

4.4Events appear in the server GA4 DebugView

Events forwarded by the server container must appear in the server GA4 property's DebugView (not the browser property's), confirming the full flow from web container → server container → GA4.

In the app: tick this row’s Confirm checkbox after observing events in the server property's DebugView, then click Save.

If events do not appear: verify the server property's measurement ID is the one configured in the GA4 Forwarder tag (Step 3.4); confirm the server GA4 property has DebugView enabled (it auto-enables when GTM Preview is active for a connected session).

Common errors & failure modes

Cross-cutting failures that don't sit on a single GTM item card. If a card shows a specific error message, look at the item's If it needs attention field and Deep dive in Step 2.b first; the symptoms below are the page-level patterns.

Symptom	Likely cause	Where to fix
Workspace / container mismatch
Required GTM items all show Missing immediately after binding the server container	The server container has no All Pages trigger or GA4 Forwarder tag yet (fresh container). GTM auto-provisions a GA4 client but nothing else.	Step 2 Configure on each item in turn — most items are existence-only and create cleanly.
Step 3 verified, Step 4 preview console stays empty	The web container's Test Forwarder is not actually sending traffic to the tagging endpoint, or you are previewing the wrong workspace.	Verify web container Step 3.1; confirm the server Preview is connected to the workspace shown in the decision record.
Cascade after upstream changes
GA4 Forwarder tag flips to `dependency_failed` after changing the GTM web container or Discover selections	The Tier 2 cascade clears `ga4_stream_server`, `ga4_property_server`, and the server workspace bindings. Re-saving GA Properties restores the GA4 bindings; re-binding the server container restores the workspace.	GA Properties → re-save server property → Validate. Then return here and Configure.
GA4 Forwarder tag fails with "cannot generate without resolved prerequisites"	Server MID is unresolvable — usually the server GA4 stream or property binding is missing.	GA Properties → save the server GA4 property → run Validate so the stream binding lands. Then Configure here.
First-party loader specific
3.1 fails with non-200 or missing JS body	Cloud Run service not deployed with first-party loader support, or the custom domain is not routing requests to it. Web Container Client item missing or unhealthy.	Confirm Web Container Client item is configured in Step 2; confirm the tagging endpoint custom domain resolves; check Cloud Run deployment.
3.1 shows N/A and Web Container Client item does not appear	Loader profile is set to Standard. This is correct behavior — neither the item nor the check applies on Standard.	Nothing to fix. If you intended to use first-party loader, change the profile in the How GTM is loaded step above.
Workspace state changes
Step 2 Ready, Step 3 fails right after Configure	Workspace was edited externally between Configure and Check, or workspace state changed underneath GSS.	Re-run Step 2 Re-check, then Step 3 Check again.
Item card shows `Multiple matches`	More than one GTM item matches what GSS needs — usually multiple `sgtmgaaw` tags with the right MID, or multiple unfiltered `always` triggers.	Open the card, choose the intended item from the selector. Prefer the one in the GSS workspace.
Configure fails with "Selected item is not editable in the GSS workspace"	The matched item lives in live state or another workspace; GSS cannot write through it.	Create or select a workspace item (or let Configure create one when the required item is missing); then Re-check.
Preview & runtime
4.1 shows requests as Unclaimed	GA4 client is disabled, has custom paths that don't match incoming requests, or the requests aren't really reaching the server (DNS / Cloud Run misconfiguration).	Re-run Step 3.2 + 3.3; verify requests are actually arriving at your custom domain in browser DevTools.
4.2 claimed events appear but no tags fire	Tag is paused, or the All Pages trigger is missing or is not `always` type.	Confirm the GA4 Forwarder tag is unpaused; verify the trigger in Step 3.5 is the GSS All Pages trigger (`type=always`, no filters).
4.4 tags fire but no events in DebugView	DebugView is open on the wrong property (browser instead of server), or measurement ID mismatch on the GA4 Forwarder tag (sending to a different property than the one you're watching).	Verify which property's DebugView you have open; confirm the GA4 Forwarder tag's MID matches that property; allow a few seconds for ingestion.

Next step

Once the GTM items step is Ready, the configuration checks are verified, AND the runtime attestations are saved, the bottom nav opens Verify wiring in Preview — the optional cross-container probe. Preview Test sits between this page and Publish — Review staged setup.