Google Tag Gateway for Advertisers: First-Party Measurement Without the Limitations
If you’ve been paying attention to the tracking and measurement space over the last few years, one theme has dominated: the slow but steady erosion of third-party data collection. Browser restrictions, ad blockers, consent friction, ITP — they all chip away at your ability to reliably measure what’s happening on your site. Google’s answer to this, at least for its own tags, is the Google tag gateway for advertisers.
This post covers what it is, the two main ways to set it up, and how we’ve been using the manual approach to get clients there without requiring Cloudflare.
What Is Google Tag Gateway for Advertisers?
In a standard Google tag setup, your page requests the tag script directly from a Google domain (e.g. www.googletagmanager.com). When it fires, measurement data gets sent back to Google. Both the script load and the outbound hit are third-party by nature — they cross domain boundaries — which makes them vulnerable to blocking.
Google tag gateway changes that architecture. It lets you deploy your Google tag or GTM container using your own first-party infrastructure, served from your own domain. Your website loads the tag from your domain, and measurement requests are sent back to Google via your domain as a proxy. From the browser’s perspective, both the script load and the measurement hit look like first-party traffic.
The practical benefits are meaningful:
- Better measurement durability — first-party requests are far less likely to be blocked by browsers or extensions
- Conversion uplift — more complete measurement typically means better bidding signals and improved Google Ads performance
- Reduced third-party surface area — useful from a privacy and Consent Mode perspective
- Tag loaded at the top of `<head>` — the gateway places your tag before other scripts, which can improve tag reliability
The Two Setup Paths
Google offers two approaches: an automated Cloudflare setup and a manual CDN/load balancer setup. Which one you use depends on your infrastructure.
Automated Setup (Cloudflare)
If your site is already proxied through Cloudflare, this is the fastest path. The automated setup connects directly to your Cloudflare account from within Google Tag Manager, deploys a Worker, and configures everything on your behalf in a few clicks.
How it works:
- In GTM (or your Google tag screen), go to Admin → Google tag gateway
- Choose a measurement path — a unique path on your domain that won’t conflict with existing routes (e.g. /metrics or a random alphanumeric string like /abjfo/)
- Click Sign into Cloudflare and authorise access
- Review your domains and click Complete setup
That’s it. Google deploys a Cloudflare Worker that intercepts requests to your chosen path and proxies them through to Google’s infrastructure, while passing along the necessary geolocation headers.
One important caveat: the automated setup only supports one tag per domain. If you need multiple GTM containers or standalone tags on the same domain, you’ll need to use the manual Cloudflare setup instead.
Verify it’s working by opening Tag Assistant, triggering some events, and checking that hits in Summary → Output → Hits Sent are being routed to your measurement path rather than directly to www.googletagmanager.com.
Manual Setup (Any CDN or Load Balancer)
The manual setup is more involved, but it works with any CDN or load balancer — Cloudflare (including non-Enterprise), Google Cloud, Amazon CloudFront, Akamai, Fastly, or your own nginx/Caddy setup. This is the path we use for clients who aren’t on Cloudflare or who want more control over the configuration.
The core concept is the same: you need to route traffic from a reserved path on your domain to the Google tag gateway endpoint ({TAG-ID}.fps.goog), overriding the Host header to match that endpoint and including geolocation information so Google can serve appropriate regional content.
Step 1: Choose your measurement path
Pick a path that isn’t already in use on your domain. For a GTM container, you only need one path for the container — all tags inside it (Google Ads, GA4, etc.) are handled by that single setup.
| Setup | ID | Serving path | Origin endpoint |
|---|---|---|---|
| GTM Container | GTM-ABCDEF | /gtm/ | gtm-abcdef.fps.goog/gtm/ |
| Standalone tag | G-12345 | /metrics/ | g-12345.fps.goog/metrics/ |
Step 2: Route traffic at your CDN or load balancer
For any CDN/load balancer setup, the requirements are the same:
- Add a backend/origin pointing to {TAG-ID}.fps.goog
- Override the Host header to {TAG-ID}.fps.goog
- Allow all cookies and query strings to be forwarded
- Pass visitor geolocation via headers:
  - X-Forwarded-CountryRegion (ISO 3166-2 combined code, e.g. GB-ENG), or X-Forwarded-Country + X-Forwarded-Region separately
- Add a path rule routing /metrics/* to that backend, with higher priority than your default rule
For Google Cloud Load Balancer, you create an Internet NEG pointing at the fps.goog endpoint, add the custom request headers in the backend configuration, and add a host/path routing rule.
For Cloudflare (manual/Enterprise), you add a CNAME record pointing at the fps.goog endpoint, create an Origin Rule to match your measurement path and override the host, then enable Add visitor location headers in Rules → Settings.
For Amazon CloudFront, you add the fps.goog domain as an origin, create a Behavior for your measurement path with caching disabled and AllViewerExceptHostHeader forwarding, and ensure the behavior has higher precedence than your default.
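The Step 2 requirements written as a request-rewriting function, the logic an edge worker or custom proxy would apply before sending the request upstream. This is an added example, not code from Google or from the original post; `buildUpstreamRequest`, its argument shapes and the `geo` lookup result are hypothetical, and the tag ID and path are the sample values used in this post's snippets.

```javascript
// Added example: the Step 2 routing rules as a pure function.
// buildUpstreamRequest and its argument shapes are hypothetical.
const TAG_ID = 'gtm-abcdef';           // sample container ID from this post
const MEASUREMENT_PATH = '/metrics/';  // sample measurement path from this post
const UPSTREAM_HOST = `${TAG_ID}.fps.goog`;

// Geolocation headers are set from the proxy's own lookup, so any copy
// supplied by the client is dropped before forwarding.
const GEO_HEADERS = ['x-forwarded-country', 'x-forwarded-region',
                     'x-forwarded-countryregion'];

function buildUpstreamRequest(req, geo) {
  // req: { url: absolute URL string, headers: plain object }
  // geo: { country: 'GB', region: 'ENG' } from the CDN or GeoIP lookup, or null
  const incoming = new URL(req.url);

  // Only the reserved path is proxied. URL parsing has already collapsed
  // "../" segments, so the prefix check runs on the normalized path.
  if (!incoming.pathname.startsWith(MEASUREMENT_PATH)) return null;

  // Path and query string are kept intact; only scheme and host change.
  const url = `https://${UPSTREAM_HOST}${incoming.pathname}${incoming.search}`;

  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    const key = name.toLowerCase();
    if (key === 'host' || GEO_HEADERS.includes(key)) continue; // replaced below
    headers[key] = value; // cookies and all other headers pass through
  }
  headers['host'] = UPSTREAM_HOST; // Host override required by the gateway

  if (geo && geo.country && geo.region) {
    // Combined ISO 3166-2 form, e.g. GB-ENG
    headers['x-forwarded-countryregion'] = `${geo.country}-${geo.region}`;
  } else if (geo && geo.country) {
    // Region unknown: send the country in the separate-header form
    headers['x-forwarded-country'] = geo.country;
  }
  return { url, headers };
}
```

Because the measurement path is same-origin, the browser attaches every cookie whose domain and path match it, and the pass-through above forwards those cookies to the fps.goog endpoint as the setup requires.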
Verify the setup by navigating to:
- https://yourdomain.com/metrics/healthy — should return ok
- https://yourdomain.com/metrics/?validate_geo=healthy — should return ok (confirms geolocation headers are being forwarded correctly)
Step 3: Update your tag snippet
Replace your standard GTM snippet with a path-relative version:
```html
<!-- Google Tag Manager (via tag gateway) -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='/metrics/?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-ABCDEF');</script>
<!-- End Google Tag Manager -->
```
Or for a standalone gtag:
```html
<!-- Google tag (gtag.js) via tag gateway -->
<script async src="/metrics/"></script>
```
How We Use Manual Setup via Server-Side GTM Deployments
The Cloudflare automated setup is great if it applies, but a significant portion of clients we work with aren’t on Cloudflare — they’re on shared hosting, managed WordPress, or stacks where they don’t have meaningful control over CDN or load balancer configuration.
Our workaround has been to use existing server-side GTM infrastructure to fulfil the gateway routing requirement. Where we’ve already deployed a server-side GTM container on a client’s subdomain (e.g. sst.theirdomain.com), we can use that container’s reverse proxy capabilities — or the underlying stack (typically Stape, or our own Docker/Traefik setup on a VPS) — to handle the path routing and header forwarding that the manual gateway setup requires.
In practice this means:
- The sGTM container or Traefik config handles routing requests from theirdomain.com/metrics/* to gtm-ABCDEF.fps.goog
- The reverse proxy forwards the host header correctly and passes geolocation information
- The client gets the first-party measurement benefits of tag gateway without needing to move to Cloudflare or stand up a separate CDN
This pairs well with the broader server-side tagging setup — you get first-party script serving via the gateway and server-side event processing in the same deployment. For clients already running server-side GTM, adding tag gateway via the manual path is relatively low-effort and makes the overall measurement stack significantly more resilient.
It’s worth noting this does require some infrastructure access to configure correctly, and it’s not a one-size-fits-all solution — but for B2B clients with meaningful Google Ads spend where every conversion counts, the incremental setup effort is well worth it.
Should You Implement It?
If you’re running Google Ads or GA4 and care about measurement quality, the answer is almost certainly yes. The automated setup takes minutes if you’re on Cloudflare. The manual setup takes more effort but is achievable on virtually any modern hosting stack.
The tag gateway doesn’t replace server-side tagging — they’re complementary. Gateway handles script serving in a first-party context; server-side tagging handles event processing server-side. For the most durable measurement setup, Google recommends combining both.
If you’re not sure which approach makes sense for your infrastructure, get in touch — it’s something we set up regularly for clients across a range of stacks.