The Server-Side Tracking Audit Checklist

Custom Domain is Configured

Your server container must be running on a first-party subdomain (e.g., tracking.your-site.com). This is essential for bypassing ITP and ad blockers.

DNS Records are Correct

The A/AAAA records for your custom subdomain are correctly pointing to your server's IP address (OATS provides this for you).

Dual GTM Preview Mode is Enabled

Open GTM Preview for *both* your client-side container and your server-side container. You will need to debug both simultaneously.

GA4 Client is Claiming Requests

In the server-side GTM Preview, confirm the "GA4" client is "claiming" incoming requests from your website. If not, your client-side GA4 tag is misconfigured.

Validate Key Conversion Events

Trigger a test purchase or lead event. Check sGTM Preview to see it arrive with all parameters (value, currency, transaction_id).

Validate User Identifiers

Ensure a stable user_id (if logged in) and session_id are being passed with every event. This is crucial for attribution.

Test OATS UTM/Click ID Keeper

Visit your site from a test URL (e.g., ?utm_source=test&gclid=test12345). Navigate to another page, then check the sGTM Preview to see if gclid and utm_source are persisting and being attached to events.

Meta CAPI: Deduplication is Working

In sGTM Preview, confirm your Meta CAPI tag is sending a unique event_id. Then, check Meta Events Manager to see if server events are being received and "Deduplicated" against your client-side pixel events.

Meta CAPI: User Parameters are Hashed

Check the *outgoing* HTTP request for your Meta CAPI tag. Confirm that em (email) and ph (phone) values are long, hashed strings (SHA-256), not plain text.

Google Ads: Server-Side Conversion Linker Firing

Confirm you have a server-side "Conversion Linker" tag and that it is firing on all pages *before* your Google Ads conversion tags.

GA4: Real-Time Report is Populating

Open your GA4 property's "Real-Time" report. As you navigate your site in Preview mode, you should see your events and their parameters (like page_title) appearing correctly.

Consent Mode is Respected

Use your browser's dev tools to simulate "denying" consent (e.g., in your Cookie Banner). Check sGTM Preview to confirm that tags requiring ad_storage (like Meta CAPI) are *not* firing.

IP Addresses are Anonymized for Google

In the sGTM Preview, inspect the *outgoing* request to Google Analytics. Confirm that the &ip= parameter is *not* present or is set to "Redacted" by your GA4 tag.

No Plain-Text PII is Leaking

Check the *incoming* request in sGTM Preview. Look at all parameters (especially URL queries) to ensure no plain-text PII (like [email protected]) is being accidentally collected and sent to your server.