Skip to main
← All articles

Server-Side Tracking: The Complete Guide (2026)

What server-side tracking is, why it became essential, how it actually works, and how to deploy it without sGTM or a single line of code.

· 9 min read · The Walityk Team

If you run an online store, you have probably seen the gap: Shopify says you made 100 sales, Meta Ads counts 62, Google Ads 71, and nobody agrees. That gap has a name — tracking data loss — and the modern answer is called server-side tracking.

This guide explains what it is, why it became unavoidable in 2026, how it actually works, and how to deploy it without standing up complex infrastructure.

Browser-side tracking no longer cuts it

For years, everything relied on client-side pixels: a snippet of JavaScript (Meta Pixel, Google gtag, TikTok pixel) loaded in the visitor’s browser, sending events straight to the ad platforms.

That model is collapsing for four reasons:

  • ITP (Intelligent Tracking Prevention) on Safari caps first-party cookies to 7 days and drops third-party cookies. On iOS, that’s most of your mobile traffic.
  • Ad blockers flat-out block requests to facebook.com, google-analytics.com, and so on — between 20% and 40% of visitors depending on your audience.
  • Consent banners (CMPs) block scripts until consent is granted, and many scripts never reload properly afterward.
  • Browsers themselves (Brave, Firefox, soon Chrome) keep tightening privacy protections.

The result: a meaningful share of your conversions never reaches the ad algorithms. And an algorithm optimizing on partial data burns your budget.

What server-side tracking is

The principle is simple: instead of sending events from the browser straight to Meta/Google, you send them first to your own server (a first-party domain you control), which then relays them to the platforms through their server-side APIs:

  • Meta → Conversions API (CAPI)
  • Google Ads → Enhanced Conversions
  • GA4 → Measurement Protocol
  • TikTok → Events API
  • Pinterest / LinkedIn → Conversions API

The flow becomes: Browser → your first-party endpoint → platform server APIs.

Why it changes everything

  • Ad-blocker resistant: the request goes to your domain, not facebook.com. Blockers don’t see it.
  • Server-set first-party cookies: set by your server, they escape the 7-day ITP cap.
  • Enriched data: server-side you can attach reliable information (order value, hashed email) the browser doesn’t always have.
  • Control and compliance: you decide exactly which data leaves, after hashing and minimization.

The catch: it’s hard to set up

The classic method runs through a server-side Google Tag Manager (sGTM) hosted on Google Cloud Run. In practice you must:

  1. Provision an sGTM container on Cloud Run (and pay for hosting).
  2. Configure a CNAME subdomain (metrics.yourstore.com) with the right DNS records.
  3. Wire each server tag (CAPI, Enhanced Conversions, Events API) with the correct clients and triggers.
  4. Handle PII hashing (SHA-256), event_id deduplication, fbp/fbc, and retries.
  5. Wire up Consent Mode v2 to stay GDPR-compliant.
  6. Have the setup reviewed by a DPO or a lawyer.

That’s several weeks of work for a senior developer, plus ongoing maintenance. Most small and mid-sized merchants give up along the way.

The no-code approach

This is exactly the problem Walityk solves. Instead of building infrastructure, you:

  1. Install the native Shopify app (or the WordPress plugin).
  2. Connect your destinations (GA4, Meta, Google Ads, TikTok, Pinterest, LinkedIn) via OAuth or a simple token paste.
  3. That’s it — your events flow server-side, deduplicated and hashed.

No CNAME, no DNS, no Cloud Run, no HTTP headers. The first-party endpoint, deduplication, Consent Mode v2, and PII hashing are handled for you. See the Shopify install.

Best practices to know

Even with a tool that automates everything, a few principles still matter:

  • Deduplication: if you keep a browser pixel in addition to server-side, both must send the same event_id or you count each conversion twice. (Walityk bridges this automatically.)
  • PII hashing: emails and phone numbers must leave hashed in SHA-256 — never in clear text.
  • Consent Mode v2: without correct consent signals, Google degrades your conversion modeling.
  • Match quality: the more reliable parameters you send (hashed email, IP, user agent), the better the platform-side match rate.

Should you make the move?

If you spend on Meta, Google, or TikTok ads and your traffic is mostly mobile (so Safari/iOS), the answer is yes. The gap between what you sell and what your platforms see translates directly into wasted budget.

The real question is no longer “server-side or not,” but “in-house infrastructure or managed solution.” If you don’t have a dedicated data team, a no-code solution saves you weeks.

To go further, read our documentation or see how Walityk installs in under 5 minutes.