Integration Guide

Google Tag Manager Integration

A technical brief for Marketing Ops, InfoSec, and DPO teams. This document explains exactly what Pipelit accesses, how the connection works, and what we do not touch.
Overview

Scanner Pro connects to your Google Tag Manager via OAuth 2.0 with the tagmanager.readonly scope. This is the most restrictive GTM scope available — it allows reading container configuration but cannot modify, create, or delete anything.

The integration serves one purpose: to compare what is configured in your GTM against what actually fires on your website. This comparison reveals misconfigured consent settings, tags that bypass consent mode, and gaps between intent and reality.

How the connection works
1. You initiate the connection
   In Scanner Pro, go to Integrations → Google Tag Manager → Connect. This opens the standard Google OAuth consent screen.

2. Google authenticates you
   You sign in with your Google account that has GTM access. Google shows you exactly what Pipelit is requesting: "View your Google Tag Manager containers and their versions."

3. You select a container
   Pipelit discovers your GTM accounts and containers. You choose which container to connect. Only that container is accessible.

4. Pipelit reads tag configuration
   We read the list of tags, their types, trigger rules, and consent settings. This data is used to compare against scan results.

What Pipelit can see

| Data | Example | Why we need it |
| --- | --- | --- |
| Tag names | "GA4 Configuration" | Identify which tools are installed |
| Tag types | "Google Analytics: GA4 Configuration" | Classify by category (analytics, advertising, etc.) |
| Trigger rules | "All Pages", "consent_granted_analytics" | Check if tags fire before or after consent |
| Consent settings | "Requires analytics_storage = granted" | Verify Consent Mode V2 is properly configured |
| Container ID | "GTM-XXXXX" | Identify the container |
| Workspace name | "Default Workspace" | Read from the correct workspace |

What Pipelit cannot see or do
OAuth technical details

// OAuth scope requested
scope: "https://www.googleapis.com/auth/tagmanager.readonly"

// Redirect URI
redirect_uri: "https://pipelit-backend-production.up.railway.app/api/auth/google/callback"

// Token handling
- Access tokens expire after 1 hour
- Refresh tokens are stored encrypted
- Tokens are revoked immediately on disconnect

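
As an added example (not Pipelit's code), a reviewer can check that the consent-screen URL and an issued token match the scope, redirect URI and lifetime stated above. The function names, the placeholder client_id and the sample inputs are assumptions constructed here; the token dictionary mirrors the `scope` and `expires_in` fields returned by Google's tokeninfo endpoint.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Values documented on this page.
READONLY_SCOPE = "https://www.googleapis.com/auth/tagmanager.readonly"
REDIRECT_URI = "https://pipelit-backend-production.up.railway.app/api/auth/google/callback"
MAX_TOKEN_LIFETIME = 3600  # "Access tokens expire after 1 hour"

def scope_findings(scope_string, label):
    """Flag a missing read-only scope and any scope beyond the documented one."""
    scopes = set(scope_string.split())
    findings = [] if READONLY_SCOPE in scopes else [f"{label}: read-only GTM scope missing"]
    findings += [f"{label}: undocumented scope {s}" for s in sorted(scopes - {READONLY_SCOPE})]
    return findings

def audit_authorization_url(url):
    """Audit the consent-screen URL the browser is sent to; an empty list means it matches."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    findings = []
    if parts.scheme != "https" or parts.hostname != "accounts.google.com":
        findings.append(f"auth request: unexpected host {parts.hostname}")
    findings += scope_findings(" ".join(params.get("scope", [])), "auth request")
    redirect = params.get("redirect_uri", [""])[0]
    if redirect != REDIRECT_URI:
        findings.append(f"auth request: redirect_uri is {redirect!r}")
    return findings

def audit_tokeninfo(info):
    """Audit a tokeninfo-style JSON object describing an issued access token."""
    findings = scope_findings(info.get("scope", ""), "token")
    if int(info.get("expires_in", 0)) > MAX_TOKEN_LIFETIME:
        findings.append("token: lifetime exceeds 1 hour")
    return findings

def sample_url(scopes, redirect=REDIRECT_URI):
    """Build a constructed authorization URL; client_id is a placeholder."""
    query = urlencode({"client_id": "EXAMPLE_CLIENT_ID", "response_type": "code",
                       "scope": " ".join(scopes), "redirect_uri": redirect})
    return "https://accounts.google.com/o/oauth2/v2/auth?" + query

# Constructed samples: one matching the page, one requesting a write scope.
GOOD_URL = sample_url([READONLY_SCOPE])
BAD_URL = sample_url([READONLY_SCOPE, "https://www.googleapis.com/auth/tagmanager.edit.containers"],
                     redirect="https://example.invalid/callback")
GOOD_TOKEN = {"scope": READONLY_SCOPE, "expires_in": "3599"}

if __name__ == "__main__":
    for name, result in [("good url", audit_authorization_url(GOOD_URL)),
                         ("bad url", audit_authorization_url(BAD_URL)),
                         ("good token", audit_tokeninfo(GOOD_TOKEN))]:
        print(name, "->", result or "matches the documented configuration")
```
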
Revoking access

You can disconnect GTM from Pipelit at any time:

For your InfoSec team

If your security team needs to approve this integration, here's a summary they can use:

Vendor: Pipelit Ltd (UK)
Integration: Google Tag Manager (read-only)
OAuth scope: tagmanager.readonly
Data accessed: Tag configuration, trigger rules, consent settings
Data NOT accessed: Analytics data, visitor PII, conversion data, any other Google service
Write access: None
Token storage: Encrypted, server-side, auto-expire
Revocation: Immediate via app or Google account settings
DPA: Available at pipelit.co.uk/dpa
Security overview: pipelit.co.uk/security
Contact: lalarukh@pipelit.co.uk

Questions about the integration?

Happy to schedule a call with your technical team or complete your vendor assessment form.
