Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"gtm-ga4": {
"env": {
"GTM_ACCOUNT_ID": "1234567890",
"GA4_PROPERTY_ID": "331956119",
"GTM_CONTAINER_ID": "9876543",
"GOOGLE_APPLICATION_CREDENTIALS": "/path/to/service-account.json"
},
"args": [
"/path/to/mcp-gtm-ga4/dist/index.js"
],
"command": "node"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
MCP server for Google Tag Manager and GA4 -- tag management, consent auditing, workspace versioning, and analytics reporting via Claude.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'mcp-gtm-ga4' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
Checked mcp-gtm-ga4 against OSV.dev.
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in analytics / marketing
DataForSEO API modelcontextprotocol server
MCP server that enables AI agents to perform comprehensive web audits using Google Lighthouse with 13+ tools for performance, accessibility, SEO, and security analysis.
MCP server for Dynatrace Managed to access logs, events, and metrics.
An MCP server that provides [describe what your server does]
MCP Security Weekly
Get CVE alerts and security updates for io.github.mharnett/gtm-ga4 and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
MCP server for Google Tag Manager and GA4 -- tag management, consent auditing, workspace versioning, and analytics reporting via Claude.
npm install mcp-gtm-ga4
Or clone and build:
git clone https://github.com/mharnett/mcp-gtm-ga4.git
cd mcp-gtm-ga4
npm install
npm run build
Security: Never share your .mcp.json file or commit it to git -- it may contain API credentials. Add .mcp.json to your .gitignore.
Runtime configuration is via environment variables.
| Variable | Required | Description |
|---|---|---|
GOOGLE_APPLICATION_CREDENTIALS | Yes | Path to a Google credential JSON key file (service account or authorized-user — see Authentication below) |
GTM_ACCOUNT_ID | Yes | GTM account ID |
GTM_CONTAINER_ID | Yes | GTM container ID |
GA4_PROPERTY_ID | Yes | GA4 property ID |
GTM_SANDBOX_WORKSPACE_ID | No | Override workspace ID (auto-detects Default Workspace if omitted) |
MCP_SERVER_NAME | No | Server name (defaults to package name mcp-gtm-ga4) |
See config.example.json for a reference template. The only value read from disk is oauth.scope (in an optional config.json) — the single source of truth for the OAuth scope the onboarding paths request. If no config.json is present, the committed minimum scope is used.
This MCP supports two auth models. Both feed the same GOOGLE_APPLICATION_CREDENTIALS runtime path.
There is no runtime service-account-vs-OAuth toggle. Both models converge on a
single slot — GOOGLE_APPLICATION_CREDENTIALS — which the runtime hands to
GoogleAuth({ keyFile }). Whichever file you point that env var at is the
credential:
authorized_user keyfile the auth subcommand writes (option 2) — a
file that plugs into the exact same slot.So the only real precedence rule is failure handling: an explicitly-configured
keyfile is used; when GOOGLE_APPLICATION_CREDENTIALS is unset the server fails
loudly at startup with an onboarding error naming both the service-account path
and the auth OAuth helper. It deliberately does not fall back to Google's
Application Default Credentials (gcloud user creds / GCE metadata server) — no
silent machine-local default, no silent runtime failover.
Create a service account in your GCP project, download its JSON key, grant it the
GTM container role (on the target GTM container) and GA4 property access, and
point GOOGLE_APPLICATION_CREDENTIALS at the key file. No OAuth flow, no browser,
no refresh token. This is the recommended path for headless/server/unattended
deployments.
If you can't use a service account, mint a user credential with your own Google OAuth client (a "Desktop app" OAuth 2.0 Client ID created in your own GCP project — enable the Tag Manager API and the Google Analytics Admin + Data APIs). Two equivalent onboarding commands, both hardened with PKCE (RFC 7636, S256) and both requesting the scope from config.json (oauth.scope) so they never drift:
export GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
export GOOGLE_CLIENT_SECRET=your-client-secret
# Option A: write an authorized_user credential file directly
node dist/index.js auth --output .
... [View full README on GitHub](https://github.com/mharnett/mcp-gtm-ga4#readme)