Your credentials stay local
Most server-side tracking tools ask for broad access to your Google accounts and hold your credentials on their servers. GetServerSide takes a different approach: your Google OAuth credentials stay on your machine.
The trust boundary
The assistant uses a local component on your machine for all Google API calls. Your Google OAuth credentials stay in your operating system’s keychain — they are never sent to GetServerSide servers. API calls go directly from your machine to Google. The hosted web interface manages your project data, but it has no access to your Google tokens.
This means the trust boundary is not about what the app can do — it’s about where your credentials live.
What the app uses access for
The assistant needs access to your Google accounts to scan and validate your setup and to check its health over time:
- GA4: property metadata, settings, data stream details
- GTM: container configuration, tags, triggers, variables, clients
- Cloud Run: service metadata, status, URLs
During setup, the assistant also writes to your GTM containers — creating server-side tags and configuring shadow routes — with your explicit confirmation before any change is published. Write access where it serves you is better than forcing you to copy-paste configuration manually.
What the app cannot do
- Access raw analytics event data
- Make changes without your explicit confirmation
- Send your credentials to GetServerSide servers
Why this matters
The security boundary is where your credentials live, not what permissions they have. A tool that holds your tokens on a remote server has a broader attack surface than one that keeps them in your OS keychain — regardless of whether the scopes are read-only or read-write.
For a tool you’re trusting with your GTM and GA4 setup, that’s the right tradeoff.