Phloz
Sign inStart free
tracking infrastructure11 min readBy Phloz team

GA4 + GTM Admin API for agencies: when to automate, when to skip

The GA4 Admin API and GTM API let agencies automate property creation, conversion-action management, container audits, and tag deployment across portfolios. The 5 operations worth automating, the 4 that aren't, and the auth model that survives 50+ client accounts.

TL;DR

Google publishes Admin APIs for both GA4 and GTM that let agencies automate property + container management programmatically. The GA4 Admin API exposes property creation, data stream management, conversion-event configuration, custom dimension + metric registration, and audience definition. The GTM API exposes container CRUD, tag/trigger/variable management, version creation + publishing, and workspace operations. Both are free; both require service-account or OAuth auth scoped per client. The 5 operations actually worth automating at agency scale: per-client property bootstrap, conversion-action sync from a master template, container audit (read-only), version-pinned promotions across environments, and access-list audits. The 4 operations that aren't worth automating: ad-hoc tag tweaks (use the GUI), one-off audience creation, debugging an active issue, anything where a human review prevents a misconfiguration. Plus: the auth model that scales (service accounts per client, not per agency) and the build-vs-buy framing.

If you've operated 20+ Google Analytics + GTM accounts as an agency, you've felt the pain of manual repetition. Every new client onboarding involves the same 30-step setup: create the GA4 property, configure data streams, register custom dimensions, define audiences, build the GTM container, install tags, link to ad accounts, set up conversions. Most of these steps are programmable — Google ships Admin APIs for both products specifically so this work can be automated.

Most agencies don't use them. The question is whether they should.

The case for using the Admin APIs at agency scale

Three real wins:

  1. Reproducibility. Onboarding a new client takes 4 hours instead of 12 because the property + container + conversion library bootstrap from a versioned template instead of hand-clicked.
  2. Audit-at-scale. A weekly cron compares each client's GTM container state vs the agency's standard + flags drift. Without this, drift compounds invisibly between manual audits.
  3. Cross-client consistency. The same conversion-action definition exists across every relevant client because it's deployed from one source of truth, not hand-recreated per account.

Three real costs:

  1. API surface complexity. GA4 Admin API has ~40 entity types; GTM API has ~20. Learning curve is real.
  2. Auth + access management. Each client account needs a service account or OAuth grant; managing 50 of them is its own administrative load.
  3. Failure-mode debugging. When the API does something unexpected, you debug from the API response — not the GUI you'd normally inspect. Rare but expensive when it happens.

The break-even point: roughly 10-15 active client GA4 properties + GTM containers. Below that, manual + the GUI is faster end-to-end. Above that, the manual cost compounds enough that automation pays back in months.

GA4 Admin API: what it does

Reference: https://developers.google.com/analytics/devguides/config/admin/v1

The Admin API (analyticsadmin.googleapis.com) exposes most of the GA4 admin surface. The major entity types:

  • Properties — create / update / delete / list. The GA4 property is the top-level container.
  • Data streams — web, iOS, Android per property. Configure measurement IDs, internal-traffic exclusion rules, enhanced-measurement settings.
  • Custom dimensions + metrics — register at property level, scope to event or user.
  • Conversion events (now "key events") — mark events as conversions, set count rules.
  • Audiences — define + share to ad platforms.
  • Google Ads links + Search Console links — connect properties to other Google products.
  • Account access bindings — manage who has what role on the property.
  • Data retention settings — how long event data is retained (default 2 months; should be 14 minimum).

What's NOT exposed: the Google Signals + IDFA / advertising-personalization toggles (UI-only); the consent-mode-v2 settings (those live in the data stream config but the API access is partial); some of the newer advertising-features settings.

GTM Admin API: what it does

Reference: https://developers.google.com/tag-platform/tag-manager/api/v2

The GTM API (tagmanager.googleapis.com) exposes the entire GTM admin surface:

  • Accounts — top-level GTM accounts (your agency's MCC equivalent for tag management).
  • Containers — per-client web + server-side containers.
  • Workspaces — the staging area where changes accumulate before publish.
  • Tags, triggers, variables — full CRUD per workspace.
  • Versions — snapshot a workspace; promote to live; rollback.
  • Environments — dev / staging / prod targeting per container.
  • Built-in variables — toggle the standard set (page URL, click element, form classes, etc.).
  • Permissions — user-level + container-level access management.

The GTM API is more complete than the GA4 Admin API. Almost everything in the GTM UI has a programmatic equivalent.

The 5 operations worth automating

1. Per-client property + container bootstrap

The single highest-ROI automation. Instead of hand-clicking through 30 steps per new client:

bootstrap_client(client_slug, industry):
  1. Create GA4 property (name = "Client - YYYY-MM").
  2. Create web data stream + record measurement ID.
  3. Set data retention to 14 months.
  4. Register custom dimensions (your standard set: page_category, user_segment, etc).
  5. Create the conversion library (purchase, lead-form-submission, qualified-lead).
  6. Link to client's Google Ads account.
  7. Create GTM web container; record container ID.
  8. Install standard tags (GA4 config, page-view triggers, conversion forwarding).
  9. Create initial workspace + version + publish.
  10. Document everything in the tracking-infrastructure map.

Time savings: 12 hours → 2 hours per onboarding (the 2 hours is the human-review + client-specific configuration that shouldn't auto-bootstrap). Pays back the script-writing time after 5-6 onboardings.

2. Conversion-action sync from a master template

Define your canonical set of conversion actions once. Per-client, sync the relevant subset down via API. Updates to the master propagate.

This is what Google's MCC-level conversion library does for Google Ads (see Google Ads MCC for agencies). For GA4, the equivalent doesn't exist natively — you have to build it via API.

The pattern:

  • Master config: a YAML / JSON file in your repo with the canonical conversion definitions.
  • Sync script: pulls master, diffs against each client's GA4 property, applies changes.
  • CI: runs on master-config push so updates propagate without manual triggers.

The complexity: GA4 doesn't deduplicate by name automatically. You have to track entity IDs returned at create-time + use them on update. Standard CRUD-with-state-tracking pattern; not exotic, just non-zero work.

3. Container audit (read-only)

Weekly cron pulls every client's GTM container via API + diffs against your standard structure. Output: a punchlist per client of "tags that should exist but don't", "tags that exist but shouldn't (orphans from previous agency)", "triggers firing on dead URLs", etc.

This is observable-only — doesn't mutate. Safe to run on production containers. Output feeds into your weekly account-health review.

The standardization input is your agency's "what every well-formed GTM container looks like." Most agencies don't have this written down formally; building it is part of the value of the audit script. Once you have it, you can apply it everywhere.

4. Version-pinned promotions across environments

GTM's environments feature: dev → staging → prod per container. Most agencies don't use this; they edit live + hope. Better:

  • Tag changes go to dev workspace.
  • QA in dev.
  • API promotes the version to staging (tied to a staging URL).
  • QA in staging against real ad-platform conversions.
  • API promotes the version to prod.

This eliminates the "we made a change yesterday and now ROAS is half what it was" pattern. Every prod change has a versioned predecessor that can be rolled back via API.

The trade-off: this requires the client's site to support staging environments. Most agencies have at least 2-3 clients on tooling that supports this (Webflow, Shopify, Vercel-hosted sites); roll out there first.

5. Access-list audits

Pull the user list from every GA4 property + GTM container monthly. Compare to your team roster. Flag stale Admin permissions from off-boarded contractors.

This is the same audit pattern from the Google Ads MCC post but for GA4 + GTM. The catch: GA4 access-list APIs are more limited than GTM's — you can list bindings but the workflow for revoking is partial. GTM's permissions API is more complete.

The 4 operations not worth automating

1. Ad-hoc tag tweaks

Editing a tag's parameter to fix a one-off issue is faster in the GUI. Building API tooling for "change this trigger's URL pattern" is over-engineering. The GUI exists for this.

Rule of thumb: if you'd do it once and never again, don't automate.

2. One-off audience creation

Audience definitions are usually client-specific + iteratively tuned. The first version of an audience is rarely the right one. Automating "create this audience" forces you to pre-think the right definition; iterating in the GUI lets you tune.

Once an audience definition is stable + you want to reuse the SHAPE across clients (e.g. "users who visited /pricing in the last 30 days"), then template + automate.

3. Debugging an active issue

When something is broken in production right now, the API isn't the right tool. The GA4 / GTM debug consoles + the browser dev tools are. Don't reach for the API mid-incident.

4. Anything where human review prevents a misconfiguration

The Admin APIs let you do dangerous things at scale (bulk-delete properties, mass-update tags, change retention settings on every account simultaneously). Some of these dangerous things are exactly what you want; others are how you wipe a client's historical data by accident. The friction of clicking through the GUI is sometimes the right rate-limiter on dangerous operations.

Specific examples to NEVER automate without a human-in-the-loop:

  • Property deletion
  • Data retention reduction (irreversible — already-expired data can't be recovered)
  • User access revocation (lockout risk)
  • Mass-publishing tag changes across 50 clients without per-client QA

Build vs buy

The Admin APIs are programming primitives. To turn them into operational tools, someone writes the scripts + maintains them.

Build it yourself if:

  • Your agency has 1-2 engineers who can write + maintain the scripts. Maintenance is real — Google ships breaking changes occasionally + the API surface evolves.
  • You want full customization. Off-the-shelf tools encode someone else's standardization opinion; your own scripts encode yours.
  • You're treating the tracking-infrastructure layer as a competitive advantage.

Use an off-the-shelf tool if:

  • You don't have engineering capacity. Buying time matters more than custom standardization.
  • You're at 5-15 clients, not 50. Off-the-shelf at small scale is fine; build-it-yourself at small scale is over-investment.

The hybrid: use a tool for the audit + reporting layer (read-only, low risk) + write your own scripts for the bootstrap + sync layer (where your agency's specific standards matter). Most agencies that scale past 20 clients end up here.

The auth model that survives 50+ clients

Two patterns:

Service-account-per-client

For each client account: create a Google Cloud project, generate a service account, grant that service account access to the client's GA4 property + GTM container. The service-account email looks like phloz-tracking@client-acme-foods.iam.gserviceaccount.com.

Pros: clean access boundaries. Off-boarding a client = revoke their service account, no agency-wide blast radius. Cons: 50 service accounts to manage. Need a tracking system (your CRM or tracking infrastructure map).

OAuth-on-behalf-of-agency-user

One Google Cloud project owned by the agency. OAuth flow grants access tokens scoped to a specific user. The user's account has access to all client properties.

Pros: simpler to set up; one Google project for everything. Cons: agency-wide blast radius if the access token leaks. User off-boarding = the off-boarded user retains access until you remember to revoke.

The right answer for most agencies: service-account-per-client at scale (20+ clients), OAuth at smaller scale. Migrating from OAuth to per-client service accounts is doable but tedious.

The Phloz angle

Phloz today doesn't ship the Admin API integration — node-types are documented manually in the tracking infrastructure map. The user enters "GA4 property: G-XYZ" and updates the health status manually after verification.

The V2 plan (per ARCHITECTURE.md §1 V2 scope) includes Admin API mirrors for GA4 + GTM + the major ad platforms. The mirror would auto-sync property metadata, container structure, conversion-action definitions, and health states — turning the tracking-infrastructure map from a documented model into a live observation layer.

We deliberately haven't built this yet. The reason: the manual model is the right starting point because it forces the agency to articulate "what's the structure I want here" before the API auto-syncs reality. Auto-syncing first is a recipe for the tool reflecting the chaos that already exists, not standardizing it.

When the V2 mirror ships, it'll mirror INTO the typed model — preserving the standardization layer. Until then, the manual model + the patterns in this post are the agency-shape answer.

Closing

The GA4 + GTM Admin APIs are powerful primitives. Most agencies should not build directly on them at scale; the cost of writing + maintaining bespoke scripts adds up. Most agencies should also not avoid them entirely; the read-only audit cron alone is worth a few engineering hours to build.

The right framing: automate where standardization compounds (per-client bootstrap, master conversion-action library, weekly audit), keep manual where flexibility matters (audience iteration, ad-hoc tweaks, debugging). Pair with a human-in-the-loop for any operation that could blast-radius across the portfolio.

If your agency is past 20 client accounts and tracking-infrastructure work is consuming more than 15% of senior team hours, the Admin API automation conversation is worth having seriously this quarter. Below that scale, manual + the GUI + a documented tracking-infrastructure map is enough.

Try Phloz free for the manual tracking-infrastructure model that V2 will eventually auto-sync, or see pricing for the per-active-client breakdown.