diff --git a/crates/common/src/integrations/google_tag_manager.rs b/crates/common/src/integrations/google_tag_manager.rs
new file mode 100644
index 00000000..b1946042
--- /dev/null
+++ b/crates/common/src/integrations/google_tag_manager.rs
@@ -0,0 +1,1031 @@
+//! Google Tag Manager integration for first-party tag delivery.
+//!
+//! Proxies GTM scripts and Google Analytics beacons through the publisher's
+//! domain, improving tracking accuracy and ad-blocker resistance.
+//!
+//! # Endpoints
+//!
+//! | Method | Path | Description |
+//! |--------|------|-------------|
+//! | `GET` | `.../gtm.js` | Proxies and rewrites the GTM script |
+//! | `GET` | `.../gtag/js` | Proxies the gtag script |
+//! | `GET/POST` | `.../collect` | Proxies GA analytics beacons |
+//! | `GET/POST` | `.../g/collect` | Proxies GA4 analytics beacons |
+
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use error_stack::{Report, ResultExt};
+use fastly::http::{Method, StatusCode};
+use fastly::{Request, Response};
+use once_cell::sync::Lazy;
+use regex::Regex;
+use serde::{Deserialize, Serialize};
+use validator::Validate;
+
+use crate::error::TrustedServerError;
+use crate::integrations::{
+    AttributeRewriteAction, IntegrationAttributeContext, IntegrationAttributeRewriter,
+    IntegrationEndpoint, IntegrationProxy, IntegrationRegistration, IntegrationScriptContext,
+    IntegrationScriptRewriter, ScriptRewriteAction,
+};
+use crate::proxy::{proxy_request, ProxyRequestConfig};
+use crate::settings::{IntegrationConfig, Settings};
+
+const GTM_INTEGRATION_ID: &str = "google_tag_manager";
+const DEFAULT_UPSTREAM: &str = "https://www.googletagmanager.com";
+
+/// Regex pattern for matching and rewriting GTM and Google Analytics URLs.
+///
+/// Handles full and protocol-relative URL variants:
+/// - `https://www.googletagmanager.com/gtm.js?id=...`
+/// - `//www.googletagmanager.com/gtm.js?id=...`
+/// - `https://www.google-analytics.com/collect`
+/// - `//www.google-analytics.com/g/collect`
+///
+/// **Requires `//` prefix** — bare domain strings like `"www.googletagmanager.com"`
+/// are intentionally NOT matched. gtag.js stores domains as bare strings and
+/// constructs URLs dynamically (`"https://" + domain + "/path"`). Rewriting
+/// the bare domain produces broken URLs like
+/// `https://integrations/google_tag_manager/path` because the script still
+/// prepends `"https://"`.
+///
+/// **Does NOT include `analytics.google.com`** — same dynamic URL construction
+/// issue. Full URLs containing `analytics.google.com` are handled by
+/// [`is_rewritable_url`] for HTML attribute rewriting where we see the
+/// complete URL.
+///
+/// Captures a trailing delimiter (`/` or `"`) in group 2 to prevent false matches
+/// on subdomains (e.g., `www.googletagmanager.com.evil.com`).
+///
+/// The replacement target is `/integrations/google_tag_manager` + the captured delimiter.
+static GTM_URL_PATTERN: Lazy<Regex> = Lazy::new(|| {
+    Regex::new(r#"(?:https?:)?//www\.(googletagmanager|google-analytics)\.com([/"])"#)
+        .expect("GTM URL regex should compile")
+});
+
+#[derive(Debug, Clone, Deserialize, Serialize, Validate)]
+pub struct GoogleTagManagerConfig {
+    #[serde(default = "default_enabled")]
+    pub enabled: bool,
+    /// GTM Container ID (e.g., "GTM-XXXXXX").
+    #[validate(length(min = 1))]
+    pub container_id: String,
+    /// Upstream URL for GTM (defaults to <https://www.googletagmanager.com>).
+    #[serde(default = "default_upstream")]
+    #[validate(url)]
+    pub upstream_url: String,
+    /// Cache max-age in seconds for the rewritten GTM script (default: 900 to match Google's default).
+    #[serde(default = "default_cache_max_age")]
+    #[validate(range(min = 60, max = 86400))]
+    pub cache_max_age: u32,
+}
+
+impl IntegrationConfig for GoogleTagManagerConfig {
+    fn is_enabled(&self) -> bool {
+        self.enabled
+    }
+}
+
+fn default_enabled() -> bool {
+    false
+}
+
+fn default_upstream() -> String {
+    DEFAULT_UPSTREAM.to_string()
+}
+
+fn default_cache_max_age() -> u32 {
+    900 // Match Google's default
+}
+
+pub struct GoogleTagManagerIntegration {
+    config: GoogleTagManagerConfig,
+}
+
+impl GoogleTagManagerIntegration {
+    fn new(config: GoogleTagManagerConfig) -> Arc<Self> {
+        Arc::new(Self { config })
+    }
+
+    fn error(message: impl Into<String>) -> TrustedServerError {
+        TrustedServerError::Integration {
+            integration: GTM_INTEGRATION_ID.to_string(),
+            message: message.into(),
+        }
+    }
+
+    fn upstream_url(&self) -> &str {
+        if self.config.upstream_url.is_empty() {
+            DEFAULT_UPSTREAM
+        } else {
+            &self.config.upstream_url
+        }
+    }
+
+    /// Rewrite GTM and Google Analytics URLs to first-party proxy paths.
+    ///
+    /// Uses [`GTM_URL_PATTERN`] to handle all URL variants (https, protocol-relative)
+    /// for `googletagmanager.com` and `google-analytics.com`.
+    fn rewrite_gtm_urls(content: &str) -> String {
+        let replacement = format!("/integrations/{}$2", GTM_INTEGRATION_ID);
+        GTM_URL_PATTERN
+            .replace_all(content, replacement.as_str())
+            .into_owned()
+    }
+
+    /// Whether an attribute value URL should be rewritten to first-party.
+    /// Only matches URLs for which we have corresponding proxy routes
+    /// (gtm.js, gtag/js, collect, g/collect). Excludes ns.html and other
+    /// GTM endpoints we don't proxy.
+    fn is_rewritable_url(url: &str) -> bool {
+        // Match googletagmanager.com URLs for scripts we proxy
+        if url.contains("googletagmanager.com") {
+            return url.contains("/gtm.js") || url.contains("/gtag/js") || url.contains("/gtag.js");
+        }
+        // Match google-analytics.com and analytics.google.com URLs for beacons we proxy
+        if url.contains("google-analytics.com") || url.contains("analytics.google.com") {
+            return url.contains("/collect") || url.contains("/g/collect");
+        }
+        false
+    }
+
+    /// Both `/gtag/js` (canonical) and `/gtag.js` (alternate) are accepted;
+    /// upstream always normalizes to `/gtag/js`.
+    fn is_rewritable_script(&self, path: &str) -> bool {
+        path.ends_with("/gtm.js") || path.ends_with("/gtag/js") || path.ends_with("/gtag.js")
+    }
+
+    fn build_target_url(&self, req: &Request, path: &str) -> Option<String> {
+        let upstream_base = self.upstream_url();
+
+        let mut target_url = if path.ends_with("/gtm.js") {
+            format!("{}/gtm.js", upstream_base)
+        } else if path.ends_with("/gtag/js") || path.ends_with("/gtag.js") {
+            format!("{}/gtag/js", upstream_base) // Always normalize to /gtag/js upstream as it's canonical
+        } else if path.ends_with("/collect") {
+            if path.contains("/g/") {
+                "https://www.google-analytics.com/g/collect".to_string()
+            } else {
+                "https://www.google-analytics.com/collect".to_string()
+            }
+        } else {
+            return None;
+        };
+
+        if let Some(query) = req.get_url().query() {
+            target_url = format!("{}?{}", target_url, query);
+        } else if path.ends_with("/gtm.js") {
+            target_url = format!("{}?id={}", target_url, self.config.container_id);
+        }
+
+        Some(target_url)
+    }
+
+    fn build_proxy_config<'a>(
+        &self,
+        path: &str,
+        req: &mut Request,
+        target_url: &'a str,
+    ) -> ProxyRequestConfig<'a> {
+        let mut proxy_config = ProxyRequestConfig::new(target_url);
+        proxy_config.forward_synthetic_id = false;
+
+        // If it's a POST request (e.g. /collect beacon), we must manually attach the body
+        // because ProxyRequestConfig doesn't automatically copy it from the source request.
+        if req.get_method() == Method::POST {
+            let body_bytes = req.take_body_bytes();
+            proxy_config.body = Some(body_bytes);
+        }
+
+        // Explicitly strip X-Forwarded-For to prevent client IP leakage to Google.
+        // The empty value will override any existing header during proxy forwarding.
+        proxy_config = proxy_config.with_header(
+            crate::constants::HEADER_X_FORWARDED_FOR,
+            fastly::http::HeaderValue::from_static(""),
+        );
+
+        if self.is_rewritable_script(path) {
+            proxy_config = proxy_config.with_header(
+                fastly::http::header::ACCEPT_ENCODING,
+                fastly::http::HeaderValue::from_static("identity"),
+            );
+        }
+
+        proxy_config
+    }
+}
+
+fn build(settings: &Settings) -> Option<Arc<GoogleTagManagerIntegration>> {
+    let config = match settings.integration_config::<GoogleTagManagerConfig>(GTM_INTEGRATION_ID) {
+        Ok(Some(config)) => config,
+        Ok(None) => return None,
+        Err(err) => {
+            log::error!("Failed to load GTM integration config: {err:?}");
+            return None;
+        }
+    };
+
+    Some(GoogleTagManagerIntegration::new(config))
+}
+
+#[must_use]
+pub fn register(settings: &Settings) -> Option<IntegrationRegistration> {
+    let integration = build(settings)?;
+    Some(
+        IntegrationRegistration::builder(GTM_INTEGRATION_ID)
+            .with_proxy(integration.clone())
+            .with_attribute_rewriter(integration.clone())
+            .with_script_rewriter(integration)
+            .build(),
+    )
+}
+
+#[async_trait(?Send)]
+impl IntegrationProxy for GoogleTagManagerIntegration {
+    fn integration_name(&self) -> &'static str {
+        GTM_INTEGRATION_ID
+    }
+
+    fn routes(&self) -> Vec<IntegrationEndpoint> {
+        vec![
+            // Proxy for the main GTM script
+            self.get("/gtm.js"),
+            // Proxy for the gtag script (if used)
+            self.get("/gtag/js"),
+            self.get("/gtag.js"),
+            // Analytics beacons (GA4/UA)
+            // The GTM script is rewritten to point these beacons to our proxy.
+            self.get("/collect"),
+            self.post("/collect"),
+            self.get("/g/collect"),
+            self.post("/g/collect"),
+        ]
+    }
+
+    async fn handle(
+        &self,
+        settings: &Settings,
+        mut req: Request,
+    ) -> Result<Response, Report<TrustedServerError>> {
+        let path = req.get_path().to_string();
+        let method = req.get_method();
+        log::debug!("Handling GTM request: {} {}", method, path);
+
+        let Some(target_url) = self.build_target_url(&req, &path) else {
+            return Ok(Response::from_status(StatusCode::NOT_FOUND));
+        };
+
+        log::debug!("Proxying to upstream: {}", target_url);
+
+        let proxy_config = self.build_proxy_config(&path, &mut req, &target_url);
+
+        let mut response = proxy_request(settings, req, proxy_config)
+            .await
+            .change_context(Self::error("Failed to proxy GTM request"))?;
+
+        // If we are serving gtm.js or gtag.js, rewrite internal URLs to route beacons through us.
+        if self.is_rewritable_script(&path) {
+            if !response.get_status().is_success() {
+                log::warn!("GTM upstream returned status {}", response.get_status());
+                return Ok(response);
+            }
+            log::debug!("Rewriting GTM/gtag script content");
+            let body_str = response.take_body_str();
+            let rewritten_body = Self::rewrite_gtm_urls(&body_str);
+
+            response = Response::from_body(rewritten_body)
+                .with_header(
+                    fastly::http::header::CONTENT_TYPE,
+                    "application/javascript; charset=utf-8",
+                )
+                .with_header(
+                    fastly::http::header::CACHE_CONTROL,
+                    format!("public, max-age={}", self.config.cache_max_age),
+                );
+        }
+
+        Ok(response)
+    }
+}
+
+impl IntegrationAttributeRewriter for GoogleTagManagerIntegration {
+    fn integration_id(&self) -> &'static str {
+        GTM_INTEGRATION_ID
+    }
+
+    fn handles_attribute(&self, attribute: &str) -> bool {
+        matches!(attribute, "src" | "href")
+    }
+
+    fn rewrite(
+        &self,
+        _attr_name: &str,
+        attr_value: &str,
+        _ctx: &IntegrationAttributeContext<'_>,
+    ) -> AttributeRewriteAction {
+        if Self::is_rewritable_url(attr_value) {
+            AttributeRewriteAction::replace(Self::rewrite_gtm_urls(attr_value))
+        } else {
+            AttributeRewriteAction::keep()
+        }
+    }
+}
+
+impl IntegrationScriptRewriter for GoogleTagManagerIntegration {
+    fn integration_id(&self) -> &'static str {
+        GTM_INTEGRATION_ID
+    }
+
+    fn selector(&self) -> &'static str {
+        "script" // Match all scripts to find inline GTM snippets
+    }
+
+    fn rewrite(&self, content: &str, _ctx: &IntegrationScriptContext<'_>) -> ScriptRewriteAction {
+        // Look for the GTM snippet pattern.
+        // Standard snippet contains: "googletagmanager.com/gtm.js"
+        // Note: analytics.google.com is intentionally excluded — gtag.js stores
+        // that domain as a bare string and constructs URLs dynamically, so
+        // rewriting it in scripts produces broken URLs.
+        if content.contains("googletagmanager.com") || content.contains("google-analytics.com") {
+            return ScriptRewriteAction::replace(Self::rewrite_gtm_urls(content));
+        }
+
+        ScriptRewriteAction::keep()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::html_processor::{create_html_processor, HtmlProcessorConfig};
+    use crate::integrations::{
+        AttributeRewriteAction, IntegrationAttributeContext, IntegrationAttributeRewriter,
+        IntegrationDocumentState, IntegrationRegistry, IntegrationScriptContext,
+        IntegrationScriptRewriter, ScriptRewriteAction,
+    };
+    use crate::settings::Settings;
+    use crate::streaming_processor::{Compression, PipelineConfig, StreamingPipeline};
+
+    use crate::test_support::tests::crate_test_settings_str;
+    use fastly::http::Method;
+    use std::io::Cursor;
+
+    #[test]
+    fn test_rewrite_gtm_urls() {
+        // All URL patterns should be rewritten via the shared regex
+        let input = r#"
+            var a = "https://www.googletagmanager.com/gtm.js";
+            var b = "//www.googletagmanager.com/gtm.js";
+            var c = "https://www.google-analytics.com/collect";
+            var d = "//www.google-analytics.com/g/collect";
+            var e = "http://www.googletagmanager.com/gtm.js";
+        "#;
+
+        let result = GoogleTagManagerIntegration::rewrite_gtm_urls(input);
+
+        assert!(result.contains("/integrations/google_tag_manager/gtm.js"));
+        assert!(result.contains("/integrations/google_tag_manager/collect"));
+        assert!(result.contains("/integrations/google_tag_manager/g/collect"));
+        assert!(!result.contains("www.googletagmanager.com"));
+        assert!(!result.contains("www.google-analytics.com"));
+    }
+
+    #[test]
+    fn test_rewrite_does_not_touch_analytics_google_com() {
+        // analytics.google.com must NOT be rewritten in scripts — gtag.js stores
+        // the bare domain string and constructs URLs dynamically with
+        // "https://" + domain + "/g/collect", so rewriting the domain produces
+        // the broken URL https://integrations/google_tag_manager/g/collect.
+        let input = r#"var f = "https://analytics.google.com/g/collect";"#;
+        let result = GoogleTagManagerIntegration::rewrite_gtm_urls(input);
+        assert_eq!(
+            input, result,
+            "analytics.google.com should not be rewritten by regex"
+        );
+    }
+
+    #[test]
+    fn test_rewrite_preserves_non_gtm_urls() {
+        let input = r#"var x = "https://example.com/script.js";"#;
+        let result = GoogleTagManagerIntegration::rewrite_gtm_urls(input);
+        assert_eq!(input, result);
+    }
+
+    #[test]
+    fn test_rewrite_rejects_subdomain_spoofing() {
+        // Should NOT rewrite URLs where the GTM domain is a subdomain of another domain
+        let input = r#"var x = "https://www.googletagmanager.com.evil.com/collect";"#;
+        let result = GoogleTagManagerIntegration::rewrite_gtm_urls(input);
+        assert_eq!(input, result, "should not rewrite spoofed subdomain URLs");
+    }
+
+    #[test]
+    fn test_rewrite_does_not_touch_bare_domain_strings() {
+        // Bare domain strings (without // prefix) must NOT be rewritten.
+        // gtag.js stores domains as bare strings and constructs URLs dynamically:
+        //   "https://" + domain + "/g/collect"
+        // Rewriting the bare domain produces broken URLs like:
+        //   https://integrations/google_tag_manager/g/collect
+        let input = r#"var d = "www.googletagmanager.com";"#;
+        let result = GoogleTagManagerIntegration::rewrite_gtm_urls(input);
+        assert_eq!(input, result, "bare domain strings should not be rewritten");
+
+        let input2 = r#"var d = "www.google-analytics.com";"#;
+        let result2 = GoogleTagManagerIntegration::rewrite_gtm_urls(input2);
+        assert_eq!(
+            input2, result2,
+            "bare google-analytics domain should not be rewritten"
+        );
+    }
+
+    #[test]
+    fn test_attribute_rewriter() {
+        let config = GoogleTagManagerConfig {
+            enabled: true,
+            container_id: "GTM-TEST".to_string(),
+            upstream_url: "https://www.googletagmanager.com".to_string(),
+            cache_max_age: default_cache_max_age(),
+        };
+        let integration = GoogleTagManagerIntegration::new(config);
+
+        let ctx = IntegrationAttributeContext {
+            attribute_name: "src",
+            request_host: "example.com",
+            request_scheme: "https",
+            origin_host: "origin.example.com",
+        };
+
+        // Case 1: Standard HTTPS URL
+        let action = IntegrationAttributeRewriter::rewrite(
+            &*integration,
+            "src",
+            "https://www.googletagmanager.com/gtm.js?id=GTM-TEST",
+            &ctx,
+        );
+        if let AttributeRewriteAction::Replace(val) = action {
+            assert_eq!(val, "/integrations/google_tag_manager/gtm.js?id=GTM-TEST");
+        } else {
+            panic!("Expected Replace action for HTTPS URL, got {:?}", action);
+        }
+
+        // Case 2: Protocol-relative URL
+        let action = IntegrationAttributeRewriter::rewrite(
+            &*integration,
+            "src",
+            "//www.googletagmanager.com/gtm.js?id=GTM-TEST",
+            &ctx,
+        );
+        if let AttributeRewriteAction::Replace(val) = action {
+            assert_eq!(val, "/integrations/google_tag_manager/gtm.js?id=GTM-TEST");
+        } else {
+            panic!(
+                "Expected Replace action for protocol-relative URL, got {:?}",
+                action
+            );
+        }
+
+        // Case 3: gtag/js URL in href (preload link)
+        let action = IntegrationAttributeRewriter::rewrite(
+            &*integration,
+            "href",
+            "https://www.googletagmanager.com/gtag/js?id=G-DQMZGMPHXN",
+            &ctx,
+        );
+        if let AttributeRewriteAction::Replace(val) = action {
+            assert_eq!(
+                val,
+                "/integrations/google_tag_manager/gtag/js?id=G-DQMZGMPHXN"
+            );
+        } else {
+            panic!(
+                "Expected Replace action for gtag/js preload href, got {:?}",
+                action
+            );
+        }
+
+        // Case 4: google-analytics.com URL in href
+        let action = IntegrationAttributeRewriter::rewrite(
+            &*integration,
+            "href",
+            "https://www.google-analytics.com/g/collect",
+            &ctx,
+        );
+        if let AttributeRewriteAction::Replace(val) = action {
+            assert_eq!(val, "/integrations/google_tag_manager/g/collect");
+        } else {
+            panic!(
+                "Expected Replace action for google-analytics href, got {:?}",
+                action
+            );
+        }
+
+        // Case 5: Other URL (should be kept)
+        let action = IntegrationAttributeRewriter::rewrite(
+            &*integration,
+            "src",
+            "https://other.com/script.js",
+            &ctx,
+        );
+        assert!(matches!(action, AttributeRewriteAction::Keep));
+    }
+
+    #[test]
+    fn test_script_rewriter() {
+        let config = GoogleTagManagerConfig {
+            enabled: true,
+            container_id: "GTM-TEST".to_string(),
+            upstream_url: "https://www.googletagmanager.com".to_string(),
+            cache_max_age: default_cache_max_age(),
+        };
+        let integration = GoogleTagManagerIntegration::new(config);
+        let doc_state = IntegrationDocumentState::default();
+
+        let ctx = IntegrationScriptContext {
+            selector: "script",
+            request_host: "example.com",
+            request_scheme: "https",
+            origin_host: "origin.example.com",
+            is_last_in_text_node: true,
+            document_state: &doc_state,
+        };
+
+        // Case 1: Inline GTM snippet
+        let snippet = r#"(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
+j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
+'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
+})(window,document,'script','dataLayer','GTM-XXXX');"#;
+
+        let action = IntegrationScriptRewriter::rewrite(&*integration, snippet, &ctx);
+        if let ScriptRewriteAction::Replace(val) = action {
+            assert!(val.contains("/integrations/google_tag_manager/gtm.js"));
+            assert!(!val.contains("https://www.googletagmanager.com/gtm.js"));
+        } else {
+            panic!("Expected Replace action for GTM snippet, got {:?}", action);
+        }
+
+        // Case 2: Protocol relative
+        let snippet_proto = r#"j.src='//www.googletagmanager.com/gtm.js?id='+i+dl;"#;
+        let action = IntegrationScriptRewriter::rewrite(&*integration, snippet_proto, &ctx);
+        if let ScriptRewriteAction::Replace(val) = action {
+            assert!(val.contains("/integrations/google_tag_manager/gtm.js"));
+            assert!(!val.contains("//www.googletagmanager.com/gtm.js"));
+        } else {
+            panic!(
+                "Expected Replace action for proto-relative snippet, got {:?}",
+                action
+            );
+        }
+
+        // Case 3: Irrelevant script
+        let other_script = "console.log('hello');";
+        let action = IntegrationScriptRewriter::rewrite(&*integration, other_script, &ctx);
+        assert!(matches!(action, ScriptRewriteAction::Keep));
+    }
+
+    #[test]
+    fn test_default_configuration() {
+        let config = GoogleTagManagerConfig {
+            enabled: default_enabled(),
+            container_id: "GTM-DEFAULT".to_string(),
+            upstream_url: default_upstream(),
+            cache_max_age: default_cache_max_age(),
+        };
+
+        assert!(!config.enabled);
+        assert_eq!(config.upstream_url, "https://www.googletagmanager.com");
+    }
+
+    #[test]
+    fn test_upstream_url_logic() {
+        // Default upstream
+        let config_default = GoogleTagManagerConfig {
+            enabled: true,
+            container_id: "GTM-123".to_string(),
+            upstream_url: "".to_string(), // Empty string should fallback to default in accessor
+            cache_max_age: default_cache_max_age(),
+        };
+        let integration_default = GoogleTagManagerIntegration::new(config_default);
+        assert_eq!(
+            integration_default.upstream_url(),
+            "https://www.googletagmanager.com"
+        );
+
+        // Custom upstream
+        let config_custom = GoogleTagManagerConfig {
+            enabled: true,
+            container_id: "GTM-123".to_string(),
+            upstream_url: "https://gtm.example.com".to_string(),
+            cache_max_age: default_cache_max_age(),
+        };
+        let integration_custom = GoogleTagManagerIntegration::new(config_custom);
+        assert_eq!(integration_custom.upstream_url(), "https://gtm.example.com");
+    }
+
+    #[test]
+    fn test_routes_registered() {
+        let config = GoogleTagManagerConfig {
+            enabled: true,
+            container_id: "GTM-TEST".to_string(),
+            upstream_url: default_upstream(),
+            cache_max_age: default_cache_max_age(),
+        };
+        let integration = GoogleTagManagerIntegration::new(config);
+        let routes = integration.routes();
+
+        // GTM.js, Gtag.js (/js and .js), and 4 Collect endpoints (GET/POST for standard & dual-tagging)
+        assert_eq!(routes.len(), 7);
+
+        assert!(routes
+            .iter()
+            .any(|r| r.path == "/integrations/google_tag_manager/gtm.js"));
+        assert!(routes
+            .iter()
+            .any(|r| r.path == "/integrations/google_tag_manager/gtag/js"));
+        assert!(routes
+            .iter()
+            .any(|r| r.path == "/integrations/google_tag_manager/gtag.js"));
+        assert!(routes
+            .iter()
+            .any(|r| r.path == "/integrations/google_tag_manager/collect"));
+        assert!(routes
+            .iter()
+            .any(|r| r.path == "/integrations/google_tag_manager/g/collect"));
+    }
+
+    #[test]
+    fn test_post_collect_proxy_config_includes_payload() {
+        let config = GoogleTagManagerConfig {
+            enabled: true,
+            container_id: "GTM-TEST".to_string(),
+            upstream_url: default_upstream(),
+            cache_max_age: default_cache_max_age(),
+        };
+        let integration = GoogleTagManagerIntegration::new(config);
+
+        let payload = b"v=2&tid=G-TEST&cid=123&en=page_view".to_vec();
+        let mut req = Request::new(
+            Method::POST,
+            "https://edge.example.com/integrations/google_tag_manager/g/collect?v=2&tid=G-TEST",
+        );
+        req.set_body(payload.clone());
+
+        let path = req.get_path().to_string();
+        let target_url = integration
+            .build_target_url(&req, &path)
+            .expect("should resolve collect target URL");
+        let proxy_config = integration.build_proxy_config(&path, &mut req, &target_url);
+
+        assert_eq!(
+            proxy_config.body.as_deref(),
+            Some(payload.as_slice()),
+            "collect POST should forward payload body"
+        );
+    }
+
+    #[test]
+    fn test_collect_proxy_config_strips_client_ip_forwarding() {
+        let config = GoogleTagManagerConfig {
+            enabled: true,
+            container_id: "GTM-TEST".to_string(),
+            upstream_url: default_upstream(),
+            cache_max_age: default_cache_max_age(),
+        };
+        let integration = GoogleTagManagerIntegration::new(config);
+
+        let mut req = Request::new(
+            Method::GET,
+            "https://edge.example.com/integrations/google_tag_manager/collect?v=2",
+        );
+        req.set_header(crate::constants::HEADER_X_FORWARDED_FOR, "198.51.100.42");
+
+        let path = req.get_path().to_string();
+        let target_url = integration
+            .build_target_url(&req, &path)
+            .expect("should resolve collect target URL");
+        let proxy_config = integration.build_proxy_config(&path, &mut req, &target_url);
+
+        // We check if X-Forwarded-For is explicitly overridden with an empty string,
+        // which effectively strips it during proxy forwarding due to header override logic.
+        let has_header_override = proxy_config.headers.iter().any(|(name, value)| {
+            name.as_str()
+                .eq_ignore_ascii_case(crate::constants::HEADER_X_FORWARDED_FOR.as_str())
+                && value.is_empty()
+        });
+
+        assert!(
+            has_header_override,
+            "collect routes should strip client IP by overriding X-Forwarded-For with empty string"
+        );
+    }
+
+    #[test]
+    fn test_gtag_proxy_config_requests_identity_encoding() {
+        let config = GoogleTagManagerConfig {
+            enabled: true,
+            container_id: "GT-123".to_string(),
+            upstream_url: default_upstream(),
+            cache_max_age: default_cache_max_age(),
+        };
+        let integration = GoogleTagManagerIntegration::new(config);
+
+        let mut req = Request::new(
+            Method::GET,
+            "https://edge.example.com/integrations/google_tag_manager/gtag/js?id=G-123",
+        );
+
+        let path = req.get_path().to_string();
+        let target_url = integration
+            .build_target_url(&req, &path)
+            .expect("should resolve gtag target URL");
+        let proxy_config = integration.build_proxy_config(&path, &mut req, &target_url);
+
+        let has_identity = proxy_config.headers.iter().any(|(name, value)| {
+            name == fastly::http::header::ACCEPT_ENCODING && value == "identity"
+        });
+
+        assert!(
+            has_identity,
+            "gtag/js requests should force Accept-Encoding: identity for rewriting"
+        );
+    }
+
+    #[test]
+    fn test_handle_response_rewriting() {
+        let original_body = r#"
+            var x = "https://www.google-analytics.com/collect";
+            var y = "https://www.googletagmanager.com/gtm.js";
+        "#;
+
+        let rewritten = GoogleTagManagerIntegration::rewrite_gtm_urls(original_body);
+
+        assert!(rewritten.contains("/integrations/google_tag_manager/collect"));
+        assert!(rewritten.contains("/integrations/google_tag_manager/gtm.js"));
+        assert!(!rewritten.contains("https://www.google-analytics.com"));
+    }
+
+    fn make_settings() -> Settings {
+        Settings::from_toml(&crate_test_settings_str()).expect("should parse settings")
+    }
+
+    fn config_from_settings(
+        settings: &Settings,
+        registry: &IntegrationRegistry,
+    ) -> HtmlProcessorConfig {
+        HtmlProcessorConfig::from_settings(
+            settings,
+            registry,
+            "origin.example.com",
+            "test.example.com",
+            "https",
+        )
+    }
+
+    #[test]
+    fn test_config_parsing() {
+        let toml_str = r#"
+[publisher]
+domain = "test-publisher.com"
+cookie_domain = ".test-publisher.com"
+origin_url = "https://origin.test-publisher.com"
+proxy_secret = "test-secret"
+
+[synthetic]
+counter_store = "test-counter-store"
+opid_store = "test-opid-store"
+secret_key = "test-secret-key"
+template = "{{client_ip}}:{{user_agent}}"
+
+[integrations.google_tag_manager]
+enabled = true
+container_id = "GTM-PARSED"
+upstream_url = "https://custom.gtm.example"
+"#;
+        let settings = Settings::from_toml(toml_str).expect("should parse TOML");
+        let config = settings
+            .integration_config::<GoogleTagManagerConfig>(GTM_INTEGRATION_ID)
+            .expect("should get config")
+            .expect("should be enabled");
+
+        assert!(config.enabled);
+        assert_eq!(config.container_id, "GTM-PARSED");
+        assert_eq!(config.upstream_url, "https://custom.gtm.example");
+    }
+
+    #[test]
+    fn test_config_defaults() {
+        let toml_str = r#"
+[publisher]
+domain = "test-publisher.com"
+cookie_domain = ".test-publisher.com"
+origin_url = "https://origin.test-publisher.com"
+proxy_secret = "test-secret"
+
+[synthetic]
+counter_store = "test-counter-store"
+opid_store = "test-opid-store"
+secret_key = "test-secret-key"
+template = "{{client_ip}}:{{user_agent}}"
+
+[integrations.google_tag_manager]
+container_id = "GTM-DEFAULT"
+"#;
+        let settings = Settings::from_toml(toml_str).expect("should parse TOML");
+        let config = settings
+            .integration_config::<GoogleTagManagerConfig>(GTM_INTEGRATION_ID)
+            .expect("should get config");
+
+        // Default is now false, so integration_config returns None for disabled
+        // When we explicitly parse the config with container_id but no enabled field,
+        // the config is present but disabled
+        assert!(
+            config.is_none(),
+            "Config with default enabled=false should return None from integration_config"
+        );
+    }
+
+    #[test]
+    fn test_html_processor_pipeline_rewrites_gtm() {
+        let html = r#"<html><head>
+            <script src="https://www.googletagmanager.com/gtm.js?id=GTM-TEST"></script>
+        </head><body></body></html>"#;
+
+        let mut settings = make_settings();
+        // Enable GTM
+        settings
+            .integrations
+            .insert_config(
+                "google_tag_manager",
+                &serde_json::json!({
+                    "enabled": true,
+                    "container_id": "GTM-TEST",
+                    "upstream_url": "https://www.googletagmanager.com"
+                }),
+            )
+            .expect("should update gtm config");
+
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
+        let config = config_from_settings(&settings, &registry);
+        let processor = create_html_processor(config);
+        let pipeline_config = PipelineConfig {
+            input_compression: Compression::None,
+            output_compression: Compression::None,
+            chunk_size: 8192,
+        };
+        let mut pipeline = StreamingPipeline::new(pipeline_config, processor);
+
+        let mut output = Vec::new();
+        let result = pipeline.process(Cursor::new(html.as_bytes()), &mut output);
+        assert!(result.is_ok());
+
+        let processed = String::from_utf8_lossy(&output);
+
+        // Verify rewrite happened
+        assert!(processed.contains("/integrations/google_tag_manager/gtm.js?id=GTM-TEST"));
+        assert!(!processed.contains("https://www.googletagmanager.com/gtm.js"));
+    }
+
+    #[test]
+    fn test_html_processing_with_fixture() {
+        // 1. Configure Settings with GTM enabled
+        let mut settings = make_settings();
+
+        // Use the ID from the fixture: GTM-522ZT3X6
+        settings
+            .integrations
+            .insert_config(
+                "google_tag_manager",
+                &serde_json::json!({
+                    "enabled": true,
+                    "container_id": "GTM-522ZT3X6",
+                    "upstream_url": "https://www.googletagmanager.com"
+                }),
+            )
+            .expect("should update gtm config");
+
+        // 2. Setup Pipeline
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
+        let config = config_from_settings(&settings, &registry);
+        let processor = create_html_processor(config);
+        let pipeline_config = PipelineConfig {
+            input_compression: Compression::None,
+            output_compression: Compression::None,
+            chunk_size: 8192,
+        };
+        let mut pipeline = StreamingPipeline::new(pipeline_config, processor);
+
+        // 3. Load Fixture
+        // Path is relative to this file: ../html_processor.test.html
+        let html_content = include_str!("../html_processor.test.html");
+
+        // 4. Run Pipeline
+        let mut output = Vec::new();
+        let result = pipeline.process(Cursor::new(html_content.as_bytes()), &mut output);
+        assert!(
+            result.is_ok(),
+            "Pipeline processing failed: {:?}",
+            result.err()
+        );
+
+        let processed = String::from_utf8_lossy(&output);
+
+        // 5. Assertions
+
+        // a. Link Preload Rewrite:
+        // Original: <link rel="preload" href="https://www.googletagmanager.com/gtm.js?id=GTM-522ZT3X6" ...
+        // Expected: href="/integrations/google_tag_manager/gtm.js?id=GTM-522ZT3X6"
+        let expected_link = "/integrations/google_tag_manager/gtm.js?id=GTM-522ZT3X6";
+
+        assert!(
+            processed.contains(expected_link),
+            "Link preload tag not rewritten correctly"
+        );
+
+        assert!(
+            !processed.contains("href=\"https://www.googletagmanager.com/gtm.js?id=GTM-522ZT3X6\""),
+            "Original link preload tag should not exist"
+        );
+
+        // b. Noscript Iframe Rewrite
+        // Should NOT be rewritten for ns.html
+        assert!(
+            processed.contains("src=\"https://www.googletagmanager.com/ns.html?id=GTM-522ZT3X6\""),
+            "Noscript iframe src should NOT be rewritten (only gtm.js is targeted)"
+        );
+    }
+
+    #[test]
+    fn test_inline_script_rewriting() {
+        let mut settings = make_settings();
+        settings
+            .integrations
+            .insert_config(
+                "google_tag_manager",
+                &serde_json::json!({
+                    "enabled": true,
+                    "container_id": "GTM-12345",
+                    "upstream_url": "https://www.googletagmanager.com"
+                }),
+            )
+            .expect("should update config");
+
+        // Inlined Pipeline Creation
+        let registry = IntegrationRegistry::new(&settings).expect("should create registry");
+        let config = config_from_settings(&settings, &registry);
+        let processor = create_html_processor(config);
+        let pipeline_config = PipelineConfig {
+            input_compression: Compression::None,
+            output_compression: Compression::None,
+            chunk_size: 8192,
+        };
+        let mut pipeline = StreamingPipeline::new(pipeline_config, processor);
+
+        // Synthetic HTML with inline script
+        let html_input = r#"
+            <html>
+            <head>
+                <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+                new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
+                j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
+                'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
+                })(window,document,'script','dataLayer','GTM-12345');</script>
+            </head>
+            <body></body>
+            </html>
+        "#;
+
+        let mut output = Vec::new();
+        pipeline
+            .process(Cursor::new(html_input.as_bytes()), &mut output)
+            .expect("should process");
+        let processed = String::from_utf8_lossy(&output);
+
+        let expected_src = "/integrations/google_tag_manager/gtm.js";
+
+        assert!(
+            processed.contains(expected_src),
+            "Inline script src not rewritten"
+        );
+
+        assert!(
+            !processed.contains("j.src='https://www.googletagmanager.com/gtm.js"),
+            "Original src should be gone"
+        );
+    }
+
+    #[test]
+    fn test_error_helper() {
+        let err = GoogleTagManagerIntegration::error("test failure");
+        match err {
+            TrustedServerError::Integration {
+                integration,
+                message,
+            } => {
+                assert_eq!(integration, "google_tag_manager");
+                assert_eq!(message, "test failure");
+            }
+            other => panic!("Expected Integration error, got {:?}", other),
+        }
+    }
+}
diff --git a/crates/common/src/integrations/mod.rs b/crates/common/src/integrations/mod.rs
index 464c36dd..7d577577 100644
--- a/crates/common/src/integrations/mod.rs
+++ b/crates/common/src/integrations/mod.rs
@@ -6,6 +6,7 @@ pub mod adserver_mock;
 pub mod aps;
 pub mod datadome;
 pub mod didomi;
+pub mod google_tag_manager;
 pub mod lockr;
 pub mod nextjs;
 pub mod permutive;
@@ -31,6 +32,7 @@ pub(crate) fn builders() -> &'static [IntegrationBuilder] {
         permutive::register,
         lockr::register,
         didomi::register,
+        google_tag_manager::register,
         datadome::register,
     ]
 }
diff --git a/crates/js/lib/src/integrations/google_tag_manager/index.ts b/crates/js/lib/src/integrations/google_tag_manager/index.ts
new file mode 100644
index 00000000..ca73f248
--- /dev/null
+++ b/crates/js/lib/src/integrations/google_tag_manager/index.ts
@@ -0,0 +1,31 @@
+import { log } from '../../core/log';
+
+import { installGtmBeaconGuard } from './script_guard';
+import { installGtmGuard } from './script_guard';
+
+/**
+ * Google Tag Manager integration for tsjs
+ *
+ * Installs guards to intercept GTM and Google Analytics traffic:
+ *
+ * 1. **Script guard** — intercepts dynamically inserted `<script>` and
+ *    `<link>` elements and rewrites their URLs to the first-party proxy.
+ *
+ * 2. **Beacon guard** — intercepts `navigator.sendBeacon()` and `fetch()`
+ *    calls to Google Analytics domains (www.google-analytics.com,
+ *    analytics.google.com) and rewrites them to the first-party proxy.
+ *    This is necessary because gtag.js constructs beacon URLs dynamically
+ *    from bare domain strings, which can't be safely rewritten at the
+ *    script level.
+ *
+ * URLs are rewritten to preserve the original path:
+ * - https://www.googletagmanager.com/gtm.js?id=GTM-XXXX -> /integrations/google_tag_manager/gtm.js?id=GTM-XXXX
+ * - https://www.google-analytics.com/g/collect -> /integrations/google_tag_manager/g/collect
+ * - https://analytics.google.com/g/collect -> /integrations/google_tag_manager/g/collect
+ */
+
+if (typeof window !== 'undefined') {
+  installGtmGuard();
+  installGtmBeaconGuard();
+  log.info('Google Tag Manager integration initialized');
+}
diff --git a/crates/js/lib/src/integrations/google_tag_manager/script_guard.ts b/crates/js/lib/src/integrations/google_tag_manager/script_guard.ts
new file mode 100644
index 00000000..0657c2ae
--- /dev/null
+++ b/crates/js/lib/src/integrations/google_tag_manager/script_guard.ts
@@ -0,0 +1,91 @@
+import { createBeaconGuard } from '../../shared/beacon_guard';
+import { createScriptGuard } from '../../shared/script_guard';
+
+/**
+ * Google Tag Manager Script Interception Guard
+ *
+ * Intercepts dynamically inserted script tags that load GTM or Google Analytics
+ * and rewrites their URLs to use the first-party proxy endpoint. This catches
+ * scripts inserted via appendChild, insertBefore, or any other dynamic DOM
+ * manipulation (e.g. Next.js dynamic imports).
+ *
+ * Built on the shared script_guard factory with custom URL rewriting to preserve
+ * the original path and query string.
+ */
+
+/** Regex to match GTM/GA domains: www.googletagmanager.com, www.google-analytics.com, analytics.google.com */
+const GTM_URL_PATTERN =
+  /^(?:https?:)?(?:\/\/)?(www\.(googletagmanager|google-analytics)\.com|analytics\.google\.com)(?:\/|$)/i;
+
+/**
+ * Check if a URL is a GTM or Google Analytics URL.
+ * Matches the logic from google_tag_manager.rs GTM_URL_PATTERN.
+ *
+ * Valid patterns:
+ * - https://www.googletagmanager.com/gtm.js?id=GTM-XXXX
+ * - https://www.google-analytics.com/g/collect
+ * - https://analytics.google.com/g/collect
+ * - //www.googletagmanager.com/gtm.js?id=GTM-XXXX
+ *
+ * Invalid:
+ * - https://googletagmanager.com/gtm.js (missing www.)
+ * - https://example.com/www.googletagmanager.com (domain mismatch)
+ */
+function isGtmUrl(url: string): boolean {
+  return !!url && GTM_URL_PATTERN.test(url);
+}
+
+/**
+ * Extract the path and query string from a GTM/GA URL.
+ * e.g., "https://www.googletagmanager.com/gtm.js?id=GTM-XXXX" -> "/gtm.js?id=GTM-XXXX"
+ *       "https://www.google-analytics.com/g/collect?v=2" -> "/g/collect?v=2"
+ */
+function extractGtmPath(url: string): string {
+  try {
+    const normalizedUrl = url.startsWith('//')
+      ? `https:${url}`
+      : url.startsWith('http')
+        ? url
+        : `https://${url}`;
+
+    const parsed = new URL(normalizedUrl);
+    return parsed.pathname + parsed.search;
+  } catch {
+    // Fallback: extract path after the domain
+    console.debug('[GTM Guard] URL parsing failed, using fallback for:', url);
+    const match = url.match(
+      /(?:www\.(?:googletagmanager|google-analytics)\.com|analytics\.google\.com)(\/[^'"\s]*)/i
+    );
+    return match?.[1] || '/gtm.js';
+  }
+}
+
+/**
+ * Rewrite a GTM/GA URL to the first-party proxy path.
+ */
+function rewriteGtmUrl(originalUrl: string): string {
+  return `${window.location.origin}/integrations/google_tag_manager${extractGtmPath(originalUrl)}`;
+}
+
+const guard = createScriptGuard({
+  name: 'GTM',
+  isTargetUrl: isGtmUrl,
+  rewriteUrl: rewriteGtmUrl,
+});
+
+const beaconGuard = createBeaconGuard({
+  name: 'GTM',
+  isTargetUrl: isGtmUrl,
+  rewriteUrl: rewriteGtmUrl,
+});
+
+export const installGtmGuard = guard.install;
+export const isGuardInstalled = guard.isInstalled;
+export const resetGuardState = guard.reset;
+
+export const installGtmBeaconGuard = beaconGuard.install;
+export const isBeaconGuardInstalled = beaconGuard.isInstalled;
+export const resetBeaconGuardState = beaconGuard.reset;
+
+// Export for testing
+export { isGtmUrl, extractGtmPath, rewriteGtmUrl };
diff --git a/crates/js/lib/src/shared/beacon_guard.ts b/crates/js/lib/src/shared/beacon_guard.ts
new file mode 100644
index 00000000..5942209f
--- /dev/null
+++ b/crates/js/lib/src/shared/beacon_guard.ts
@@ -0,0 +1,123 @@
+import { log } from '../core/log';
+
+/**
+ * Shared Beacon Guard Factory
+ *
+ * Creates a network interception guard that patches `navigator.sendBeacon`
+ * and `window.fetch` to intercept outgoing beacon/analytics requests whose
+ * URLs match an integration's target domains. Matched URLs are rewritten to
+ * a first-party proxy endpoint.
+ *
+ * This complements the script_guard (which intercepts DOM insertions) by
+ * handling the _runtime_ network calls that analytics SDKs use to send data.
+ *
+ * Each call to createBeaconGuard() produces an independent guard with its
+ * own installation state, so multiple integrations can coexist.
+ */
+
+export interface BeaconGuardConfig {
+  /** Integration name used in log messages (e.g. "GTM"). */
+  name: string;
+  /** Return true if the URL belongs to this integration's analytics domain. */
+  isTargetUrl: (url: string) => boolean;
+  /** Rewrite the original URL to a first-party proxy URL. */
+  rewriteUrl: (url: string) => string;
+}
+
+export interface BeaconGuard {
+  /** Patch sendBeacon/fetch to intercept matching beacon requests. */
+  install: () => void;
+  /** Whether the guard has already been installed. */
+  isInstalled: () => boolean;
+  /** Reset installation state (primarily for testing). */
+  reset: () => void;
+}
+
+/**
+ * Extract a URL string from the various input types that fetch() accepts.
+ * Returns null if the input can't be resolved to a URL string.
+ */
+function extractUrl(input: RequestInfo | URL): string | null {
+  if (typeof input === 'string') {
+    return input;
+  }
+  if (input instanceof URL) {
+    return input.href;
+  }
+  if (input instanceof Request) {
+    return input.url;
+  }
+  return null;
+}
+
+/**
+ * Create an independent beacon guard for a specific integration.
+ */
+export function createBeaconGuard(config: BeaconGuardConfig): BeaconGuard {
+  let installed = false;
+  const prefix = `${config.name} beacon guard`;
+
+  function install(): void {
+    if (installed) {
+      log.debug(`${prefix}: already installed, skipping`);
+      return;
+    }
+
+    if (typeof window === 'undefined') {
+      log.debug(`${prefix}: not in browser environment, skipping`);
+      return;
+    }
+
+    log.info(`${prefix}: installing network interception`);
+
+    // --- Patch navigator.sendBeacon ---
+    if (typeof navigator !== 'undefined' && typeof navigator.sendBeacon === 'function') {
+      const originalSendBeacon = navigator.sendBeacon.bind(navigator);
+
+      navigator.sendBeacon = function (url: string, data?: BodyInit | null): boolean {
+        if (config.isTargetUrl(url)) {
+          const rewritten = config.rewriteUrl(url);
+          log.info(`${prefix}: rewriting sendBeacon`, { original: url, rewritten });
+          return originalSendBeacon(rewritten, data);
+        }
+        return originalSendBeacon(url, data);
+      };
+    }
+
+    // --- Patch window.fetch ---
+    if (typeof window.fetch === 'function') {
+      const originalFetch = window.fetch.bind(window);
+
+      window.fetch = function (input: RequestInfo | URL, init?: RequestInit): Promise<Response> {
+        const url = extractUrl(input);
+
+        if (url && config.isTargetUrl(url)) {
+          const rewritten = config.rewriteUrl(url);
+          log.info(`${prefix}: rewriting fetch`, { original: url, rewritten });
+
+          // If the input was a Request, create a new one with the rewritten URL
+          if (input instanceof Request) {
+            const newRequest = new Request(rewritten, input);
+            return originalFetch(newRequest, init);
+          }
+          return originalFetch(rewritten, init);
+        }
+
+        return originalFetch(input, init);
+      };
+    }
+
+    installed = true;
+    log.info(`${prefix}: network interception installed successfully`);
+  }
+
+  function isInstalled(): boolean {
+    return installed;
+  }
+
+  function reset(): void {
+    installed = false;
+  }
+
+  return { install, isInstalled, reset };
+}
diff --git a/crates/js/lib/test/integrations/google_tag_manager/script_guard.test.ts b/crates/js/lib/test/integrations/google_tag_manager/script_guard.test.ts
new file mode 100644
index 00000000..7b7d70b6
--- /dev/null
+++ b/crates/js/lib/test/integrations/google_tag_manager/script_guard.test.ts
@@ -0,0 +1,402 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import {
+  installGtmGuard,
+  isGuardInstalled,
+  resetGuardState,
+  isGtmUrl,
+  extractGtmPath,
+  rewriteGtmUrl,
+  installGtmBeaconGuard,
+  isBeaconGuardInstalled,
+  resetBeaconGuardState,
+} from '../../../src/integrations/google_tag_manager/script_guard';
+
+describe('GTM Script Interception Guard', () => {
+  let originalAppendChild: typeof Element.prototype.appendChild;
+  let originalInsertBefore: typeof Element.prototype.insertBefore;
+
+  beforeEach(() => {
+    originalAppendChild = Element.prototype.appendChild;
+    originalInsertBefore = Element.prototype.insertBefore;
+    resetGuardState();
+  });
+
+  afterEach(() => {
+    Element.prototype.appendChild = originalAppendChild;
+    Element.prototype.insertBefore = originalInsertBefore;
+    resetGuardState();
+  });
+
+  describe('isGtmUrl', () => {
+    it('should detect www.googletagmanager.com URLs', () => {
+      expect(isGtmUrl('https://www.googletagmanager.com/gtm.js?id=GTM-XXXX')).toBe(true);
+      expect(isGtmUrl('https://www.googletagmanager.com/gtag/js?id=G-XXXX')).toBe(true);
+      expect(isGtmUrl('//www.googletagmanager.com/gtm.js?id=GTM-XXXX')).toBe(true);
+      expect(isGtmUrl('http://www.googletagmanager.com/gtm.js?id=GTM-XXXX')).toBe(true);
+    });
+
+    it('should detect www.google-analytics.com URLs', () => {
+      expect(isGtmUrl('https://www.google-analytics.com/collect')).toBe(true);
+      expect(isGtmUrl('https://www.google-analytics.com/g/collect')).toBe(true);
+      expect(isGtmUrl('//www.google-analytics.com/collect')).toBe(true);
+    });
+
+    it('should be case-insensitive', () => {
+      expect(isGtmUrl('https://WWW.GOOGLETAGMANAGER.COM/gtm.js')).toBe(true);
+      expect(isGtmUrl('https://WWW.GOOGLE-ANALYTICS.COM/collect')).toBe(true);
+    });
+
+    it('should not match without www prefix', () => {
+      expect(isGtmUrl('https://googletagmanager.com/gtm.js')).toBe(false);
+      expect(isGtmUrl('https://google-analytics.com/collect')).toBe(false);
+    });
+
+    it('should not match non-Google URLs', () => {
+      expect(isGtmUrl('https://example.com/gtm.js')).toBe(false);
+      expect(isGtmUrl('https://cdn.example.com/www.googletagmanager.com.js')).toBe(false);
+    });
+
+    it('should handle empty and null values', () => {
+      expect(isGtmUrl('')).toBe(false);
+      expect(isGtmUrl(null as unknown as string)).toBe(false);
+      expect(isGtmUrl(undefined as unknown as string)).toBe(false);
+    });
+  });
+
+  describe('extractGtmPath', () => {
+    it('should extract path from GTM URLs', () => {
+      expect(extractGtmPath('https://www.googletagmanager.com/gtm.js')).toBe('/gtm.js');
+      expect(extractGtmPath('https://www.googletagmanager.com/gtag/js')).toBe('/gtag/js');
+    });
+
+    it('should extract path from GA URLs', () => {
+      expect(extractGtmPath('https://www.google-analytics.com/collect')).toBe('/collect');
+      expect(extractGtmPath('https://www.google-analytics.com/g/collect')).toBe('/g/collect');
+    });
+
+    it('should extract path from protocol-relative URLs', () => {
+      expect(extractGtmPath('//www.googletagmanager.com/gtm.js')).toBe('/gtm.js');
+      expect(extractGtmPath('//www.google-analytics.com/g/collect')).toBe('/g/collect');
+    });
+
+    it('should preserve query strings', () => {
+      expect(extractGtmPath('https://www.googletagmanager.com/gtm.js?id=GTM-XXXX')).toBe(
+        '/gtm.js?id=GTM-XXXX'
+      );
+      expect(extractGtmPath('https://www.google-analytics.com/g/collect?v=2&tid=G-TEST')).toBe(
+        '/g/collect?v=2&tid=G-TEST'
+      );
+    });
+
+    it('should handle bare domain', () => {
+      expect(extractGtmPath('https://www.googletagmanager.com')).toBe('/');
+      expect(extractGtmPath('https://www.googletagmanager.com/')).toBe('/');
+    });
+  });
+
+  describe('rewriteGtmUrl', () => {
+    it('should rewrite GTM script URL to first-party', () => {
+      const rewritten = rewriteGtmUrl('https://www.googletagmanager.com/gtm.js?id=GTM-XXXX');
+      expect(rewritten).toContain('/integrations/google_tag_manager/gtm.js?id=GTM-XXXX');
+      expect(rewritten).toContain(window.location.host);
+    });
+
+    it('should rewrite GA collect URL to first-party', () => {
+      const rewritten = rewriteGtmUrl('https://www.google-analytics.com/g/collect?v=2');
+      expect(rewritten).toContain('/integrations/google_tag_manager/g/collect?v=2');
+    });
+
+    it('should preserve query strings', () => {
+      const rewritten = rewriteGtmUrl(
+        'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX&l=dataLayer'
+      );
+      expect(rewritten).toContain(
+        '/integrations/google_tag_manager/gtm.js?id=GTM-XXXX&l=dataLayer'
+      );
+    });
+  });
+
+  describe('installGtmGuard', () => {
+    it('should install the guard successfully', () => {
+      expect(isGuardInstalled()).toBe(false);
+      installGtmGuard();
+      expect(isGuardInstalled()).toBe(true);
+    });
+
+    it('should not install twice', () => {
+      installGtmGuard();
+      const firstInstall = Element.prototype.appendChild;
+      installGtmGuard();
+      const secondInstall = Element.prototype.appendChild;
+      expect(firstInstall).toBe(secondInstall);
+    });
+
+    it('should patch Element.prototype.appendChild', () => {
+      installGtmGuard();
+      expect(Element.prototype.appendChild).not.toBe(originalAppendChild);
+    });
+
+    it('should patch Element.prototype.insertBefore', () => {
+      installGtmGuard();
+      expect(Element.prototype.insertBefore).not.toBe(originalInsertBefore);
+    });
+  });
+
+  describe('appendChild interception', () => {
+    it('should rewrite GTM script URL', () => {
+      installGtmGuard();
+
+      const container = document.createElement('div');
+      const script = document.createElement('script');
+      script.src = 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX';
+
+      container.appendChild(script);
+
+      expect(script.src).toContain('/integrations/google_tag_manager/gtm.js?id=GTM-XXXX');
+      expect(script.src).not.toContain('googletagmanager.com');
+    });
+
+    it('should rewrite Google Analytics script URL', () => {
+      installGtmGuard();
+
+      const container = document.createElement('div');
+      const script = document.createElement('script');
+      script.src = 'https://www.google-analytics.com/g/collect';
+
+      container.appendChild(script);
+
+      expect(script.src).toContain('/integrations/google_tag_manager/g/collect');
+      expect(script.src).not.toContain('google-analytics.com');
+    });
+
+    it('should not rewrite non-GTM scripts', () => {
+      installGtmGuard();
+
+      const container = document.createElement('div');
+      const script = document.createElement('script');
+      script.src = 'https://example.com/some-script.js';
+
+      container.appendChild(script);
+
+      expect(script.src).toBe('https://example.com/some-script.js');
+    });
+
+    it('should not affect non-script elements', () => {
+      installGtmGuard();
+
+      const container = document.createElement('div');
+      const img = document.createElement('img');
+      img.src = 'https://www.googletagmanager.com/image.png';
+
+      container.appendChild(img);
+
+      expect(img.src).toBe('https://www.googletagmanager.com/image.png');
+    });
+
+    it('should preserve other script attributes', () => {
+      installGtmGuard();
+
+      const container = document.createElement('div');
+      const script = document.createElement('script');
+      script.setAttribute('async', '');
+      script.setAttribute('data-nscript', 'afterInteractive');
+      script.src = 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX';
+
+      container.appendChild(script);
+
+      expect(script.getAttribute('async')).toBe('');
+      expect(script.getAttribute('data-nscript')).toBe('afterInteractive');
+    });
+  });
+
+  describe('insertBefore interception', () => {
+    it('should rewrite GTM script URL', () => {
+      installGtmGuard();
+
+      const container = document.createElement('div');
+      const reference = document.createElement('div');
+      container.appendChild(reference);
+
+      const script = document.createElement('script');
+      script.src = 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX';
+
+      container.insertBefore(script, reference);
+
+      expect(script.src).toContain('/integrations/google_tag_manager/gtm.js?id=GTM-XXXX');
+      expect(script.src).not.toContain('googletagmanager.com');
+    });
+
+    it('should work with null reference node', () => {
+      installGtmGuard();
+
+      const container = document.createElement('div');
+      const script = document.createElement('script');
+      script.src = 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX';
+
+      container.insertBefore(script, null);
+
+      expect(script.src).toContain('/integrations/google_tag_manager/gtm.js?id=GTM-XXXX');
+    });
+  });
+
+  describe('link preload interception', () => {
+    it('should rewrite GTM preload link', () => {
+      installGtmGuard();
+
+      const container = document.createElement('div');
+      const link = document.createElement('link');
+      link.setAttribute('rel', 'preload');
+      link.setAttribute('as', 'script');
+      link.href = 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX';
+
+      container.appendChild(link);
+
+      expect(link.href).toContain('/integrations/google_tag_manager/gtm.js?id=GTM-XXXX');
+      expect(link.href).not.toContain('googletagmanager.com');
+    });
+
+    it('should not rewrite preload links without as="script"', () => {
+      installGtmGuard();
+
+      const container = document.createElement('div');
+      const link = document.createElement('link');
+      link.setAttribute('rel', 'preload');
+      link.setAttribute('as', 'style');
+      link.href = 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX';
+
+      container.appendChild(link);
+
+      expect(link.href).toBe('https://www.googletagmanager.com/gtm.js?id=GTM-XXXX');
+    });
+
+    it('should not rewrite non-GTM preload links', () => {
+      installGtmGuard();
+
+      const container = document.createElement('div');
+      const link = document.createElement('link');
+      link.setAttribute('rel', 'preload');
+      link.setAttribute('as', 'script');
+      link.href = 'https://example.com/other-script.js';
+
+      container.appendChild(link);
+
+      expect(link.href).toBe('https://example.com/other-script.js');
+    });
+  });
+
+  describe('integration scenarios', () => {
+    it('should handle the standard GTM snippet pattern (dynamic script creation)', () => {
+      installGtmGuard();
+
+      // Simulates the standard GTM snippet: j.src='https://www.googletagmanager.com/gtm.js?id='+i
+      const container = document.createElement('div');
+      const script = document.createElement('script');
+      script.async = true;
+      script.src = 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX';
+
+      container.appendChild(script);
+
+      expect(script.src).toContain('/integrations/google_tag_manager/gtm.js?id=GTM-XXXX');
+      expect(script.async).toBe(true);
+    });
+
+    it('should handle multiple script insertions', () => {
+      installGtmGuard();
+
+      const container = document.createElement('div');
+
+      const script1 = document.createElement('script');
+      script1.src = 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX';
+
+      const script2 = document.createElement('script');
+      script2.src = 'https://example.com/other.js';
+
+      container.appendChild(script1);
+      container.appendChild(script2);
+
+      expect(script1.src).toContain('/integrations/google_tag_manager/gtm.js?id=GTM-XXXX');
+      expect(script2.src).toBe('https://example.com/other.js');
+    });
+  });
+});
+
+describe('GTM Beacon Guard', () => {
+  let originalSendBeacon: typeof navigator.sendBeacon;
+  let originalFetch: typeof window.fetch;
+  let sendBeaconSpy: ReturnType<typeof vi.fn>;
+  let fetchSpy: ReturnType<typeof vi.fn>;
+
+  beforeEach(() => {
+    originalSendBeacon = navigator.sendBeacon;
+    originalFetch = window.fetch;
+
+    sendBeaconSpy = vi.fn((_url: string | URL, _data?: BodyInit | null) => true);
+    navigator.sendBeacon = sendBeaconSpy;
+
+    fetchSpy = vi.fn((_input: RequestInfo | URL, _init?: RequestInit) =>
+      Promise.resolve(new Response('', { status: 200 }))
+    );
+    window.fetch = fetchSpy;
+
+    resetBeaconGuardState();
+  });
+
+  afterEach(() => {
+    navigator.sendBeacon = originalSendBeacon;
+    window.fetch = originalFetch;
+    resetBeaconGuardState();
+  });
+
+  it('should install the beacon guard', () => {
+    expect(isBeaconGuardInstalled()).toBe(false);
+    installGtmBeaconGuard();
+    expect(isBeaconGuardInstalled()).toBe(true);
+  });
+
+  it('should rewrite sendBeacon to www.google-analytics.com', () => {
+    installGtmBeaconGuard();
+
+    navigator.sendBeacon('https://www.google-analytics.com/g/collect?v=2&tid=G-JGPCNWGVHC', '');
+
+    const calledUrl = sendBeaconSpy.mock.calls[0][0];
+    expect(calledUrl).toContain('/integrations/google_tag_manager/g/collect');
+    expect(calledUrl).not.toContain('google-analytics.com');
+  });
+
+  it('should rewrite sendBeacon to analytics.google.com', () => {
+    installGtmBeaconGuard();
+
+    navigator.sendBeacon('https://analytics.google.com/g/collect?v=2&tid=G-DQMZGMPHXN', '');
+
+    const calledUrl = sendBeaconSpy.mock.calls[0][0];
+    expect(calledUrl).toContain('/integrations/google_tag_manager/g/collect');
+    expect(calledUrl).not.toContain('analytics.google.com');
+  });
+
+  it('should rewrite fetch to www.google-analytics.com', async () => {
+    installGtmBeaconGuard();
+
+    await window.fetch('https://www.google-analytics.com/g/collect?v=2&tid=G-TEST');
+
+    const calledUrl = fetchSpy.mock.calls[0][0];
+    expect(calledUrl).toContain('/integrations/google_tag_manager/g/collect');
+    expect(calledUrl).not.toContain('google-analytics.com');
+  });
+
+  it('should not rewrite non-GA URLs', () => {
+    installGtmBeaconGuard();
+
+    navigator.sendBeacon('https://other-analytics.com/track', 'data');
+
+    expect(sendBeaconSpy).toHaveBeenCalledWith('https://other-analytics.com/track', 'data');
+  });
+
+  it('should preserve query parameters', () => {
+    installGtmBeaconGuard();
+
+    navigator.sendBeacon('https://www.google-analytics.com/g/collect?v=2&tid=G-TEST&cid=123', '');
+
+    const calledUrl = sendBeaconSpy.mock.calls[0][0];
+    expect(calledUrl).toContain('v=2&tid=G-TEST&cid=123');
+  });
+});
diff --git a/crates/js/lib/test/shared/beacon_guard.test.ts b/crates/js/lib/test/shared/beacon_guard.test.ts
new file mode 100644
index 00000000..9ade2338
--- /dev/null
+++ b/crates/js/lib/test/shared/beacon_guard.test.ts
@@ -0,0 +1,168 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import { createBeaconGuard, BeaconGuardConfig } from '../../src/shared/beacon_guard';
+
+describe('Beacon Guard', () => {
+  let originalSendBeacon: typeof navigator.sendBeacon;
+  let originalFetch: typeof window.fetch;
+  let sendBeaconSpy: ReturnType<typeof vi.fn>;
+  let fetchSpy: ReturnType<typeof vi.fn>;
+  let config: BeaconGuardConfig;
+
+  beforeEach(() => {
+    // Save originals
+    originalSendBeacon = navigator.sendBeacon;
+    originalFetch = window.fetch;
+
+    // Create spies that simulate real sendBeacon/fetch behaviour
+    sendBeaconSpy = vi.fn((_url: string | URL, _data?: BodyInit | null) => true);
+    navigator.sendBeacon = sendBeaconSpy;
+
+    fetchSpy = vi.fn((_input: RequestInfo | URL, _init?: RequestInit) =>
+      Promise.resolve(new Response('', { status: 200 }))
+    );
+    window.fetch = fetchSpy;
+
+    config = {
+      name: 'Test',
+      isTargetUrl: (url: string) => url.includes('analytics.example.com'),
+      rewriteUrl: (url: string) =>
+        url.replace(/https?:\/\/analytics\.example\.com/, 'http://localhost/proxy'),
+    };
+  });
+
+  afterEach(() => {
+    navigator.sendBeacon = originalSendBeacon;
+    window.fetch = originalFetch;
+  });
+
+  describe('createBeaconGuard', () => {
+    it('should return install/isInstalled/reset interface', () => {
+      const guard = createBeaconGuard(config);
+      expect(guard).toHaveProperty('install');
+      expect(guard).toHaveProperty('isInstalled');
+      expect(guard).toHaveProperty('reset');
+    });
+
+    it('should start as not installed', () => {
+      const guard = createBeaconGuard(config);
+      expect(guard.isInstalled()).toBe(false);
+    });
+
+    it('should mark as installed after install()', () => {
+      const guard = createBeaconGuard(config);
+      guard.install();
+      expect(guard.isInstalled()).toBe(true);
+    });
+
+    it('should be idempotent', () => {
+      const guard = createBeaconGuard(config);
+      guard.install();
+      const patchedSendBeacon = navigator.sendBeacon;
+      guard.install(); // second install
+      // Should not double-patch
+      expect(navigator.sendBeacon).toBe(patchedSendBeacon);
+    });
+  });
+
+  describe('sendBeacon interception', () => {
+    it('should rewrite matching sendBeacon URLs', () => {
+      const guard = createBeaconGuard(config);
+      guard.install();
+
+      navigator.sendBeacon('https://analytics.example.com/g/collect?v=2', '');
+
+      expect(sendBeaconSpy).toHaveBeenCalledWith('http://localhost/proxy/g/collect?v=2', '');
+    });
+
+    it('should pass through non-matching sendBeacon URLs', () => {
+      const guard = createBeaconGuard(config);
+      guard.install();
+
+      navigator.sendBeacon('https://other.example.com/track', 'data');
+
+      expect(sendBeaconSpy).toHaveBeenCalledWith('https://other.example.com/track', 'data');
+    });
+
+    it('should forward body data', () => {
+      const guard = createBeaconGuard(config);
+      guard.install();
+
+      const body = JSON.stringify({ event: 'page_view' });
+      navigator.sendBeacon('https://analytics.example.com/collect', body);
+
+      expect(sendBeaconSpy).toHaveBeenCalledWith('http://localhost/proxy/collect', body);
+    });
+  });
+
+  describe('fetch interception', () => {
+    it('should rewrite matching fetch URLs (string input)', async () => {
+      const guard = createBeaconGuard(config);
+      guard.install();
+
+      await window.fetch('https://analytics.example.com/g/collect?v=2');
+
+      expect(fetchSpy).toHaveBeenCalledWith('http://localhost/proxy/g/collect?v=2', undefined);
+    });
+
+    it('should pass through non-matching fetch URLs', async () => {
+      const guard = createBeaconGuard(config);
+      guard.install();
+
+      await window.fetch('https://other.example.com/api');
+
+      expect(fetchSpy).toHaveBeenCalledWith('https://other.example.com/api', undefined);
+    });
+
+    it('should forward RequestInit options', async () => {
+      const guard = createBeaconGuard(config);
+      guard.install();
+
+      const init: RequestInit = { method: 'POST', body: 'payload' };
+      await window.fetch('https://analytics.example.com/collect', init);
+
+      expect(fetchSpy).toHaveBeenCalledWith('http://localhost/proxy/collect', init);
+    });
+
+    it('should handle Request object input', async () => {
+      const guard = createBeaconGuard(config);
+      guard.install();
+
+      const request = new Request('https://analytics.example.com/g/collect?tid=G-TEST');
+      await window.fetch(request);
+
+      // The spy should receive a new Request with the rewritten URL
+      const calledArg = fetchSpy.mock.calls[0][0];
+      expect(calledArg).toBeInstanceOf(Request);
+      expect(calledArg.url).toContain('/proxy/g/collect?tid=G-TEST');
+    });
+
+    it('should handle URL object input', async () => {
+      const guard = createBeaconGuard(config);
+      guard.install();
+
+      const url = new URL('https://analytics.example.com/g/collect');
+      await window.fetch(url);
+
+      expect(fetchSpy).toHaveBeenCalledWith('http://localhost/proxy/g/collect', undefined);
+    });
+  });
+
+  describe('multiple guards', () => {
+    it('should allow independent guards to coexist', () => {
+      const config2: BeaconGuardConfig = {
+        name: 'Other',
+        isTargetUrl: (url: string) => url.includes('other-tracker.com'),
+        rewriteUrl: (url: string) => url.replace(/https?:\/\/other-tracker\.com/, '/other-proxy'),
+      };
+
+      const guard1 = createBeaconGuard(config);
+      const guard2 = createBeaconGuard(config2);
+
+      guard1.install();
+      guard2.install();
+
+      expect(guard1.isInstalled()).toBe(true);
+      expect(guard2.isInstalled()).toBe(true);
+    });
+  });
+});
diff --git a/docs/guide/integrations/google_tag_manager.md b/docs/guide/integrations/google_tag_manager.md
new file mode 100644
index 00000000..d69718be
--- /dev/null
+++ b/docs/guide/integrations/google_tag_manager.md
@@ -0,0 +1,181 @@
+# Google Tag Manager Integration
+
+**Category**: Tag Management
+**Status**: Production
+**Type**: First-Party Tag Gateway
+
+## Overview
+
+The Google Tag Manager (GTM) integration enables Trusted Server to act as a first-party proxy for GTM scripts and analytics beacons. This improves performance, tracking accuracy, and privacy control by serving these assets from your own domain.
+
+## What is the Tag Gateway?
+
+The Tag Gateway intercepts requests for GTM scripts (`gtm.js`) and Google Analytics beacons (`collect`). Instead of the user's browser connecting directly to Google content servers, it connects to your Trusted Server. Trusted Server then fetches the content from Google and serves it back to the user.
+
+**Benefits**:
+
+- **Bypass Ad Blockers**: Serving scripts from a first-party domain can prevent them from being blocked by some ad blockers and privacy extensions.
+- **Extended Cookie Life**: First-party cookies set by these scripts are more durable in environments like Safari (ITP).
+- **Performance**: Utilize edge caching for scripts.
+- **Privacy Enhancement**: Does not forward client IP to Google (Google sees edge server IP, not user IP).
+
+## Configuration
+
+Add the GTM configuration to `trusted-server.toml`:
+
+```toml
+[integrations.google_tag_manager]
+enabled = true
+container_id = "GTM-XXXXXX"
+# upstream_url = "https://www.googletagmanager.com" # Optional override
+```
+
+### Configuration Options
+
+| Field          | Type    | Required | Description                                   |
+| -------------- | ------- | -------- | --------------------------------------------- |
+| `enabled`      | boolean | No       | Enable/disable integration (default: `false`) |
+| `container_id` | string  | Yes      | Your GTM Container ID (e.g., `GTM-A1B2C3`)    |
+| `upstream_url` | string  | No       | Custom upstream URL (advanced usage)          |
+
+## How It Works
+
+```mermaid
+flowchart TD
+  user["User Browser"]
+  server["Trusted Server"]
+  google["Google Servers<br/>(gtm.js, collect)"]
+
+  user -- "1. Request HTML" --> server
+  server -- "2. Rewrite HTML<br/>(src=/integrations/...)" --> user
+  user -- "3. Request Script<br/>(gtm.js w/ ID)" --> server
+  server -- "4. Fetch Script" --> google
+  google -- "5. Return Script" --> server
+  server -- "6. Rewrite Script Content<br/>(replace www.google-analytics.com)" --> user
+  user -- "7. Send Beacon<br/>(/collect w/ data)" --> server
+  server -- "8. Proxy Beacon" --> google
+```
+
+### 1. Script Rewriting
+
+When Trusted Server processes an HTML response, it automatically rewrites GTM script tags to point to the local proxy:
+
+**Before:**
+
+```html
+<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX"></script>
+```
+
+**After:**
+
+```html
+<script src="/integrations/google_tag_manager/gtm.js?id=GTM-XXXXXX"></script>
+```
+
+### 2. Script Proxying
+
+The proxy intercepts requests for the GTM library and modifies it on-the-fly. This is critical for First-Party context.
+
+1.  **Fetch**: Retrieves the original `gtm.js` from Google.
+2.  **Rewrite**: Replaces hardcoded references to `www.google-analytics.com` and `www.googletagmanager.com` with the local proxy path.
+3.  **Serve**: Returns the modified script with correct caching headers.
+
+### 3. Beacon Proxying
+
+Analytics data (events, pageviews) normally sent to `google-analytics.com/collect` are now routed to:
+
+`https://your-server.com/integrations/google_tag_manager/collect`
+
+Trusted Server acts as a privacy-enhancing gateway. Client IP addresses are not forwarded to Google — Google sees only the edge server IP, not the actual user IP.
+
+## Core Endpoints
+
+### `GET .../gtm.js` - Script Proxy
+
+Proxies the Google Tag Manager library.
+
+**Request**:
+
+```
+GET /integrations/google_tag_manager/gtm.js?id=GTM-XXXXXX
+```
+
+**Behavior**:
+
+- Proxies to `https://www.googletagmanager.com/gtm.js`
+- Rewrites internal URLs to use the first-party proxy
+- Sets `Accept-Encoding: identity` during fetch to ensure rewriteable text response
+
+### `GET .../gtag/js` - GA4 Tag Proxy
+
+Proxies the Google Analytics 4 tag library (gtag.js).
+
+**Request**:
+
+```
+GET /integrations/google_tag_manager/gtag/js?id=G-XXXXXXXX
+```
+
+**Behavior**:
+
+- Proxies to `https://www.googletagmanager.com/gtag/js`
+- Rewrites internal URLs to use the first-party proxy
+- Sets `Accept-Encoding: identity` during fetch to ensure rewriteable text response
+
+### `GET/POST .../collect` - Analytics Beacon
+
+Proxies analytics events (GA4/UA).
+
+**Request**:
+
+```
+POST /integrations/google_tag_manager/g/collect?v=2&...
+```
+
+**Behavior**:
+
+- Proxies to `https://www.google-analytics.com/g/collect`
+- Forwarding: User-Agent, Referer, Payload
+- Privacy: Does NOT forward client IP (Google sees Trusted Server IP)
+
+## Performance & Caching
+
+### Compression
+
+The integration requires the upstream `gtm.js` to be uncompressed to perform string replacement. Trusted Server fetches it with `Accept-Encoding: identity`.
+
+_Note: Trusted Server will re-compress the response (gzip/brotli) before sending it to the user if the `compression` feature is enabled._
+
+### Direct Proxying
+
+Beacon requests (`/collect`) are proxied directly using streaming, minimizing latency overhead.
+
+## Manual Verification
+
+You can verify the integration using `curl`:
+
+**Test Script Result**:
+
+```bash
+curl -v "http://localhost:8080/integrations/google_tag_manager/gtm.js?id=GTM-XXXXXX"
+```
+
+_Expected_: `200 OK`. Body should contain `/integrations/google_tag_manager` instead of `google-analytics.com`.
+
+**Test Beacon Result**:
+
+```bash
+curl -v -X POST "http://localhost:8080/integrations/google_tag_manager/g/collect?v=2&tid=G-TEST"
+```
+
+_Expected_: `200 OK` (or 204).
+
+## Implementation Details
+
+See [crates/common/src/integrations/google_tag_manager.rs](https://github.com/IABTechLab/trusted-server/blob/main/crates/common/src/integrations/google_tag_manager.rs).
+
+## Next Steps
+
+- Review [Prebid Integration](/guide/integrations/prebid) for header bidding.
+- Check [Configuration Guide](/guide/configuration) for other integration settings.
+- Learn more about [Synthetic IDs](/guide/synthetic-ids) which are generated alongside this integration.
diff --git a/trusted-server.toml b/trusted-server.toml
index 5ad18888..1d3de4bd 100644
--- a/trusted-server.toml
+++ b/trusted-server.toml
@@ -116,6 +116,11 @@ pub_id = "your-aps-publisher-id"
 endpoint = "https://origin-mocktioneer.cdintel.com/e/dtb/bid"
 timeout_ms = 1000
 
+[integrations.google_tag_manager]
+enabled = false
+container_id = "GTM-XXXXXX"
+# upstream_url = "https://www.googletagmanager.com"
+
 [integrations.adserver_mock]
 enabled = false
 endpoint = "https://origin-mocktioneer.cdintel.com/adserver/mediate"