Architecture · Draft
First-Party Tag Relay (Kobi Relay) — Phase 2+
Status: Deferred — not v1 scope. v1 uses API-provisioned pixels/CAPI plus implementation guide. This doc captures the recommended later architecture, cloud choice, and cost bands for planning.
Problem
| Issue | v1 approach | Relay approach (later) |
|---|---|---|
| Third-party cookie limits | CAPI + manual/GTM guide | First-party subdomain cookies |
| Client installs many pixels | Per-platform guide | One DNS + one script |
| Ad blockers | Platform domains blocked | Requests to metrics.client.com |
| Ops at scale | Per-tenant GTM publish | Kobi-operated fan-out |
Client effort (target)
| Step | Who | Once per tenant? |
|---|---|---|
CNAME metrics.{client-domain} → Kobi edge |
Client DNS | Yes |
| One loader snippet (or GTM import that loads it) | Client site / CMS | Yes |
| Consent (existing CMP or Kobi banner) | Client approves copy; Kobi implements gating | Yes for EEA/UK/TR — see Consent management |
Not required: Meta pixel, TikTok pixel, separate GTM publish per platform, client payment or platform billing.
Architecture options
A — Kobi Relay (preferred product path)
- Browser: thin loader collects page context, click IDs, consent,
event_id - Edge: TLS for client hostname, rate limit, WAF
- Relay: normalize vertical templates, dedup, hash PII, fan-out (same APIs as v1 CAPI relay)
B — Hosted server-side GTM (alternative SKU)
Same CNAME; origin runs GTM server container instead of custom relay. Industry-standard; heavier to automate multi-tenant.
| Kobi Relay (A) | Hosted sGTM (B) | |
|---|---|---|
| Client install | CNAME + one script | CNAME + GTM web snippet |
| Kobi maintains | Code + templates | GTM container versions |
| Agent/QC integration | Native | Indirect |
| Google ecosystem | Via MP / EC APIs | Native GTM tags |
Recommendation: Build A as default SKU; offer B only for GTM-mature clients.
API / scope compatibility
Relay fan-out uses the same endpoints as v1 — no special “server-side tagging scope”:
| Destination | API | Already in onboarding? |
|---|---|---|
| Meta | Conversions API (/{pixel-id}/events) |
✅ Pixel + system user token |
| TikTok | Events API (/event/track/) |
✅ Pixel + OAuth |
| GA4 | Measurement Protocol | ✅ If client grants Admin / measurement ID |
| Google Ads | Enhanced Conversions / offline upload | ✅ Conversion actions |
| Internal CRM | Webhook / CTS | ✅ Phase 4 |
GTM Tag Manager API is only needed for option B (container publish) — not for Kobi Relay.
Consent management — required for Relay
Yes. If Kobi Relay sets first-party cookies and fans out events to Meta, TikTok, GA4, and Google Ads, consent must be enforced before non-essential processing. A DNS record and loader alone do not satisfy GDPR, UK GDPR, or KVKK — the relay becomes part of the client’s tracking stack and must respect visitor choice.
This is separate from portal consents (ToS, data-sharing, Meta OAuth) in onboarding provisioning spec §7. Relay needs website visitor cookie consent in addition.
Responsibility split
| Party | Role |
|---|---|
| Client | Privacy policy, lawful basis, banner copy approval, DPA with Kobi — per vision & scope |
| Kobi | Implement consent gating in k.js + relay; Consent Mode v2; block fan-out when denied; audit-friendly logs |
| End user | Accept / reject / customize via banner or existing CMP |
Relay must not treat server-side fan-out as a loophole: if marketing consent is denied in the browser, the relay drops or anonymizes ad-personalization payloads (CAPI with restricted parameters, no new marketing cookies).
Consent categories (default taxonomy)
| Category | Examples | Default (EEA/UK) | Fan-out when denied |
|---|---|---|---|
| Necessary | Relay session, security, consent storage | Always on | N/A — no ad platforms |
| Analytics | GA4 page views, key events | Opt-in | Skip GA4 MP; optional aggregate internal metrics only |
| Marketing | Meta CAPI, TikTok Events API, Google Ads EC, remarketing cookies | Opt-in | Block platform fan-out; no _fbp / ad cookies |
Tenant config: consent_profile on tenant_registry — eea_strict | uk_strict | tr_kvkk | row_light (still document; no silent opt-in where law requires opt-in).
Three deployment modes (pick per tenant at onboarding)
| Mode | Client has | Kobi delivers | Best for |
|---|---|---|---|
| 1 — Client CMP | Cookiebot, OneTrust, iubenda, CookieYes, etc. | k.js listens to CMP API / dataLayer / TCF __tcfapi |
Mature sites, legal already owns CMP |
| 2 — Kobi CMP | Nothing reliable | Lightweight Kobi banner (hosted with k.js, styled per tenant) |
SMB clients, fastest Relay rollout |
| 3 — Hybrid | GTM loads CMP + Kobi loader | GTM import: CMP first, then k.js on consent update |
Agencies already on GTM |
Default recommendation: Mode 1 when CMP exists; Mode 2 as Relay SKU default for TR/EU SMB; document Mode 3 in implementation guide v2.
Consent banner game plan (implementation)
Phase A — Tenant config (onboarding Relay SKU)
| Field | Purpose |
|---|---|
consent_profile |
eea_strict / uk_strict / tr_kvkk / row_light |
cmp_mode |
client_cmp | kobi_cmp | gtm_hybrid |
cmp_vendor |
e.g. cookiebot, onetrust, kobi |
privacy_policy_url |
Required — linked from banner |
banner_locale |
tr, en, de, … |
google_consent_mode |
v2 enabled (default true for EEA/UK) |
Store website consent config on onboarding_record.tracking_relay; link to portal consent_record for contractual data-sharing — two layers, one audit trail.
Phase B — Loader (k.js) behavior
- Default denied for analytics + marketing in EEA/UK until CMP fires
consent_update. - Expose
window.kobiConsentbridge for client CMP integrations. - Set Google Consent Mode v2 defaults (
ad_storage,analytics_storage,ad_user_data,ad_personalization) before any hit. - Set first-party cookies only when category allows (e.g.
_fbponly if marketing granted). - Queue events in memory until consent known; flush or purge on deny.
- Attach
consent_snapshot(categories + CMP version + timestamp) on each relay POST — relay logs, does not re-interpret legal text.
Phase C — Relay server gates
| Check | Action if fail |
|---|---|
consent.marketing !== true |
Drop Meta / TikTok / Ads fan-out; return 204 |
consent.analytics !== true |
Drop GA4 MP |
Missing consent_snapshot on EEA tenant |
Treat as denied (strict) |
| Event contains PII + marketing denied | Strip / hash per data & tracking privacy rules |
Optional: persist anonymized consent metrics to BigQuery (relay_consent_events) for ops — not a substitute for CMP records.
Phase D — Platform-specific signals
| Platform | Relay behavior |
|---|---|
Consent Mode v2 in loader; Enhanced Conversions only if ad_user_data granted |
|
| Meta | CAPI data_processing_options / LDU where required; no pixel-equivalent cookies without marketing consent |
| TikTok | Events API with consent flags per TikTok docs for region |
| GA4 | MP with consent-aware parameters; respect analytics_storage |
Pin exact parameter names at implementation — platform docs change; QC checker validates consent fields present for EEA tenants.
Phase E — Client CMP integration cookbook (Mode 1)
Document in implementation guide v2 — one snippet per major CMP:
| CMP | Integration hook |
|---|---|
| Cookiebot | Cookiebot.consent + CookieConsent event |
| OneTrust | OnetrustActiveGroups + OneTrustGroupsUpdated |
| iubenda | _iub.cs.api |
| TCF v2 | __tcfapi('getTCData') → map purposes to analytics/marketing |
Kobi maintains a compatibility matrix; unknown CMP → fallback Mode 2 or HITL onboarding step.
Phase F — Kobi CMP (Mode 2) MVP scope
| In scope | Out of scope (v2 Relay MVP) |
|---|---|
| TR + EN banner strings (legal review) | Full IAB TCF registration as CMP |
| Accept all / reject non-essential / customize (3 categories) | Geo-IP auto-law detection (use tenant consent_profile first) |
Consent cookie on metrics.client.com or registrable domain |
Replacing enterprise CMP for Fortune 500 clients |
| Re-open preferences link in implementation guide footer snippet |
Banner UI: small bundle served from same subdomain as k.js; theme tokens from tenant brand colors.
Phase G — Ops, QC, and HITL
| Signal | Threshold | Action |
|---|---|---|
| EEA tenant with zero consent grants but high event volume | Any | Block relay — config bug; System Ops alert |
| Consent grant rate unusually low | < 5% over 7d | Notify client — banner placement/copy |
| Relay fan-out without snapshot (EEA) | > 0 | QC fail; do not mark tracking healthy |
| Client changes privacy policy URL | — | Re-acknowledge in portal (lightweight) |
Add ONB-14 (future): Relay enabled but privacy_policy_url or consent_profile missing → block tracking_relay.active.
Consent + engineering cost add-on
| Workstream | Duration | Notes |
|---|---|---|
| Consent gating in loader + relay | +1.5 weeks | Included in Relay MVP row — now explicit |
| Client CMP integration matrix | +1 week | Top 4 CMPs + TCF stub |
| Kobi minimal CMP (Mode 2) | +1.5–2 weeks | UI + locales + legal copy templates |
| Consent health dashboard | +0.5 week | Overlap with relay health row |
Infra: Kobi CMP adds negligible cost (static assets on same edge as k.js). No separate CMP SaaS fee unless Kobi later resells a third-party CMP.
Cloud provider recommendation
Default: GCP for compute + Cloudflare for edge (hybrid).
| Layer | Service | Why |
|---|---|---|
| Relay logic | GCP Cloud Run | Same as orchestrator, connectors, CTS, Secret Manager, logging → BQ — one IAM and ops model (GCP topology) |
| Multi-tenant custom hostnames | Cloudflare (SSL for SaaS / proxied CNAME) | Cheap per-client TLS at 50–200+ tenants; global edge; DDoS; cache static k.js |
| Certificates (pilot only) | GCP Certificate Manager + Global HTTPS LB | OK for <15 tenants all-GCP pilot — fewer vendors |
| Secrets / tokens | GCP Secret Manager | Pixel tokens already planned here |
| Telemetry | Cloud Logging → BigQuery | Aligns with System Ops + QC |
Why not AWS / Azure as primary?
- Rest of Kobi Digital Ads is GCP-illustrative (Vertex, Cloud Run, BQ).
- Splitting relay to Lambda@Edge or Azure Front Door adds second billing, IAM, and runbooks for marginal savings at pilot scale.
- Revisit only if entire Kobi platform standardizes elsewhere.
Why not Workers-only (no GCP)?
- Cloudflare Workers can host the full relay (very cost-effective).
- Downside: platform tokens, CTS, and tenant registry live on GCP — cross-cloud latency, dual deploy, harder trace from ad event → agent QC.
- Compromise: Cloudflare edge (SSL, cache, WAF) → GCP Cloud Run origin — best performance/cost/ops balance.
Region
- Relay origin:
europe-west1(match GCP topology) unless tenant data residency requires otherwise. - Cloudflare: automatic anycast edge (client-facing latency minimized globally).
Cost estimation
Planning bands only. Verify against Cloud Run, Cloud Load Balancing, Cloudflare plans, and Certificate Manager before build. Prices USD, order-of-magnitude, relay infra only (excludes Vertex, ads APIs, ERP).
Traffic assumptions
| Profile | Tenants | Page views / tenant / month | Relay requests / tenant / month¹ |
|---|---|---|---|
| Pilot | 5 | 25,000 | ~100,000 |
| Growth | 50 | 50,000 | ~200,000 |
| Scale | 200 | 100,000 | ~400,000 |
¹ Loader load + page/events + retries. Fan-out to Meta/TikTok/GA4 is outbound from Cloud Run (small payloads; egress cost negligible vs ingress).
Monthly infrastructure (USD)
| Profile | Total requests/mo | Hybrid (CF + GCP Run) | All-GCP (LB + Run + certs) |
|---|---|---|---|
| Pilot (5 tenants) | ~0.5M | $25–45 | $40–70 |
| Growth (50 tenants) | ~10M | $80–150 | $180–320 |
| Scale (200 tenants) | ~80M | $350–650 | $900–1,600 |
Hybrid breakdown (Growth example, ~10M requests/mo):
| Line item | Est. monthly |
|---|---|
| Cloud Run (relay + fan-out CPU) | $35–70 |
| Cloudflare Pro/Business + custom hostnames (~50) | $25–55 |
| GCP logging / BQ relay telemetry (light) | $10–25 |
| Secret Manager, Pub/Sub (optional async buffer) | $5–15 |
| Total | ~$80–150 |
All-GCP premium drivers: Global HTTPS LB (~$18+ base + LCU), Certificate Manager per hostname, no edge cache for k.js unless Cloud CDN added.
Marginal cost per tenant (steady state, hybrid)
| Tenant traffic | Est. infra / tenant / month |
|---|---|
| Low (25k page views) | $1–3 |
| Medium (50k page views) | $2–5 |
| High (200k page views) | $6–12 |
Pass-through pricing to clients (optional SKU): media-tech fee €5–15 / site / month easily covers infra at Growth scale.
One-time engineering (build)
| Workstream | Duration | Notes |
|---|---|---|
| Relay service (ingest, dedup, fan-out) | 4–5 weeks | Cloud Run, vertical templates |
| Consent (loader gates + CMP modes + Kobi banner MVP) | 2–3 weeks | See Consent management |
| Edge onboarding (CNAME verify, TLS, tenant routing) | 2 weeks | Cloudflare for SaaS or GCP certs |
k.js loader + implementation guide v2 |
1–2 weeks | SPA hooks, dataLayer optional |
| Dashboard health (volume, EMQ proxy, consent) | 1 week | Ties to data & tracking |
| Hosted sGTM path (optional B) | +2 weeks | Only if product requires |
| Total MVP (path A) | ~10–12 weeks | 1–2 engineers; consent is on critical path for EEA/TR |
Opportunity cost vs v1 guide: v1 avoids this build; relay pays off at ~20+ active sites or when client IT friction dominates onboarding SLA.
Multi-tenant design notes
| Concern | Approach |
|---|---|
| Host routing | Host: metrics.client.com → tenant_id in registry |
| Isolation | Per-tenant rate limits; no cross-tenant tokens in memory |
k.js delivery |
Immutable versioned URL; long cache at edge |
| Consent | cmp_mode per tenant; loader + relay gates — Consent management |
| Dedup | Browser event_id + server id → Meta/TikTok requirements |
| Domain verify (platform) | Still separate from CNAME — onboarding |
Phasing
| Phase | Tracking delivery |
|---|---|
| v1 | API pixels + CAPI + implementation guide (manual / GTM import template) |
| v2+ | Optional Kobi Relay SKU: CNAME + k.js |
| v2+ alt | Hosted sGTM for GTM-native clients |
See Roadmap — Phase 2+ optional.
Related documents
- Data & tracking
- GCP deployment topology
- Onboarding provisioning spec
- Platform access & API readiness
- Security & governance — GDPR / KVKK
- GA4 source of truth — Consent Mode v2 sign-off