The goal of this solution is to set the Tealium TAPID as a first-party cookie using a reverse proxy. The TAPID cookie is normally set as a third-party cookie, but due to new restrictions in browsers, these cookies are becoming more difficult to rely on. Using a reverse proxy is one way to have requests to Tealium Collect directed through your own subdomain to ensure that the resulting cookie remains in the first-party context.

Related Topics

In this article:

How It Works

If you're using the Tealium Collect tag to collect data in Tealium EventStream or AudienceStream then you might be familiar with the endpoint . This endpoint that collects all incoming requests to the Tealium Customer Data Hub and it sets a third-party cookie called TAPID that is used for identity resolution in AudienceStream. The cookie is set in the domain If you want the TAPID to be set as a first-party cookie, then requests to Tealium Collect must use an endpoint that matches your domain.

One way to accomplish this is by using a reverse proxy. A reverse proxy solution requires the following:

  • Reverse Proxy: a server that can run a reverse proxy configuration.
  • Tealium Collect: an instance of the Tealium Collect tag in Tealium iQ Tag Management or the Collect module in a Tealium for Mobile installation.

Reverse Proxy

A reverse proxy allows you to effectively serve requests from your domain while continuing to benefit from the enterprise scale of the Tealium Customer Data Hub. Instead of sending requests to, you would send them to an endpoint of your own, such as .

A reverse proxy can be implemented in several ways, but they all require the following:

  • A web server that can handle the network traffic generated by your Tealium installations.
  • DNS entry for your new endpoint, such as
  • SSL Certificate for the new subdomain

Region Hostnames

If your data collection is restricted to a specific geographic region, then your reverse proxy configuration should direct traffic to one of the following regional endpoints:


Tealium Collect

After your new endpoint and reverse proxy is in place, you must change the URL that Tealium Collect uses. The default endpoint has your Tealium account and profile in the pathname. Your new endpoint will be the same except for the hostname.

Default Endpoint:

Reverse Proxy Endpoint:

Tealium Collect Tag

Your new reverse proxy endpoint must be set in the Tealium Collect configuration. Set the Server field to your new URL:



Example: Nginx

Nginx is a light-weight server that is ideal to use as a reverse proxy. It can handle large amounts of network traffic and, with a simple configuration, can pass those requests onto the Tealium endpoints for processing.

This solution would take all traffic coming to your new endpoint ( and forward it to the Tealium collect endpoint (collect* It will also set header cookies in your domain, ensuring that they remain first-party. 

Sample Nginx server block configuration:

server {
listen 443 ssl;
# TODO: Your subdomain

ssl on;
# TODO: Your SSL certificates
ssl_certificate <path_to_fullchain>.pem;
ssl_certificate_key <path_to_privatekey>.pem;

location / {
# TODO: Only change this if you use a regional Tealium Collect hostname
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $http_host;
# TODO: Your cookie domain for Set-Cookie header
proxy_cookie_domain $http_host;