Key takeaways
- Server-to-server (S2S) postback tracking attributes conversions using a server-side click ID instead of a browser cookie.
- It survives third-party cookie deprecation, Safari ITP, and ad blockers because nothing depends on a cookie persisting.
- The flow is: log a click and mint a click ID, carry that ID to conversion, then fire a postback back to the tracker.
- S2S is more accurate and more fraud-resistant than pixel-and-cookie tracking.
- Afflio's tracking is cookieless S2S by design, so attribution holds even in privacy-restricted browsers.
For two decades, affiliate attribution leaned on a third-party cookie: a click set a cookie, a later purchase read it, and the affiliate got credit. That model is dying. Browsers block third-party cookies by default, Safari's tracking prevention caps cookie lifetimes, and ad blockers strip tracking pixels. Server-to-server postback tracking is how attribution works in that world — and it is more accurate and harder to game than the cookie it replaces.
What is server-to-server postback tracking?
Server-to-server postback tracking is a method where your server records a click and assigns it a unique click ID, then the advertiser's server reports the eventual conversion back to your server using that same ID. Attribution lives entirely between servers — no cookie has to survive in the user's browser for the match to work, which is why it is called cookieless.
How does the postback flow work?
The flow has three steps, and the click ID is the thread running through all of them.
- Click: a user clicks an affiliate link, your tracker logs the click server-side and generates a unique click ID.
- Pass-through: the click ID travels with the user to the destination — appended to the landing URL and captured by the advertiser so it can be returned later.
- Postback: when the user converts, the advertiser's server makes a server-to-server HTTP request (the postback) to your tracker's endpoint, including the click ID, the conversion value, and an order reference.
Your tracker receives the postback, looks up the click ID, and credits the conversion to the affiliate who owned that click. The whole match happens server to server, so it does not matter whether the user's browser kept any cookie at all.
The click ID is the whole system
Everything in S2S tracking hinges on one identifier surviving the round trip: minted at click, passed to the destination, and returned at conversion. Lose the click ID and you lose the attribution — so the integration work is mostly about making sure it is captured and echoed back faithfully.
Why is cookieless tracking more reliable?
It is more reliable because it removes every point where a cookie could be blocked, expired, or deleted. Pixel-and-cookie tracking fails silently in a dozen ways the user controls; S2S fails only if the server integration itself is wrong, which you can test and monitor.
- No third-party cookie means browser cookie deprecation has nothing to break.
- Safari ITP and similar policies that shorten or wall off cookies don't affect a server-side click ID.
- Ad blockers that strip client pixels can't reach a server-to-server request between two backends.
- Attribution windows can be as long as your business needs, since they live in your database, not in a cookie's expiry.
How does S2S reduce fraud?
S2S reduces fraud by making attribution something a fraudster cannot forge from the browser. Cookie stuffing relies on planting a cookie without a real click; when credit only exists for a click ID your server actually minted, there is nothing to plant. You can also sign or validate the postback so only your verified advertiser endpoint can report conversions, closing off spoofed conversion reports.
Moving attribution from the browser to the server doesn't just survive privacy changes — it takes the cookie, the one thing a fraudster could touch, off the table entirely.
Afflio's tracking is cookieless S2S out of the box. Clicks are logged server-side with a click ID, conversions are reported back via postback, and attribution holds in Safari, in incognito, and with cookies fully disabled — the same conditions that quietly break legacy pixel tracking.
Does cookieless tracking still work if the user blocks all cookies?
Yes. Server-to-server postback tracking attributes conversions using a click ID exchanged between servers, so it does not depend on any cookie being stored in the user's browser. A user with cookies fully disabled is still tracked correctly.
What is a click ID?
A click ID is a unique identifier your tracker generates when an affiliate link is clicked. It is passed to the destination URL and returned in the conversion postback, allowing the tracker to match the conversion back to the original click and the affiliate who owned it.
What is a postback URL?
A postback URL is the endpoint on your tracker that the advertiser's server calls when a conversion happens. The advertiser appends the click ID, conversion value, and order reference to it, and the tracker uses those to credit the right affiliate.