What is a postback?
A postback (also called server-to-server tracking or S2S) is an HTTP request your server sends to Trcker when a conversion happens. It tells Trcker "this click just turned into a sale."
Postbacks are more reliable than tracking pixels because they run server-side, can't be blocked by ad blockers, and are harder to fake.
Your postback URL
Every offer has a postback URL in this format:
https://app.trcker.io/api/postback/your-brand/offer-slug?secret={postback_secret}&click_id={click_id}&amount={amount}
Replace your-brand and offer-slug with your actual brand and offer slugs, and {postback_secret} with the secret shown in Offers → [your offer] → Settings → Postback secret.
Authentication
Every offer ships with a unique 64-character postback_secret. The postback endpoint requires the secret on every call — without it, your conversion is rejected with 401. This stops anyone who has scraped your tracking links from forging conversions.
You can pass the secret in either of two ways:
- URL parameter (recommended for static URLs in advertiser admin panels):
?secret={postback_secret}&click_id=... - HTTP header (recommended for programmatic senders — keeps the secret out of access logs):
X-Postback-Secret: {postback_secret}
The header takes precedence if both are supplied.
The secret rotates only when you regenerate it in the dashboard. Treat it like an API key — anyone with it can fire conversions on this offer.
> Legacy offers: Offers created before May 11, 2026 may have postback_secret = null, in which case the endpoint accepts unauthenticated postbacks but logs a deprecation warning. Generate a secret in Settings to flip enforcement on. After flipping, every postback must include the secret.
Required parameters
| Parameter | Description | Example |
|-----------|-------------|---------|
| click_id | The click ID from the original redirect. Passed as a URL parameter when the user clicked the affiliate link. | a1b2c3d4-e5f6-... |
Optional parameters
| Parameter | Description | Example |
|-----------|-------------|---------|
| amount | Revenue amount in dollars | 49.99 |
| payout | Override the payout for this conversion | 7.50 |
| txn_id | Your internal transaction ID (used for deduplication) | order-12345 |
| event | Event type | sale, lead, install |
| currency | Currency code | USD |
| coupon_code | Coupon used (for coupon-based attribution) | PARTNER20 |
How to pass the click_id
When a user clicks an affiliate link, Trcker redirects them to your destination URL with a click_id parameter appended:
https://yoursite.com/landing?click_id=a1b2c3d4-e5f6-...
You need to:
- Capture the
click_idfrom the URL when the user lands on your site - Store it (in a session, cookie, or database) so it's available when they convert
- Send it back in the postback when the conversion happens
Example postback call
When a user completes a purchase on your site:
GET https://app.trcker.io/api/postback/your-brand/offer-slug?click_id=a1b2c3d4-e5f6-...&amount=49.99&txn_id=order-12345
Trcker will:
- Match the click_id to the original affiliate click
- Attribute the conversion to the correct partner
- Calculate the payout based on your offer settings
- Return
{"data": {"status": "ok", "conversionId": "..."}}
Deduplication
If you include a txn_id, Trcker automatically deduplicates. Sending the same txn_id twice returns {"data": {"status": "duplicate"}} instead of creating a second conversion.
IP whitelisting
For extra security, you can restrict which IPs can fire postbacks. Go to the offer detail page and add your server IPs under Advanced Settings.
Testing
You can test your postback integration by firing a test request with curl:
curl "https://app.trcker.io/api/postback/your-brand/offer-slug?click_id=test&amount=10&txn_id=test-123"
The response will confirm whether the postback was processed successfully.
Full macro reference
For a complete list of all postback macros (both inbound and outbound), see Postback Macros Reference.