Crescentek

Conversion APIs · CAPI + Enhanced Conversions

Server-to-server tracking that ad blockers can't stop.

Browser-based tracking is broken. iOS Intelligent Tracking Prevention, Safari's 7-day cookie limit, ad blockers, EU consent gating, and privacy extensions collectively blind 30–50% of your conversion data. Conversion APIs fix this — your server sends events directly to Meta, Google, TikTok server-to-server. No cookies, no browsers in the middle, no data loss. Your ads finally see what's actually happening.

Diagram: a user action on your site (PageView) delivered two ways.
Browser Pixel only (client-side, cookies; legacy): PageView → ad blocker → iOS ITP / Safari → cookie consent → network / firewall → Meta Events. Delivery rate: 67%.
Server-side + CAPI (backend → Meta; 2026 standard): PageView → your server (/api/track) → hash PII (SHA256: em, ph, fn, ln) → event dedup (event_id, match browser + server) → encrypted POST (graph.facebook.com) → Meta Events. Delivery rate: 100%.
Event Match Quality after proper PII hashing: 4.2 / 10.
Not just Meta

Three server-side tracking stacks worth owning.

Every major ad platform now offers a server-side alternative to browser pixels. Here's how they compare + which you actually need.

CAPI
Meta Conversions API
Required
Server → Meta endpoint. Events deduplicated with browser Pixel via event_id. PII (email, phone, name, address) hashed client-side with SHA256. Advantage+ campaigns lean heavily on this.
Used for
Meta Ads optimisation, Advantage+ Shopping, retargeting accuracy
EC
Google Enhanced Conversions
Required
Extension to Google Ads conversion tracking. First-party data (email, phone) passed with each conversion. Dramatically improves cross-device + iOS attribution. Works with GA4 + gtag directly.
Used for
Google Ads performance, cross-device attribution, GA4 match rate
EAPI
TikTok Events API
Recommended
TikTok's equivalent of CAPI. Server posts events to TikTok Ads endpoint. Match Quality score tracks PII hashing completeness. Newer stack; gotchas with legacy TikTok Pixels still common.
Used for
TikTok Ads optimisation, TikTok Shop attribution, younger-audience campaigns
What went wrong with browser tracking

Five forces killing browser-based attribution.

iOS Intelligent Tracking Prevention
Apple's ITP caps all client-side cookies at 7 days (1 day for some). Attribution windows collapse. Cross-device tracking breaks. Introduced 2017, tightened continuously. This alone accounts for most of the attribution gap.
Ad blockers + privacy extensions
20–30% of EU desktop users run uBlock Origin, AdGuard, Brave's built-in blocker, or equivalent. Facebook Pixel and Google Ads scripts are on every blocker's default list. Zero events. Zero attribution.
GDPR + consent gating
GDPR-compliant cookie banners require opt-in before marketing cookies fire. Realistic consent rates: 40–60%. The other 40–60% of your traffic leaves no Pixel trace — legally, correctly, permanently.
Third-party cookie deprecation
Safari blocks third-party cookies by default. Firefox blocks tracking cookies. Chrome's rollout has been postponed but restrictions are tightening. Browser-only stacks are on a clock.
Corporate + ISP-level blocking
Enterprise networks block Facebook and Google tracking domains. Some ISPs (Vodafone, certain telecoms) filter tracking scripts at the DNS layer. Rare individually, cumulative in aggregate.
JavaScript execution failures
Slow connections abandon pages before JS runs. Browser crashes. Race conditions between Pixel load + user action. Even under ideal conditions, ~3–5% of intended Pixel fires never happen due to timing + performance issues.
The cumulative effect: most SMB sites running browser Pixel alone receive 55–70% of actual conversions back at Meta / Google. Ads optimise on incomplete data. Lookalike audiences train on biased samples. Attribution reports underreport by 30–45%. Every week, more.
Three ways to deploy

Your implementation options ranked.

From easiest (1-click app) to most powerful (custom server-side). Pick the one that matches your stack + attribution ambitions.

01 · Native platform integration
Effort: Low · Control: Low · EMQ: 6–7
Official CAPI apps maintained by the platform. Install, authenticate, done. Pros: zero dev work. Cons: limited customisation; you're stuck with what the app passes. Good enough for 70% of DTC stores.
Shopify → Meta app, WooCommerce → PixelYourSite, BigCommerce native CAPI
02 · Server-side Google Tag Manager
Effort: Medium · Control: High · EMQ: 7–8
Container running on your own subdomain proxies all tag fires — Meta CAPI, Google Ads EC, TikTok, analytics — from one place. Full transformation control. Requires tagging strategy + ongoing GTM management. The sensible middle-ground for most mid-market e-commerce.
sGTM on Cloud Run / Stape / Addingwell
03 · Direct API from your backend
Effort: High · Control: Total · EMQ: 8–9+
Events fire directly from your server on purchase / form submit / lead capture. Highest match quality. Full hashing + dedup logic you own. Requires dev resource + monitoring. Used by serious e-commerce + SaaS operations where attribution is a bottom-line issue.
Node / PHP / Python backend posting to Meta Graph API + Google Ads API
04 · Conversions API Gateway (self-hosted)
Effort: Very high · Control: Absolute · EMQ: 9+
Meta-provided gateway deployed in your AWS / GCP / Azure. Events flow browser → your server → gateway → Meta, never leaving your infrastructure. Data sovereignty maximised. Overkill for SMBs; standard for regulated industries + enterprises.
Meta's CAPI Gateway deployed on your infrastructure
Privacy is the whole point

PII hashing + GDPR — what you must get right.

Server-side tracking isn't a loophole around privacy law. Done wrong, it's a bigger GDPR risk than browser tracking. Done right, it's better-for-users + better-for-you. Here's the non-negotiable stuff.

SHA256 hash all PII before sending
Email, phone, first/last name, address — never transmit in plaintext. Hash client-side before POSTing to your server, or hash server-side before forwarding. Meta / Google reject unhashed PII + flag your account.
Normalise before hashing
Emails: lowercased, trimmed. Phones: E.164 format (+353...). Names: lowercased, stripped of punctuation. Inconsistent normalisation = hashes don't match = attribution breaks even though data was sent.
Honour consent state server-side too
If user rejected marketing cookies, don't send their server-side events either. Server-side doesn't bypass consent law — it just bypasses browser restrictions. Consent mode flag must flow through to your backend.
No event_id = duplicate counting
Both browser Pixel AND CAPI fire for the same purchase. Without a matching event_id on both, Meta counts it twice. Conversions inflate 2x. Algorithm learns from bad data. Always pair browser+server with identical event_id.
Document + publish your DPIA
Data Protection Impact Assessment required under GDPR for any new tracking system. Server-side setup + the PII sent = a processing activity. DPC (Irish Data Protection Commission) has fined for missing DPIAs. €€€€€.
Keep an audit log
Log every event your server sends, what fields, what user (pseudonymised). Required for DSAR compliance (user can ask 'what did you send about me?'). Keep for 12+ months. Part of running server-side correctly.
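The hashing, consent, dedup and audit rules above, combined in one server-side event builder. This is an added Python example, not Crescentek's or any platform's own code: the em/ph/fn/ln keys and event_id come from this page, while the event dictionary layout, the default country code 353, the HMAC-pseudonymised audit record and all sample values are assumptions constructed for illustration. Check each platform's current specification for its exact normalisation rules before hashing.

```python
import hashlib, hmac, json, re, time

AUDIT_KEY = b"constructed-demo-key"  # assumption: load from a secret store in practice

def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def norm_email(email: str) -> str:
    return email.strip().lower()  # lowercased, trimmed

def norm_phone(phone: str, default_cc: str = "353") -> str:
    """E.164: '+' then digits only. default_cc (assumed) is used for national numbers."""
    digits = re.sub(r"\D", "", phone)
    if phone.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):          # international prefix written as 00
        return "+" + digits[2:]
    return "+" + default_cc + digits.lstrip("0")

def norm_name(name: str) -> str:
    return re.sub(r"[^\w\s]", "", name.strip().lower())  # lowercase, drop punctuation

NORMALISERS = {"em": norm_email, "ph": norm_phone, "fn": norm_name, "ln": norm_name}

def build_event(name, event_id, user_id, pii, marketing_consent, now=None):
    """Return (event, audit_record), or (None, None) when consent is absent."""
    if not marketing_consent:
        return None, None                # the consent gate applies server-side too
    if not event_id:
        raise ValueError("event_id required: must equal the browser Pixel's id")
    ts = int(now if now is not None else time.time())
    user_data = {k: sha256_hex(NORMALISERS[k](v))
                 for k, v in pii.items() if v and k in NORMALISERS}
    event = {"event_name": name, "event_time": ts,
             "event_id": event_id, "user_data": user_data}
    audit = {"event_id": event_id, "event_name": name, "event_time": ts,
             "fields_sent": sorted(user_data),  # field names only, never values
             "user": hmac.new(AUDIT_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]}
    return event, audit

if __name__ == "__main__":
    # Constructed sample input, not real customer data.
    pii = {"em": "  Jane.Doe@Example.COM ", "ph": "087 123 4567",
           "fn": "Jane", "ln": "O'Brien"}
    event, audit = build_event("Purchase", "order-1001", "user-42", pii, True, now=1700000000)
    print(json.dumps(event, indent=2))
    print(json.dumps(audit))  # one JSON line per sent event in an append-only log
```

The same event_id passed to build_event must be the one the browser Pixel sent for that action, otherwise the two events cannot be deduplicated.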
What actually changes

Measurable outcomes after going server-side.

+30–50%: events seen by Meta / Google (vs browser Pixel only)
+15–35%: attributed ROAS (within 4–6 weeks of deployment)
−20–40%: reported CPA (same spend, more attributed conversions)
9+: Event Match Quality score (vs typical 4–6 for browser-only)
7→90: attribution window in days (first-party cookies vs hashed email)
100%: ad-blocker resistance (server → server, never touches browser)
Realistic timing: attribution improvements show up in dashboards within days. Algorithmic gains (Meta's Advantage+ / Google's Smart Bidding learning from better data) take 2–4 weeks. ROAS uplift compounds over months as lookalike audiences improve.
Frequently asked

Conversion API questions.

Yes — full stack setup: Meta CAPI + Google Enhanced Conversions + TikTok Events API if relevant. Flat fee €2,000–6,000 depending on platform + approach (native app install → sGTM → custom server-side). Includes PII hashing, event dedup, consent-mode integration, EMQ optimisation, test + verification in Events Manager + Google Ads + TikTok Ads Manager. Plus a handover doc so your team understands what's firing + why.
Mostly, not entirely. CAPI + Enhanced Conversions recover most lost iOS 14 attribution via hashed PII matching (email / phone pass through even when cookies don't). Expect 80–95% recovery — not 100%. Some in-app → web journeys still have gaps. But 85% is dramatically better than 50%.
Can be — if done properly. You control what data leaves your server + to whom. You can enforce consent server-side. You can log + audit every event. But server-side without proper hashing + consent respect is actually a bigger GDPR risk than browser Pixel. Done wrong, it's worse. We set things up so it's actually better-for-users — including respecting opt-outs end-to-end.
Consent Mode v2 is the umbrella — it signals to Google whether to collect data or use modelled conversions instead. Enhanced Conversions operates inside that framework. Setup includes CMP (CookieYes / Cookiebot / OneTrust) → Consent Mode v2 → gtag + server-side all respecting consent state. We configure end-to-end.
Shopify + native app route: 1 week. sGTM via Stape: 2–3 weeks. Custom server-side on non-standard stack: 3–6 weeks. Enhanced Conversions alone (Google Ads): 3–5 days. Full multi-platform setup across Meta + Google + TikTok: typically 4–8 weeks depending on ecommerce platform and dev availability.
For most Shopify stores under €1M/year, yes — Meta's official Shopify integration handles CAPI + events correctly out of the box. Enable it in Settings. Above €1M or running complex attribution (multi-domain, custom checkout, non-standard events), move to sGTM or custom for more control + better EMQ.

Stop losing conversions to privacy tech.

60-minute tracking audit. Share your Meta + Google + TikTok accounts; we inspect Events Manager, Tag Assistant, Enhanced Conversions status + EMQ scores. You'll leave with a prioritised implementation plan — and a rough estimate of how much attribution you're currently losing.