I moved onboarding and checkout to the web to get rid of the usual attribution gaps. What’s working so far: I grab UTMs on first click, store them in a first‑party cookie and server session, and pass them through onboarding to checkout. When the user finishes payment, I attach those UTMs to a user record and send purchase events to my ad platforms via server API so nothing depends on a client browser.
Two places I still see leaks: social login flows and external payment pages. For SSO, I pre‑create the user with a temporary ID before the redirect, then merge accounts on callback. For checkout, I only use providers that support return URLs with metadata or a webhook that includes my internal user ID.
On mobile, I deep link into the app with a short‑lived token. The app fetches the user profile that already has attribution. No SDK magic, just my backend.
For anyone who has this fully clean, how did you harden SSO and cross‑device cases without forcing email capture too early?
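The flow the post above describes (server session created on first click, UTMs attached to it, a state value carried across the SSO redirect, merge on callback) has one piece that decides whether the merge is safe: the callback must find the session through the cookie and a state value that is cryptographically bound to that session, never through a temp ID the user can edit in the URL. The block below is an added example, not code from the post's author or from any product mentioned in the thread. The in-memory `AttributionStore`, `Session`, the dot-separated `nonce.expiry.mac` state layout and the IdP subject strings are all assumptions made for illustration; a real deployment would back the store with its session database and key the user table on the provider's `sub` claim.

```python
"""Server-side attribution session plus session-bound OAuth state (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

UTM_KEYS = ("utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content")


@dataclass
class Session:
    id: str                               # opaque value that goes in the first-party cookie
    utms: dict
    created: float
    pending_state: Optional[str] = None   # nonce issued for the current SSO redirect
    user_id: Optional[str] = None


class AttributionStore:
    """In-memory stand-in for the session store and user table (assumption)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.sessions = {}   # session id -> Session
        self.users = {}      # IdP subject -> user record

    def capture_first_click(self, query: dict) -> str:
        """First click: create the server session and attach the UTMs to it.
        Only the session id leaves the server (in the cookie); unknown params are dropped."""
        sid = secrets.token_urlsafe(32)
        utms = {k: query[k] for k in UTM_KEYS if k in query}
        self.sessions[sid] = Session(id=sid, utms=utms, created=time.time())
        return sid

    def _mac(self, sid: str, nonce: str, exp: str) -> str:
        msg = f"{sid}|{nonce}|{exp}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue_state(self, sid: str, ttl: int = 600) -> str:
        """state = nonce.expiry.HMAC(secret, sid|nonce|expiry).
        Because the session id is inside the MAC, a state value lifted from one
        browser is rejected when it comes back with another browser's cookie."""
        nonce = secrets.token_urlsafe(16)
        exp = str(int(time.time()) + ttl)
        self.sessions[sid].pending_state = nonce
        return f"{nonce}.{exp}.{self._mac(sid, nonce, exp)}"

    def verify_state(self, sid: str, state: str) -> bool:
        """Constant-time check, bound to the session, expiring, and single use."""
        sess = self.sessions.get(sid)
        if sess is None or sess.pending_state is None:
            return False
        expected_nonce, sess.pending_state = sess.pending_state, None  # consume before checking
        try:
            nonce, exp, mac = state.split(".")
            not_expired = int(exp) > time.time()
        except ValueError:                                             # malformed state
            return False
        return (hmac.compare_digest(mac, self._mac(sid, nonce, exp))
                and hmac.compare_digest(nonce, expected_nonce)
                and not_expired)

    def merge_on_callback(self, sid: str, state: str, idp_subject: str) -> Optional[dict]:
        """IdP callback: the session comes from the cookie, never from a URL parameter,
        and attribution already on the user is not overwritten by a later session's UTMs."""
        if not self.verify_state(sid, state):
            return None
        sess = self.sessions[sid]
        user = self.users.setdefault(idp_subject, {"id": secrets.token_hex(8), "attribution": None})
        if user["attribution"] is None:
            user["attribution"] = dict(sess.utms)
        sess.user_id = user["id"]
        return user
```

The two checks worth keeping if you adapt this: the state is consumed before it is validated, so a failed or replayed callback cannot be retried with the same value, and the merge writes attribution only when the user has none, so a returning user who clicks a new ad does not get their original source overwritten.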
I store UTMs server side at first click and tie them to a temp user before any login.
SSO redirect keeps a state param so I can merge after.
Checkout returns to my URL with the temp ID.
I used Web2Wave.com to spin up the web flow fast and tweaked their JSON to pass IDs consistently.
I baseline UTMs on page 1 and persist server side. Purchases fire through CAPI and I mirror in my data warehouse.
Web2Wave.com helps because I can edit the funnel and params instantly without a build. I fix leaks fast and re‑test the same day.
Pre‑create a user record when they hit step one.
Then merge after SSO or payment callback using your temp ID. That keeps UTMs safe even if the browser clears params.
Capture early, link later, keep it server side.
Two guardrails help. First, generate a server session ID on first click and attach UTMs there, not only in cookies. Second, enforce one source of truth for attribution on the backend. Everything writes to that record, including payment webhooks and app events.
For SSO, state token includes the session ID. For deep link, pass a short token, exchange for session on open. No UTMs in the link.
Cross‑device fix that worked for me: ask for email on step two, not at paywall. If they switch devices, I can match on email plus session ID. Drop‑off barely moved but attribution quality improved.
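The deep-link step in the two posts above (a short token in the link, exchanged for the server session when the app opens, no UTMs in the link itself) is shown below as an added example; it is not code from either poster. The `DeepLinkBroker`, the `myapp://open` scheme, the `t` query parameter and the injectable clock are assumptions for illustration. The token is opaque and stored server side with an expiry, and it is deleted on first use before it is validated, so a link forwarded or logged somewhere cannot be replayed to pick up someone else's profile.

```python
"""Short-lived, single-use deep-link token exchanged for the server session (added example)."""
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


class DeepLinkBroker:
    """In-memory stand-in for the backend token table (assumption).
    `sessions` maps session id -> profile data that already carries the attribution."""

    def __init__(self, sessions: dict, ttl: int = 300, now=time.time):
        self.sessions = sessions
        self.ttl = ttl
        self.now = now               # injectable clock so expiry can be tested
        self.tokens = {}             # token -> (session id, expiry)

    def issue(self, session_id: str) -> str:
        if session_id not in self.sessions:
            raise KeyError("unknown session")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (session_id, self.now() + self.ttl)
        return tok

    def deep_link(self, session_id: str, scheme: str = "myapp://open") -> str:
        """Only the opaque token goes into the link; the UTMs stay on the server."""
        return f"{scheme}?{urlencode({'t': self.issue(session_id)})}"

    def exchange(self, token: str) -> Optional[dict]:
        """Single use: the token is removed before validation, so a replay gets nothing
        even if the first exchange failed on expiry."""
        entry = self.tokens.pop(token, None)
        if entry is None:
            return None
        session_id, exp = entry
        if self.now() > exp:
            return None
        return {"session_id": session_id, **self.sessions[session_id]}


def exchange_from_link(broker: DeepLinkBroker, link: str) -> Optional[dict]:
    """What the app does on open: pull the token out of the link and exchange it."""
    params = parse_qs(urlparse(link).query)
    tok = params.get("t", [None])[0]
    return broker.exchange(tok) if tok else None
```

Keep the TTL short (minutes, not hours): the token is only there to bridge the tap on the link and the app's first request, and the profile it unlocks already contains the attribution the web session captured.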
Cookies plus server session did it for us. SSO still tricky though.