Facebook Conversions API: a step-by-step setup that survives iOS and ad-blockers

Nova editorial · 12 min read

Why the browser pixel is no longer enough

For the better part of a decade, the Facebook pixel sitting in the browser was a complete measurement solution. You dropped a script tag, you fired fbq('track','Purchase') on your thank-you page, and Meta knew everything it needed to attribute the sale. That world ended with iOS 14.5. Today, between Apple's App Tracking Transparency, Safari's Intelligent Tracking Prevention, browser extensions, ad-blockers and corporate proxies, the browser pixel typically loses between 30 and 60 percent of the events you actually generate. Lost events mean broken attribution, weaker audiences and an algorithm that learns more slowly. The Conversions API — "CAPI" — is the only durable fix.

What CAPI actually is

CAPI is a server-to-server endpoint. Instead of the visitor's browser sending the event, your server sends it directly to Meta over HTTPS. Because the call originates from your infrastructure, it is invisible to ad-blockers, immune to ITP, and unaffected by browser quirks. The price is that you become responsible for two things the browser used to handle for you: identifying the user (so Meta can attribute the event to a person) and deduplicating against any browser pixel events that did get through.

The three implementation paths

There are exactly three ways to send CAPI events, in order of increasing power and complexity. The first is the Meta Conversions API for Shopify, WooCommerce, BigCommerce or whatever platform you use — a one-click integration that handles the basics. The second is server-side Google Tag Manager: you forward events from your existing GA4 implementation through a Meta tag in sGTM. The third is direct server-to-server calls from your application backend. We recommend the platform integration for any store doing under €50k per month, server GTM for everything above that, and direct backend calls only when you have an engineering team that wants full control.

Event Match Quality: the metric you should obsess over

Meta scores every event you send on a scale of 0 to 10 called Event Match Quality, or EMQ. The score reflects how many identifying parameters you provided: email, phone, first name, last name, city, state, zip, country, external ID, click ID, browser ID. The more you send (hashed with SHA-256), the higher the score, and the more accurately Meta can match the event to a real user profile. Below 6.0 your data is barely usable; above 8.0 you start unlocking lookalike audiences that perform as well as they did before iOS 14. The single highest-ROI thing you can do this quarter is push every account from a 5 to an 8 by sending hashed email and phone alongside the click ID (fbc) and browser ID (fbp).

Deduplication: the part everyone gets wrong

When you run CAPI alongside the browser pixel, the same purchase can be sent twice — once from the browser, once from your server. Meta deduplicates these on two fields: the event_name and the event_id. The event_id must be exactly the same string in both events, and both events must arrive within 48 hours of each other. The most common mistake we see is generating two different event IDs (for example a UUID on the client and the order number on the server) and inflating purchases by up to 2x. Always derive the event_id from a deterministic source — the order ID is the cleanest choice for e-commerce.
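The double-counting failure described above can be checked offline against your own event logs. This added example (not code from the article or from Meta) models the matching rule exactly as stated here, same event_name and event_id within 48 hours; the `order` field, the sample events and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(hours=48)  # window stated in the article

def _ev(source, event_id, order, when):
    # "order" is a hypothetical field from your own logs, not a Meta parameter.
    return {"source": source, "event_name": "Purchase",
            "event_id": event_id, "order": order, "time": when}

# Constructed sample: one correct pair, one ID mismatch, one late arrival.
SAMPLE_EVENTS = [
    _ev("browser", "order-1001", "1001", datetime(2024, 5, 1, 10, 0)),
    _ev("server", "order-1001", "1001", datetime(2024, 5, 1, 10, 1)),
    _ev("browser", "3f2b8c1e-0d4a-4e6f-9a7b-1c2d3e4f5a6b", "1002",
        datetime(2024, 5, 1, 11, 0)),   # UUID generated on the client
    _ev("server", "order-1002", "1002", datetime(2024, 5, 1, 11, 1)),
    _ev("browser", "order-1003", "1003", datetime(2024, 5, 1, 12, 0)),
    _ev("server", "order-1003", "1003", datetime(2024, 5, 4, 12, 0)),  # +72 h
]

def counted_conversions(events):
    """Apply the stated rule: an event is dropped as a duplicate only if an
    earlier kept event has the same event_name and event_id within 48 hours."""
    kept = []
    for ev in sorted(events, key=lambda e: e["time"]):
        duplicate = any(
            k["event_name"] == ev["event_name"]
            and k["event_id"] == ev["event_id"]
            and ev["time"] - k["time"] <= DEDUP_WINDOW
            for k in kept
        )
        if not duplicate:
            kept.append(ev)
    return kept

def double_counted_orders(events):
    """Orders that still appear more than once after deduplication."""
    counts = {}
    for ev in counted_conversions(events):
        counts[ev["order"]] = counts.get(ev["order"], 0) + 1
    return sorted(order for order, n in counts.items() if n > 1)

if __name__ == "__main__":
    print(double_counted_orders(SAMPLE_EVENTS))
```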

Step-by-step: a minimal but correct setup

Here is the exact recipe we use for new e-commerce clients.

(1) Install the browser pixel and send PageView, ViewContent, AddToCart and InitiateCheckout from the browser, with an event_id on every event.
(2) On the server, when the order is placed, send a CAPI Purchase event with the same event_id as the InitiateCheckout, plus hashed email, hashed phone, fbc, fbp, client IP and user agent.
(3) In Events Manager, enable Automatic Advanced Matching so Meta can extract any additional fields from your form submissions.
(4) Verify in Test Events that both browser and server events arrive and are deduplicated.
(5) Monitor EMQ weekly and add fields until you cross 8.0.

That is the entire integration; it can be shipped in an afternoon for most platforms.

Server-side GTM: the middle path

If you already use Google Tag Manager on the web, the cleanest path is server-side GTM. You spin up an sGTM container on a subdomain of your site, forward GA4 events into it, and add a Meta CAPI tag that translates GA4 events into the Meta event schema. The advantage is that you write the mapping once and it powers every channel: the same server container can forward to Meta, TikTok, Pinterest, LinkedIn and Snap without a single new line of frontend code. The cost is roughly $20 to $50 per month for the Cloud Run instance and an hour of setup.

Privacy and consent

CAPI is not a way around consent. If a visitor rejects marketing cookies, you must not send a CAPI event with their identifiers — period. The simplest pattern is to check the consent state on the server before firing CAPI, and to send only the anonymous, aggregated information that Consent Mode allows. Done correctly, CAPI is fully compatible with GDPR, the EU AI Act and the upcoming ePrivacy Regulation. Done incorrectly, it is a fast track to a regulator fine.
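A server-side builder for the Purchase event from step (2) of the recipe, with the consent check placed before any identifier is normalized or hashed. This is an added example, not the article's or Meta's code: the order dict, its field names and the sample values are constructed, and sending nothing at all when marketing consent is missing is an assumed conservative policy.

```python
import hashlib
import re

# Constructed sample order; the keys of this dict are hypothetical.
SAMPLE_ORDER = {
    "event_id": "order-1001",            # same string the browser event used
    "email": "  Jane.Doe@Example.COM ",
    "phone": "+31 6 1234 5678",
    "ip": "203.0.113.7",                 # documentation address range
    "user_agent": "Mozilla/5.0 (constructed)",
    "fbc": "fb.1.1714557600000.AbCdEf",  # constructed click ID cookie value
    "fbp": "fb.1.1714557600000.1234567890",  # constructed browser ID value
    "currency": "EUR",
    "value": 59.90,
}

def sha256_hex(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def normalize_email(email):
    # Hashes only match if both sides hash the same bytes: trim and lowercase.
    return email.strip().lower()

def normalize_phone(phone):
    # Digits only, country code included, no "+" or separators.
    return re.sub(r"\D", "", phone)

def build_purchase_event(order, marketing_consent, event_time):
    """Return the event dict to send, or None when consent was not given."""
    if not marketing_consent:
        return None  # assumed policy: no consent, no event with identifiers
    user_data = {
        "em": [sha256_hex(normalize_email(order["email"]))],
        "ph": [sha256_hex(normalize_phone(order["phone"]))],
        "client_ip_address": order["ip"],         # sent unhashed
        "client_user_agent": order["user_agent"], # sent unhashed
    }
    for key in ("fbc", "fbp"):                    # sent unhashed, if present
        if order.get(key):
            user_data[key] = order[key]
    return {
        "event_name": "Purchase",
        "event_time": event_time,                 # Unix seconds
        "event_id": order["event_id"],
        "action_source": "website",
        "user_data": user_data,
        "custom_data": {"currency": order["currency"], "value": order["value"]},
    }
```

A SHA-256 hash of an email address or phone number is still pseudonymous personal data, which is why the consent check runs first and the raw values never leave the function.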

Measuring the impact

Across more than fifty accounts we have migrated to CAPI in the last two years, the typical result is a 35 to 55 percent uplift in reported conversions, a one-to-two point improvement in EMQ, and a 15 to 25 percent reduction in cost per acquisition within six weeks as the algorithm learns from the cleaner signal. The accounts that fail to see uplift are almost always the same two stories: broken deduplication, or low EMQ. Fix those, and CAPI does its job.

One more thing: monitor for silent failures

The most dangerous CAPI failure is not the loud one — it is the silent one. Your endpoint keeps returning HTTP 200 but Meta has quietly started dropping events because a required field changed format, the access token expired, or your domain verification lapsed. We have seen accounts lose two weeks of attribution before anyone noticed. Set up a synthetic monitor that fires a test event every hour and alerts you if Events Manager does not show it within five minutes. It takes thirty minutes to build and saves you from the exact disaster that destroys quarterly numbers.