Affiliate System and S2S Postbacks: Exact Attribution

1) Why all this and what is "exact attribution"

Affiliates cite traffic and expect transparent payment for targeted activities (registration/deposit/jealousy). The operator wants fraud protection, consistent reports and a predictable economy. "Exact attribution" means:

unambiguous link click → session → event (FTD/deposit/revenue);
Deterministic rules (windows, priorities, multi-touch)
idempotent S2S postbacks and reconciled reports;
single currency/settlement timezone and clear statuses.

2) Payment models and key definitions

CPA (Cost per Acquisition): fixed per event (usually FTD - first deposit) when conditions are met (LCC/min. deposit/NGR> 0).

RevShare: Percentage of NGR/Net Gaming Revenue player for period/entire LTV (with ceilings/floor).

Hybrid: CPA + RevShare.

CPL/CTR/RS metrics: CR to register, CR to FTD, ARPU/ARPPU, eCPA/eRPS.

FTD - first time depositor, Qualified FTD - FTD after anti-fraud/vaping.

3) Traffic marking: links, UTM and sub-parameters

Affiliate tracking link (example):


https://brand. com/track? aff_id=42&campaign_id=uk_oct&click_id={CLICK_ID}
&sub_id1={SOURCE}&sub_id2={ADGROUP}&sub_id3={CREATIVE}&t=slot-promo

Recommended ontology:

'aff _ id '- partner,' campaign _ id '- offer/country,' click _ id '- unique click identifier (GUID/ULID),' sub _ id1.. 5 '- free fields (source/ad/creative/placement/A/B).
On the landing, create a click session and set the cookie 'aff _ click _ id' (HTTP-only, same-site), simultaneously save it to the server rack (anti-cookie-loss).

4) Attribution windows and priorities

Click-through window: 30 days (registration/FTD).

Engagement window (after registration before FTD): 7-14 days.

Priorities: last-click among affiliates (inside the last promotion), but does not overlap direct brand search according to internal rules (document).

Multi-touch: keep a chain of clicks, but pay according to the "payout rule" (for example, last-click). For analytics, show the contribution of all touches.

5) S2S Postbacks: Events and Contracts

Why S2S: the browser pixel is unreliable (adblock/browser policy). The S2S postback → the webhook to the affiliate/tracker side without the client's participation.

Events that usually send

`registration` (sign-up)

'ftd '(first deposit)
'qualified _ ftd '(after CCR/waking)
'deposit '(each deposit)
'revenue '(RevShare: NGR/GGR for the period)

`chargeback	refund	self_exclusion' (negative adjustments)

Example of S2S postback (HTTP POST, JSON)


POST https://aff-network. com/postback
Headers: X-Signature: sha256=ab12..., X-Timestamp: 1730000000
Body:
{
"aff_id": "42," "click_id": "clk_9f23", "event": "ftd," "user_id": "u_12345" ,//alias, not PII
"amount_minor": 2000,  "currency": "EUR",  "market": "DE",  "ts": "2025-10-23T17:41:26Z",  "session_id": "s_77",  "sub_id1": "fb",  "sub_id2": "adg_12",  "sub_id3": "cr_88"
}

Safety and idempotence

HMAC signature: 'sig = HMAC_SHA256 (secret, body + timestamp)', reject if '	now - ts	> 5m`.
Idempotency-Key in header/body = 'event _ id'. Repeat - return the previous result.
429/5xx → retras with exponent and jitter; DLQ after N attempts.
IP/ASN allow-list, mTLS for critical partners.

6) Click binding: how not to lose attribution

At registration: match 'aff _ click _ id' from cookie/server session with 'user _ id' (+ device fingerprint as backup, but GDPR-sensitive, use only with consent).

With FTD: search for the last valid click session in the window; if not, return 'organic/direct'.

Dedup: if two FTDs went on the same day due to PSP retrays, we pay once (unique FTD flag on 'user _ id').

7) Antifraud and vaping

Lifetime: FTD → status' PENDING'for 24-72 hours, qualified after CCD/no chargeback.

Signals: "burst" from hosting-ASN, VPN/Proxy, high registration speed, cookie-stuffing (click without a real session), mis-match geo/currency.

Weighting: Reduce CPA payouts by quality thresholds (e.g. NGR <0, retention

List of exceptions: branded SEM, prohibited sources, incident traffic - ban/0-payments.

8) Economics and formulas

NGR = GGR − bonuses − jackpots − provider fi − PSP fi − chargebacks.

RevShare payout = NGR × RS% (с min/max cap).

Hybrid payout = CPA + NGR × RS%.

eCPA = Payout/Number of FTDs, Affiliate ROI = Payout − TrafficCost.

Document the settlement currency (for example, EUR) and the daily FX rate (ERU/provider).

9) Data diagrams (simplified)

sql
-- Clicks/Sessions aff_clicks (
click_id text primary key,  aff_id int, campaign_id text,  sub1 text, sub2 text, sub3 text, sub4 text, sub5 text,  ts timestamptz, ip inet, asn int, ua text, landing text
);

-- User binding aff_attribution (
user_id bigint primary key,  click_id text references aff_clicks(click_id),  aff_id int, campaign_id text,  attributed_at timestamptz,  window_days int, rule text -- e. g. 'last_click'
);

-- Postback Events aff_events (
event_id uuid primary key,  user_id bigint, click_id text,  event_type text,     -- registration/ftd/deposit/revenue/adjustment amount_minor bigint, currency char(3),  ngr_minor bigint,     -- для revenue occurred_at timestamptz,  status text,       -- pending/sent/acked/failed retries int default 0
);

-- aff_payouts Affiliate Financial Accounting (
payout_id uuid primary key,  aff_id int, period month, currency char(3),  model text,        -- CPA/RevShare/Hybrid cpa_minor bigint, rs_minor bigint, adjustments_minor bigint,  total_minor bigint, status text   -- draft/issued/paid
);

10) Reporting and panels

Performance (day/market/offer): clicks, registrations, FTD, CR, depositors, GGR/NGR, payouts, eCPA.

Cohort slice: D1/D7/D30 retention, NGR/deposits per player, share of chargebacks.

Discrepancy panel: discrepancies between clicks/registrations/FTD and affiliate tracker (± X%).

Fraud heatmap: ASN/countries/sites with anomalies.

11) Calculation and reconciliation procedure

1. Daily - raw events in slices (clicks/reg/FTD/deposits/NGR), CSV/S2S unloading.

2. Once per period (week/month) - invoice draft with decoding and adjustments (chargeback/returns).

3. Arbitration: dispute window (usually 5-10 working days), documented reasons for deviations (fraud, non-compliance with the offer, incident).

4. Final account → payout (SEPA/SWIFT/crypto) with period reference; 'issued/paid'statuses.

5. Audit: WORM snapshots of reports, signature/hash.

12) Privacy and compliance

Parties do not need PII: use aliases ('user _ id', 'hash (email)' if necessary with salt).

DPA with affiliate networks, specifying roles (controller/processor), retention periods for clicks/events.

Consent for cookie/UTM; fingerprinting - only on legal grounds.

Geo-restrictions of offers (countries of license), age filters.

13) API Examples

13. 1. Click registration (server-side, optional)

http
POST /v1/aff/click
{"aff_id":42,"campaign_id":"uk_oct","click_id":"clk_9f23","sub1":"fb","sub2":"adg12"}
→ 202 {"status":"ok"}

13. 2. User Registration Binding

http
POST /v1/aff/attach
{"user_id":12345,"click_id":"clk_9f23","ip":"1. 2. 3. 4","ua":"..."}
→ 201 {"attributed": true, "rule":"last_click","window_days":30}

13. 3. Postback to the network side (our "outgoing")

http
POST https://aff. example/postback
Headers: X-Idempotency-Key: evt_7a1, X-Signature: sha256=...
Body: {"event":"ftd","click_id":"clk_9f23","amount_minor":2000,"currency":"EUR","ts":"..."}
→ 200 {"ok":true}

14) Anti-traps and incidents

A. Cookie-stuffing

Signs: many clicks without session/scroll/time on the page.

Measures: server click-log + threshold of "valid session" (minimum activity), ignore the last clicks if suspected.

B. Different Timezones/Currencies → Report Discrepancies

Measures: unified settlement TZ (for example, UTC or Europe/Kyiv) and currency (EUR); conversion on a fixed course source with a daily snapshot.

C. Postback doubles

Measures: Idempotency-Key + unique index 'event _ id', status machine 'pending→acked'.

D. Splash of fraud from hosting-ASN

Measures: WAF/bot manager, stop offers by segment, FTD trading, 0-payments by disputed sources before the proceedings.

15) Dashboards for daily work

Affiliate Overview: FTD/depositors/NGR/payments for the top 10 partners for 7/30 days.

Funnel: clicks → register → KYC → FTD (CR in steps, time to FTD).

Quality: hold/ARPPU/chargeback rate by offers.

Tech Health: p95 postback delay, HMAC error, retrai, DLQ.

Finance: acts/invoices, status of payments, accounts receivable.

16) Delivery checklist

Unified UTM/' sub _ id '+ mandatory' click _ id '.
Linking a click to a user with server insurance (session store).
Attribution windows and priority rule are documented; multi-touch is stored for analytics.
S2S postbacks: HMAC, timestamp-sliding window, Idempotency-Key, retrays + DLQ.
Antifraud: weitings FTD, ASN/Proxy filters, cookie-stuffing protection, quality-weights.
Reconciliation: daily uploads, periodic invoices, dispute window, acts.
The time zone/settlement currency is the same; FX sources are fixed.
Privacy: aliases instead of PII, DPA/retention.
Observability: dashboards, alerts on delay/postback errors, discrepancy panel.
Offer documentation: geo/qualification conditions/payment rules.

Resume Summary

A reliable affiliate system is deterministic attribution rules, secure S2S postbacks with idempotency, anti-fraud circuits and strict reconciliation. Standardize link parameters, store clicks and touch chains, pay according to an understandable model (CPA/RevShare/Hybrid), fix windows and timezones, protect webhooks and automate invoicing. Then you will have clean reports, less controversy and a sustainable unit economy for the operator and partners.