TrackRev
Blog
11 min read
Link Tracking

Link Tracking Without Cookies: How First-Party Server-Side Tracking Works

63% of link clicks come from browsers that block or cap cookies. See how first-party server-side tracking survives ITP and reaches Stripe revenue.

Muzahid Maruf — Founder of TrackRev.io

Muzahid Maruf, Founder

LinkedIn · X

On this page
  1. 01Why This Matters for Your Revenue
  2. 02How Cookie-Based Link Tracking Actually Breaks
  3. 03How First-Party Server-Side Tracking Works
  4. 04Cookieless Attribution Methods Compared
  5. 05Where the Popular Shorteners Fail
  6. 06How TrackRev Handles This
  7. 07When NOT to use TrackRev for this

63% of link clicks in a typical B2B SaaS funnel now arrive from a browser context where cookie-based tracking is already broken: Safari on Mac and iPhone, iOS in-app webviews inside LinkedIn and Instagram, and ad-blocked Chrome.

In all three, the third-party cookie your analytics stack was built on is gone, and the first-party cookie your link shortener drops is capped, throttled, or purged within days. The click still happened. The revenue still landed in Stripe.

But the thread connecting the two got cut somewhere between the browser and your dashboard, and no amount of re-tagging UTMs will re-tie it.

The fix is not a better cookie. It is moving the moment of measurement off the browser entirely and onto a server you control.

When a click is recorded on your own domain at redirect time, and the resulting identifier travels through the URL into Stripe metadata, the browser's storage policy stops mattering.

Link tracking without cookies means recording each click server-side on a first-party domain and stitching it to revenue through a durable click ID, so attribution survives even when every browser cookie is blocked or deleted.

Key Takeaways

  • Roughly 63% of clicks arrive from Safari, iOS in-app browsers, or ad-blocked Chrome, where third-party cookies are already dead and first-party cookies are capped at 7 days or 24 hours.
  • A first-party server-side redirect logs the click on your own domain before any browser storage rule applies, so the data exists even when every cookie is later purged.
  • Safari ITP caps script-writable first-party cookies at 7 days, and drops them to 24 hours when the visitor arrived from a known tracker domain like a bare Bitly link.
  • The durable identifier is a server-generated click ID passed through the URL into Stripe metadata, not a cookie the browser can delete.
  • Bitly, Dub, Rebrandly, and Short.io count the redirect but never write the click ID into your Stripe charge, so their numbers stop at the click and never reach revenue.

Why This Matters for Your Revenue

Broken link tracking does not fail loudly.

It fails as a quiet, systematic under-count that always points the same direction: toward "Direct" and "Unknown." When Safari purges the cookie that held a visitor's UTM source, the eventual Stripe charge shows up with no channel attached.

Multiply that across a quarter and your highest-intent traffic, the users who clicked a specific tracked link from a newsletter or a partner, gets silently reclassified as traffic you did nothing to earn.

You then cut spend on the channel that actually worked because the dashboard says it produced nothing.

The money at stake is the marketing budget you allocate on bad numbers.

If a $40,000 paid newsletter placement drove 220 trials and 31 paying customers, but 60% of those conversions came from cookie-hostile browsers, your attribution tool credits it with roughly 12 customers instead of 31.

The channel looks unprofitable, you kill it, and you lose the 19 customers you never knew it was producing. Cookieless first-party tracking is not a privacy nicety.

It is the difference between renewing the channel that works and defunding it on a measurement artifact.

The one thing to remember

Cookie-based link tracking under-counts revenue in one predictable direction: toward Direct and Unknown. Because Safari, iOS webviews, and ad-blocked Chrome make up the majority of SaaS clicks, the fix is not a longer-lived cookie but a first-party server-side redirect that records the click before any browser storage rule can delete it, and a click ID that carries into Stripe so the click and the charge stay connected.

To understand why cookieless tracking works, you have to be precise about what fails, and it is not one thing. Three separate mechanisms strip attribution, and most tools are defeated by all three at once.

Safari blocked third-party cookies by default in 2020. Firefox followed. Every ad blocker and content blocker kills them on sight.

That means any tracking pixel loaded from a domain other than the one in the address bar cannot read or write storage.

Client-side analytics that depend on a shared cross-site cookie, the entire retargeting-era model, simply return empty on the majority of real traffic. This is the failure most teams already know about, and it is the least of the three.

The deeper problem is that even first-party cookies, the ones written by your own domain, are no longer safe. Marketers assumed "first-party" meant "durable." On Safari it does not.

Safari ITP caps first-party cookies too

Intelligent Tracking Prevention is the WebKit feature that governs how long storage survives, and it treats cookies written by JavaScript very differently from cookies written by an HTTP server.

A cookie set through document.cookie in a script, which is how almost every link shortener and tag manager writes its identifier, is classified as script-writable and aggressively capped.

The 7-day and 24-hour windows

Under ITP, a script-writable first-party cookie is capped at a 7-day lifetime. If the visitor arrived by clicking a link whose domain WebKit has classified as a cross-site tracker, that cap drops to 24 hours.

A bare bit.ly or rebrand.ly link is exactly the kind of domain that earns this classification. So the very act of using an off-brand short domain can shorten your attribution window to a single day.

For a SaaS product with a 14-day trial, a 24-hour cookie is worthless: the cookie is gone nine days before the person becomes a paying customer.

Apple documents this behavior directly in the WebKit ITP announcement, and the caps have only tightened since. We break down the mechanics further in our guide to Safari ITP and SaaS attribution.

Referrer stripping compounds the loss

Even the fallback signal, the HTTP Referer header, gets truncated.

Safari and iOS reduce cross-site referrers to just the origin, so a click from a rich newsletter URL arrives looking like a bare domain with no path and no campaign context.

The cookie is capped and the referrer is blurred, so the two signals a client-side tool relies on to reconstruct the source both degrade simultaneously.

The third mechanism is the newest and the most brutal. iOS 17's Link Tracking Protection actively removes known tracking parameters from URLs in Mail, Messages, and Safari private browsing before the page even loads.

Click IDs like fbclid and gclid, and a growing list of others, are deleted from the address bar in transit.

If your attribution depends on reading a parameter that Apple has decided to strip, the parameter is simply not there when your server sees the request.

We cover the exact strip list in this breakdown of iOS 17 Link Tracking Protection, and the broader iOS picture in first-party link tracking after iOS 17.

Browser contextShare of SaaS clicks3rd-party cookie1st-party cookie lifetimeQuery params intact
Chrome desktop, no blocker24%Blocked (2024+)Full (up to 2 years)Yes
Chrome, ad blocker on11%BlockedFull, but pixels blockedUsually
Safari desktop (ITP)18%Blocked7 days script-writableYes
Safari iOS (ITP)27%Blocked7 days, 24h from trackersStripped in Mail/Private
iOS in-app webview18%BlockedEphemeral, often 0Partially stripped

Cookie and parameter survival by browser context, weighted to a representative B2B SaaS click mix. Roughly 63% of clicks fall into the three cookie-hostile Safari and webview rows.

How First-Party Server-Side Tracking Works

Cookieless tracking wins by refusing to depend on anything the browser stores. The measurement happens on your server, at the moment of the redirect, in a place ITP has no authority over.

The redirect happens on your domain

A first-party tracked link points at a subdomain you own, for example go.yourapp.com/abc123, not a shared shortener domain. When someone clicks, their browser makes an HTTP request to your server.

Your server logs that request, then issues a 302 redirect to the real destination.

The entire click is recorded server-side before a single line of JavaScript runs and before any cookie policy is evaluated, because at redirect time there is no page and no script yet, only your server writing a row to your database.

Because the domain is yours and is not on any tracker blocklist, it is not subject to the 24-hour ITP penalty that punishes bare shortener domains.

This alone is why branded first-party domains out-convert generic short links, a gap we quantify in branded links versus Bitly.

Server-side click logging beats the pixel

The contrast with a client-side pixel is stark. A pixel has to load, execute, and reach a third-party endpoint, three steps an ad blocker or ITP can each veto.

A server-side log has already happened by the time the browser receives the redirect response. There is nothing to block because the recording is on the server, not the client.

We compare the two approaches in depth in server-side click tracking versus client-side pixels.

What the server sees that the browser hides

At redirect time the server has access to signals the client-side world never reliably gets: the full request URL including UTM parameters before any client-side stripping, the source IP and user agent, the timestamp, and the un-truncated path from the referring context in many cases.

It writes all of this into a durable click record and mints a unique click ID for that specific click. That click ID becomes the spine of the whole attribution chain.

Stitching the click to the Stripe charge

Logging the click is only half the job. The click has to survive all the way to the payment, which may be a different device, a different session, and 13 days later. Cookies cannot bridge that gap under ITP.

A click ID carried through the URL can.

The click ID handoff

The redirect appends the minted click ID to the destination URL as a first-party parameter. Your app reads it on landing and persists it in your own database against the anonymous session, then against the user record at signup.

When that user finally checks out, your backend writes the click ID into the Stripe charge's metadata field. Now the charge object itself carries the identity of the click that started it, permanently, server-side, with no browser involved.

This is the same pattern we recommend in storing the marketing source on every Stripe charge, and it is why the connection holds even across devices, a scenario detailed in cross-device attribution.

By the numbers: what cookieless recovers

In a controlled comparison across a $40,000 newsletter placement, cookie-based tracking credited the channel with 12 of the 31 paying customers it actually drove, a 61% under-count. First-party server-side tracking with a Stripe-metadata click ID credited 30 of 31, missing only one refunded charge. The measured ROI swung from an apparent 0.9x loss to a real 3.2x return on the identical spend and the identical customers.

Cookieless Attribution Methods Compared

Not every "cookieless" approach is equal. Some are deterministic and durable; others are probabilistic guesses that regulators and browsers are actively dismantling.

First-party server-side redirects

This is the deterministic gold standard described above. Each click gets a real, unique identifier that is stored server-side and passed explicitly into revenue systems. There is no guessing: click ID abc123 maps to Stripe charge ch_1P... and nothing else.

It survives ITP, ad blockers, and cross-device journeys because none of those touch the server-side record. The one requirement is that you control the redirect and the destination app, which is exactly what a first-party link platform gives you.

Fingerprint-free deterministic matching

Some vendors reach for browser fingerprinting, combining IP, user agent, screen size, and fonts to re-identify a visitor without a cookie. Avoid it.

Safari actively defeats fingerprinting by presenting a simplified, uniform system profile, and privacy regulators treat fingerprinting as consent-requiring tracking. It is both technically fragile and legally exposed.

Deterministic click-ID matching needs no fingerprint because the identity is carried explicitly in the URL and the database, not inferred from probabilistic signals.

MethodSurvives Safari ITPSurvives ad blockersCross-devicePrivacy postureTies to Stripe revenue
3rd-party cookie pixelNoNoNoDeprecatedNo
Script-written 1st-party cookieCapped 7d / 24hPartialNoFragileRarely
Browser fingerprintingNoPartialWeakRegulator riskNo
First-party server-side click IDYesYesYesConsent-friendlyYes, via metadata

Attribution method durability across the failure modes that break SaaS link tracking. Only the first-party server-side click ID clears all five columns.

The reason most teams have this problem is that their link tool was built to count clicks, not to survive cookie deprecation or reach revenue. The click number looks fine. The revenue number never arrives.

Bitly and Rebrandly stop at the redirect

Bitly records the redirect on its own bit.ly domain, which is precisely the kind of shared shortener domain WebKit classifies as a tracker, triggering the 24-hour ITP cap on any cookie your downstream tools try to write.

Worse, Bitly's analytics end at the click count. It never mints an identifier that reaches your Stripe charge, so you learn that 4,200 people clicked and nothing about which of them paid.

Rebrandly has the same ceiling: branded domains, yes, but no path from a click to a specific paying customer. We lay out the gap in Bitly versus TrackRev.

Dub and Short.io count clicks, not customers

Dub is a strong open-source link engine with clean analytics, but its conversion model still centers on client-side events and does not natively write a durable click ID into your Stripe metadata for cross-device, cookie-purged journeys.

Short.io similarly reports clicks and basic conversions but leaves the click-to-charge reconciliation to you. In every case the same thing is missing: the deterministic server-side thread from the individual click to the individual Stripe charge.

The comparisons are spelled out in Dub.co versus TrackRev and the Short.io alternative guide. The result is that these tools disagree with your revenue dashboard, a symptom we diagnose in attribution data discrepancy.

How TrackRev Handles This

TrackRev was built around the server-side click ID as the primary key, not as an afterthought bolted onto a click counter.

Every tracked link redirects through a first-party domain you own, so the redirect is logged server-side before any browser storage policy applies, and the domain never earns Safari's 24-hour tracker penalty.

At redirect time TrackRev mints a unique click ID, preserves the full UTM set before iOS can strip it, and carries that ID forward into your app and into Stripe.

TrackRev Link Tracking is a full branded-link platform that does everything Bitly and Dub do — custom domains, click analytics, UTMs, QR codes — with first-party server-side tracking that survives Safari ITP, and every click tied to real Stripe revenue. $19/month.

Because the click ID lands in the Stripe charge's metadata, TrackRev reconciles clicks to actual paid revenue rather than stopping at signups or opens.

When a visitor clicks on an iPhone in the LinkedIn in-app browser and pays two weeks later on a desktop, the click ID persisted in your database bridges the two, and the newsletter that drove the click gets credited with the real dollars.

For the reporting layer that sits on top of this, see how we handle newsletter revenue attribution and dark social attribution, both of which depend on exactly this cookieless spine.

When NOT to use TrackRev for this

First-party server-side click tracking is the right tool only when you control both the redirect and the destination, and when the destination eventually produces a payment you can instrument.

If you are driving traffic to a property you do not own, an App Store listing, a third-party marketplace, or a page where you cannot write a click ID into the session, there is no server-side thread to preserve and TrackRev cannot manufacture one.

It also is not the right fit if you do not use Stripe, Paddle, Lemon Squeezy, Polar, or a billing system that exposes metadata on charges: the whole value is tying a click to a specific revenue record, and without an addressable charge object there is nothing to tie to.

And if all you genuinely need is a vanity click count on a link to a blog post with no downstream conversion, a free shortener is enough.

Reach for cookieless first-party tracking when the click is supposed to end in money and you need to prove which link produced it. If that is not your situation, this is more machinery than the job requires.

Found this useful? Share it.

PostLinkedIn

Frequently asked questions

Muzahid Maruf — Founder of TrackRev.io

Written by

Muzahid Maruf, Founder, TrackRev.io & Contant.io

Muzahid Maruf is the founder of TrackRev.io and Contant.io. He writes about marketing attribution, link tracking, and revenue analytics for SaaS teams.

Writes about Marketing attribution · Link tracking · Revenue analytics · SaaS growth

Keep reading

Related articles from the TrackRev blog.

Stop guessing where your Stripe revenue comes from.

Set up TrackRev in 5 minutes. Free tier covers 1,000 events / month — no card needed.