Why the Meta Pixel Is No Longer Enough
The Meta Pixel (formerly Facebook Pixel) is a client-side JavaScript tag that tracks user actions on your website and reports them to Meta for ad attribution and optimization. But three forces have severely degraded its reliability:
- iOS 14.5+ App Tracking Transparency (ATT): Apple users who opt out of tracking are invisible to the Pixel
- Ad blockers: Browser extensions like uBlock Origin block the Pixel for 25–40% of desktop users
- GDPR consent: Users who decline cookies in your consent banner block the Pixel entirely
The Meta Conversions API (CAPI) is Meta's solution: a server-to-server integration that sends conversion events directly from your server to Meta, bypassing all client-side blocking.
Meta Pixel vs Conversions API
| Aspect | Meta Pixel (client-side) | Conversions API (server-side) |
|---|---|---|
| Data source | Browser | Your server |
| Ad blocker impact | Blocked for 25–40% of users | Unaffected |
| iOS ATT impact | Major degradation | Minimal — uses hashed emails/phones |
| GDPR/consent | Must wait for user consent | Can send non-PII events without cookie consent |
| Latency | Real-time | Near real-time (seconds) |
| Setup complexity | Simple | Moderate — requires server-side code |
Use Both Together for Best Results
Meta recommends running the Pixel and CAPI simultaneously with event deduplication. The Pixel captures real-time browser events (when consent is given), while CAPI fills in the gaps for blocked or opted-out users. This 'redundancy' approach consistently achieves higher Event Match Quality (EMQ) scores than either alone.
How CAPI Works With Consent
One of the most misunderstood aspects of CAPI is its relationship with consent. Here is the correct approach:
- With consent (analytics/marketing accepted): Send full event data including fbclid, fbc, fbp cookies, hashed PII (email, phone) for better matching
- Without consent: Send only non-PII event data (page view, purchase value without personal data). Meta uses this for aggregated measurement only
CookieBeam's CAPI integration automatically adjusts what data is sent based on the user's current consent state.
Meta CAPI Server-Side Setup
Create a Meta System User and access token
In Meta Business Manager, navigate to Business Settings → System Users. Create a system user with 'Advertiser' role on your Ad Account. Generate an access token with the ads_management and business_management permissions. Copy and securely store this token.
Get your Pixel ID
In Events Manager, select your Pixel and copy the Pixel ID from the top of the page. You'll need this as the pixel_id parameter in every CAPI call.
Connect CAPI in CookieBeam
In your CookieBeam dashboard, navigate to Integrations → Meta Conversions API. Enter your Pixel ID and System User access token. Enable event forwarding and choose which event types to forward server-side.
Configure event deduplication
For each event sent by both the Pixel and CAPI, you must use the same event_id. CookieBeam generates and synchronises event IDs automatically when you use the combined Pixel + CAPI mode.
Test with Meta's Test Events Tool
In Events Manager, click Test Events. Use the test code provided when calling the CAPI in development. Confirm events appear correctly before going live.
Monitor Event Match Quality
After 48 hours, check your Event Match Quality (EMQ) score in Events Manager. A score above 7 is good; below 6 indicates missing customer information fields. Add hashed email or phone number to improve matching.
CAPI Event Payload Example
Here is a standard CAPI purchase event payload. Customer data is hashed using SHA-256 before sending — never send raw PII to Meta.
1 // Node.js example using Meta Business SDK 2 const bizSdk = require('facebook-nodejs-business-sdk'); 3 const { EventRequest, UserData, CustomData, Content } = bizSdk; 4 5 const access_token = process.env.META_ACCESS_TOKEN; 6 const pixel_id = process.env.META_PIXEL_ID; 7 8 // Hash customer data with SHA-256 before sending 9 const crypto = require('crypto'); 10 const sha256 = (str) => crypto.createHash('sha256').update(str.toLowerCase().trim()).digest('hex'); 11 12 const userData = new UserData() 13 .setEmails([sha256('[email protected]')]) 14 .setPhones([sha256('+14155552671')]) 15 .setClientIpAddress(req.ip) 16 .setClientUserAgent(req.headers['user-agent']) 17 .setFbp(req.cookies['_fbp']) // Facebook browser ID 18 .setFbc(req.cookies['_fbc']); // Facebook click ID 19 20 const customData = new CustomData() 21 .setCurrency('EUR') 22 .setValue(99.99) 23 .setOrderId('ORDER-12345'); 24 25 const event = new bizSdk.ServerEvent() 26 .setEventName('Purchase') 27 .setEventTime(Math.floor(Date.now() / 1000)) 28 .setEventId(`evt_${Date.now()}_${Math.random()}`) // Must match Pixel event_id 29 .setEventSourceUrl(`https://yoursite.com/checkout/success`) 30 .setActionSource('website') 31 .setUserData(userData) 32 .setCustomData(customData); 33 34 const eventRequest = new EventRequest(access_token, pixel_id) 35 .setEvents([event]); 36 37 const response = await eventRequest.execute(); 38 console.log('CAPI response:', response);
Always Hash PII Before Sending
Never send raw email addresses, phone numbers, or other personal data to the CAPI endpoint. Meta requires all customer data to be hashed with SHA-256. CookieBeam's CAPI integration handles hashing automatically when you enable PII matching.
CAPI Launch Checklist
System user created with correct permissions
Advertiser role on the Ad Account. Access token generated and stored securely in environment variables.
Event deduplication IDs implemented
Same event_id used for Pixel and CAPI for the same user action to prevent double-counting.
PII hashed with SHA-256
Email, phone, and name must be hashed. IP address and user agent are sent unhashed but not stored by Meta.
Test Events verified in Events Manager
All key events (PageView, AddToCart, Purchase, Lead) appear correctly in the Test Events tool.
Consent signals integrated
CAPI only sends full PII-enriched events when the user has given marketing consent.
EMQ score monitored
Event Match Quality checked after 48 hours. Target score of 7+ for optimal ad performance.
Standard vs Custom Events for CAPI
Meta recognises two categories of events you can send through the Conversions API: Standard Events and Custom Events. Choosing the right event type is critical for optimising ad delivery, building audiences, and maximising Event Match Quality (EMQ).
Standard Events are predefined events that Meta's algorithm understands natively. They power automatic audience creation, value-based bidding, and predictive optimisation. Custom Events are events you define yourself — useful for actions that have no standard equivalent, but they cannot power some of Meta's automated optimisation features.
For most CookieBeam customers running e-commerce or lead generation, the following standard events cover the full conversion funnel:
| Event Name | Triggered When | Required Parameters | Recommended Parameters |
|---|---|---|---|
| PageView | Any page is loaded | event_time, action_source, event_source_url | fbp, fbc, client_ip_address, client_user_agent |
| AddToCart | User adds an item to the shopping cart | event_time, action_source, content_ids, content_type | value, currency, contents (array with id, quantity, item_price) |
| InitiateCheckout | User begins the checkout process | event_time, action_source | value, currency, content_ids, num_items |
| Purchase | Order confirmed / payment completed | event_time, action_source, value, currency, order_id | contents, num_items, hashed email/phone for matching |
| Lead | User submits a lead form or sign-up | event_time, action_source | lead_id, hashed email, hashed phone, content_name |
| CompleteRegistration | User finishes account registration | event_time, action_source | value, currency, status, hashed email |
| ViewContent | User views a product or content page | event_time, action_source, content_ids, content_type | value, currency, content_name, content_category |
| Search | User performs an on-site search | event_time, action_source | search_string, content_ids, value, currency |
Always Use Standard Events Where Possible
Custom events cannot be used to optimise Meta ad campaigns for conversions directly. Stick to standard events for Purchase, Lead, and other primary conversion goals. Use custom events only for intermediate micro-conversions that have no standard equivalent (e.g., 'VideoWatched50Percent' or 'QuizCompleted').
Advanced Matching: Customer Data Fields
Advanced Matching is the mechanism by which CAPI improves attribution by linking events to specific Meta user accounts using hashed customer data. The more customer data fields you provide — all hashed with SHA-256 — the higher your Event Match Quality (EMQ) score and the better your ad performance.
All fields must be normalised before hashing: emails lowercased and trimmed, phone numbers in E.164 format with country code, names lowercased. CookieBeam's server-side CAPI integration handles normalisation and hashing automatically when you provide raw values from your order management system.
Advanced Matching: All Matchable Customer Data Fields
Email address (em)
Highest-impact field. Normalise: lowercase, trim whitespace. Hash with SHA-256. Provides the best match rate of any single field.
Phone number (ph)
Second most impactful. Must include country code in E.164 format (e.g. +447911123456). Remove spaces, dashes, parentheses before hashing.
First name (fn)
Lowercase, remove special characters. Hash with SHA-256. Improves match rate when combined with last name and postal code.
Last name (ln)
Lowercase, remove special characters. Hash with SHA-256. Use together with fn for best results.
Date of birth (db)
Format: YYYYMMDD (e.g. 19901231). Hash with SHA-256. Useful for age-gated products or loyalty programmes.
Gender (ge)
Accepted values: 'f' or 'm' (lowercase). Hash with SHA-256. Minor impact on match rate but adds signal richness.
City (ct)
Lowercase, remove spaces. Hash with SHA-256. Useful when combined with other address fields.
State / Province (st)
Use the 2-letter ISO code for US states (e.g. 'ca' for California). Lowercase. Hash with SHA-256.
Postcode / ZIP (zp)
Include full postcode (e.g. 'sw1a 1aa' → 'sw1a1aa', lowercase, no spaces). Hash with SHA-256.
Country (country)
Lowercase 2-letter ISO country code (e.g. 'gb', 'de', 'fr'). Hash with SHA-256.
External ID (external_id)
Your internal customer or user ID. Hash with SHA-256. Enables consistent attribution for logged-in users across sessions.
Facebook Browser ID (fbp)
Read from the _fbp cookie if present and user has consented. Sent unhashed — it is a browser-generated non-PII identifier.
Facebook Click ID (fbc)
Read from the _fbc cookie or the fbclid URL parameter. Sent unhashed. Directly links the event to a specific ad click.
Troubleshooting CAPI: Common Issues and Fixes
The five most common CAPI implementation problems encountered by CookieBeam users are listed below. Each can significantly degrade your EMQ score or cause events to be rejected by Meta's API entirely.
Troubleshooting CAPI: Common Issues
If your CAPI events are not appearing in Events Manager, or your EMQ score is lower than expected, work through these common issues:
- Duplicate events without deduplication IDs: If you run both the Meta Pixel and CAPI simultaneously without setting the same
event_idon both, Meta will count every conversion twice. Fix: generate a UUID at the time of the event and pass it asevent_idto both the browser Pixel and the CAPI call. CookieBeam stores this ID in a first-party cookie and includes it in every server-side hit automatically. - Missing or incorrect
action_source: Theaction_sourcefield tells Meta where the event occurred. Usingwebsiteincorrectly for offline or phone events leads to data quality warnings. Accepted values are:website,app,phone_call,chat,email,other,physical_store,system_generated. - Sending raw (unhashed) PII: Meta will reject events that contain recognisable PII patterns in customer data fields. Always normalise and hash with SHA-256 before sending. CookieBeam's integration validates hashing automatically before dispatch.
- Stale or wrong access token: System user access tokens do not expire by default, but they can be revoked during Business Manager audits or security reviews. If events suddenly stop arriving, regenerate the token in Business Manager under System Users and update your CookieBeam integration settings.
- Clock skew on the server (event_time): Meta rejects events with an
event_timemore than 7 days in the past or in the future. Ensure your server's clock is synchronised (NTP). If processing events asynchronously from a queue, validateevent_timeis set to the original event time, not the processing time.
CAPI with Google Tag Manager Server Container (sGTM)
One of the most powerful deployment patterns for Meta CAPI is routing it through a Server-Side Google Tag Manager container. This approach lets you manage both GA4 and Meta CAPI events from a single server container, without needing custom backend code for each platform.
Here is how the sGTM + CAPI integration works:
- The GTM web container on your site sends a single request to your sGTM server (e.g.
https://gtm.yourdomain.com) - Inside sGTM, a Meta Conversions API tag template receives the event data
- The sGTM tag transforms and forwards the event to
https://graph.facebook.com/v18.0/{pixel_id}/eventsas a server-to-server call - CookieBeam's consent signals, passed in the sGTM hit, gate the Meta tag — it only fires when
ad_storageis granted
The sGTM approach is particularly valuable because it gives you a single, auditable point of control over everything sent to Meta. You can scrub PII fields, add or remove parameters, and enforce consent rules — all within the server container without touching your application code.
1 // sGTM Server Container: Meta CAPI Tag Template variable mapping 2 // (configured in the GTM Server Container UI, not as code — 3 // this shows the logical mapping for documentation purposes) 4 5 // Event data arriving from web container: 6 const incomingEvent = { 7 event_name: {{Event Name}}, // e.g. 'Purchase' 8 event_id: {{Event ID}}, // dedup UUID from web container 9 value: {{Ecommerce Value}}, 10 currency: {{Ecommerce Currency}}, 11 order_id: {{Transaction ID}}, 12 13 // Customer data — pre-hashed by CookieBeam before dispatch: 14 em: {{Hashed Email}}, 15 ph: {{Hashed Phone}}, 16 fn: {{Hashed First Name}}, 17 ln: {{Hashed Last Name}}, 18 19 // Browser signals (not hashed): 20 fbp: {{FBP Cookie}}, 21 fbc: {{FBC Cookie}}, 22 client_ip_address: {{IP Override}}, // Replace with server IP or anonymise 23 client_user_agent: {{User Agent}}, 24 }; 25 26 // Consent gate in the sGTM tag trigger condition: 27 // Fire ONLY when: consent_ad_storage == 'granted' 28 // This is enforced via CookieBeam's sGTM consent variable
Measuring CAPI Success: Key Metrics to Monitor
Event Match Quality (EMQ)
Scored 0–10 in Meta Events Manager. Reflects how well customer data matches Meta accounts. Target 7+. Improve by adding more hashed PII fields (email, phone, address).
Match Rate
Percentage of CAPI events successfully matched to a Meta user account. Healthy range: 40–70%. Low rates indicate missing or poorly normalised customer data fields.
Deduplication Rate
Shows what % of events were de-duplicated between Pixel and CAPI. A rate of 30–60% is normal when running both. Rates above 80% suggest event_id mismatches.
Incremental Conversions Recovered
The conversions attributed via CAPI that the Pixel alone would have missed. Visible in Events Manager's comparison view. Directly measures the ROI of your CAPI investment.
Event Volume Coverage
Compare CAPI event volume against your CRM or order management system. CAPI should report 95%+ of actual conversions. Gaps indicate infrastructure or consent configuration issues.
Cost per Result (Ads Manager)
The ultimate business metric. Advertisers with EMQ 7+ typically see 15–25% lower CPA compared to Pixel-only setups, as Smart Bidding has higher-quality signals to optimise against.
Frequently Asked Questions: Meta Conversions API
Do I need to remove the Meta Pixel if I implement CAPI?
No — and you should not remove it. Meta's recommended approach is to run both the Pixel and CAPI simultaneously. The Pixel captures real-time browser-side signals (click IDs, fbp cookies) that enhance matching quality, while CAPI fills in the gaps for ad-blocked or non-consenting users. Use event deduplication IDs to prevent double-counting. CookieBeam manages this dual-track setup automatically.
Is CAPI GDPR-compliant without user consent?
CAPI can send a limited set of non-PII events (such as PageView) without consent for aggregated measurement purposes under certain interpretations of legitimate interest. However, sending hashed customer data (email, phone) requires explicit ad_user_data consent under GDPR and Google Consent Mode v2 standards. CookieBeam's CAPI integration enforces this automatically: full customer-data-enriched events are only sent when marketing consent has been granted by the user.
What is the minimum data required for a useful CAPI implementation?
At the absolute minimum, each event needs: event_name, event_time, action_source, and one customer data field for matching (typically em — hashed email). However, a minimum viable implementation will have a low EMQ score. Adding hashed phone, first name, last name, and the fbp/fbc cookie values will push your EMQ above 7 and unlock the full benefits of CAPI.
How quickly do CAPI events appear in Events Manager?
Standard CAPI events appear in Events Manager within a few minutes under normal conditions. However, the match rate and EMQ score take 24–48 hours to fully compute, as Meta needs sufficient event volume to calculate accurate statistics. Test Events (using a test code) appear in near real-time during development.
Can CAPI be used with Shopify, WooCommerce, or other e-commerce platforms?
Yes. CookieBeam provides a dedicated server-side CAPI integration for Shopify via webhook-based event forwarding (no custom code required), and a WooCommerce plugin that hooks into the order completion event. For custom platforms, CookieBeam exposes a REST API that your backend can call to forward events server-side with correct normalisation and hashing applied automatically.
What happens to CAPI data under a GDPR data deletion request?
Meta's data deletion policies mean that once hashed customer data is processed and matched, the raw event data is discarded. However, if a user submits a deletion request under GDPR, you must also notify Meta via the Offline Conversions Data Deletion API to request removal of associated conversion data. CookieBeam documents this requirement in the CAPI integration settings and provides the relevant API reference.
Your CAPI Implementation Is Complete
With CookieBeam's server-side CAPI integration, you benefit from higher EMQ scores, improved Meta ad attribution, and full GDPR compliance — without writing backend hashing logic from scratch. Monitor your Event Match Quality weekly in Meta Events Manager and review the CookieBeam CAPI diagnostics panel for real-time event delivery status.