Conversions API (CAPI): the operator's ultimate guide

Why CAPI exists

For most of digital advertising's history, conversion tracking lived in the browser. A user clicks an ad on Meta, lands on your site, completes a purchase. The Meta Pixel JavaScript on your /thank-you page fires a Purchase event back to Meta. Meta matches the event to the original ad click via a cookie (fbp and fbc). Optimization works.

This worked until roughly 2018. Then ad-blockers got better at blocking tracking pixels. Safari released Intelligent Tracking Prevention, which capped cookie lifetimes and broke cross-site tracking. IOS 14.5 in 2021 required apps to ask permission to track users — and 60-80% of users said no. Chrome announced third-party cookie deprecation. The browser-side tracking model started failing.

Meta launched the Conversions API in 2020 as the response. The conversion event fires from your server, not the browser. Server-to-server traffic isn't blocked by browser-based extensions. IOS opt-outs don't apply to server-side events the same way. The architecture survives the privacy-protection layer that's been added to browsers.

By 2026, every major paid platform has its own version: Meta CAPI, Google Enhanced Conversions and offline conversion import, TikTok Events API, LinkedIn Conversions API, Snap CAPI, Reddit CAPI, Pinterest CAPI. The architecture is universal; the platform-specific implementations vary.

Browser pixel vs CAPI vs hybrid

FIG. 01 — Hybrid pixel + CAPI flow

	Browser Pixel	CAPI	Hybrid (recommended)
Where it fires	User's browser	Your server	Both, with deduplication
Ad-blocker resistance	Low	High	High via CAPI fallback
iOS attribution	Degraded	Recovered	Best
Setup complexity	Low	Medium-High	Medium-High
Conversion match quality	5-7/10 typical	7-9/10 typical	8-10/10 typical

The 2026 standard is hybrid: browser Pixel and CAPI both fire for the same event, with a shared event_id for deduplication. Meta accepts both and counts the conversion once. The browser fires faster (immediate signal) and CAPI fires reliably (no blocking). Together they produce higher match quality than either alone.

Meta CAPI setup

1. Confirm the Pixel is installed and firing correctly. CAPI augments Pixel; it doesn't replace it.
2. Pick a CAPI implementation path. Options:
   • Shopify or BigCommerce native CAPI integration (easiest).
   • Server-side GTM with the Meta CAPI tag (see server-side container).
   • Stape's hosted server-side container.
   • Custom server-side implementation per Meta's API docs.
3. Configure event mapping. Match server-side events to your Pixel events using the same event names (Purchase, AddToCart, Lead, etc.).
4. Configure event_id for deduplication. Generate a unique ID per event (UUID or transaction ID); pass the same ID to both Pixel and CAPI. Meta deduplicates on this field.
5. Pass hashed first-party identifiers. Email, phone, name, address — hashed via SHA-256 on your server before sending to Meta. This is what makes CAPI's match quality higher than Pixel's.
6. Verify Event Match Quality in Events Manager. EMQ is Meta's 0-10 score of how well your events match real users. Target 8+ for production. Below 6 means broken setup.
7. Audit deduplication. Events Manager shows duplicate event rate. Above 5% usually means event_id isn't matching between Pixel and CAPI.

Google Enhanced Conversions (the Google equivalent)

Google's analog to CAPI works differently. Enhanced Conversions hashes first-party data (email, phone, address) at the page level and sends it alongside the standard conversion event. Google matches the hashed data against logged-in Google users on the back end to recover attribution that the cookie alone would have missed.

Two flavors:

• Enhanced Conversions for Web. Configure in Google Ads → Conversions → Diagnostics. Verifies your tag is collecting hashed first-party data.
• Enhanced Conversions for Leads. Pass hashed lead identifiers through offline conversion imports to recover full lead-to-customer attribution. See Enhanced Conversions.

TikTok Events API, LinkedIn CAPI, Snap CAPI, Reddit CAPI, Pinterest CAPI

Each platform has its own server-side conversion API. The mechanics are similar — fire conversion events from your server, pass hashed identifiers, target an event match quality threshold:

• TikTok Events API. Required for accurate Smart+ optimization. Setup via Shopify integration, server-side GTM, or custom.
• LinkedIn Conversions API. Generally available since 2024. Improves attribution in iOS-heavy and ad-blocker-heavy B2B audiences.
• Snap CAPI. For Snapchat ads.
• Reddit CAPI. Launched 2023. Improves Reddit Pixel reliability.
• Pinterest CAPI. Launched 2022. Required for accurate measurement.

The hashed identifier discipline

CAPI's match quality depends on the quality of the first-party data you pass. The standard fields:

Field	Format before hashing
email	lowercase, trimmed
phone	E.164 format with country code, digits only
first_name, last_name	lowercase, trimmed
city, state	lowercase, trimmed
zip	5-digit US zip or country-specific format
country	2-letter ISO code, lowercase
gender	'm' or 'f'
date of birth	YYYYMMDD format

All fields are SHA-256 hashed before sending. Hashing is irreversible — once hashed, the data can't be decoded back to PII. This is what makes the practice GDPR/CCPA-compliant.

EMQ (Event Match Quality) — the score that matters

Meta's Event Match Quality is a 0-10 score reflecting how well your conversion events match real Meta users. The score improves with:

• More identifier fields passed (email + phone + name + address beats email alone).
• Better data quality (real values, not test strings).
• Proper hashing format (SHA-256 with correct normalization).
• Consistent identifier passing across both Pixel and CAPI.

EMQ above 8 means Meta can match most conversions to real users, which means Advantage+ Shopping optimization works well. Below 6 means broken setup — Meta is throwing away conversion data because it can't match it.

Common CAPI mistakes

• Skipping event_id, which causes deduplication failure (double-counted conversions).
• Not hashing identifiers before sending (PII leak + platform rejection).
• Incorrect identifier format (phone without country code, email with leading whitespace).
• Server-side firing without browser-side fallback (loses immediate signal).
• Not configuring Consent Mode v2 alongside CAPI (modeled conversions need both).
• Pretending CAPI replaces the Pixel — they're complements, not substitutes.
• Skipping EMQ audits, leaving setup broken without realizing it.

How CAPI fits the broader stack

• GTM (especially server-side) for the firing layer.
• GA4 with Enhanced Conversions for Google's equivalent.
• Every paid platform's pixel + CAPI pair.
• Consent Mode v2 for compliance and modeled conversion lift.
• CDP or warehouse-side identity resolution to provide rich hashed identifiers.

Does CAPI replace the Pixel?

No. They're complements. The recommended pattern is hybrid — both Pixel and CAPI fire for every event with a shared event_id for deduplication. Hybrid produces higher match quality than either alone.

Is CAPI required?

Effectively yes for any account at meaningful scale. Without CAPI, iOS attribution and Advantage+/Smart+ optimization both degrade materially. CAPI is now standard setup, not advanced.

What's EMQ?

Event Match Quality — Meta's 0-10 score of how well your conversion events match real Meta users. Target 8+ for production. Improves with more hashed identifier fields and correct hashing format.

Do I need server-side GTM for CAPI?

Not strictly. Many platforms offer native integrations (Shopify, BigCommerce) that handle CAPI without server-side GTM. For complex setups with multiple destinations, server-side GTM is the cleanest architecture.

How do I check if CAPI is working?

In Meta Events Manager: (1) check Event Match Quality score, target 8+, (2) check duplicate event rate, should be below 5%, (3) check that both browser and server events are arriving for the same actions.

Is CAPI GDPR-compliant?

Yes, with proper consent. Hashed identifiers can be passed under both legitimate interest and consent bases. Consent Mode v2 layered on top ensures denied-consent users get cookieless treatment.

Operating checklist

1. Define the business outcome before opening the platform.
2. Configure conversion definitions and server-side events.
3. Onboard first-party data and verify match rates.
4. Set bid strategy and target based on real margin economics.
5. Build the campaign taxonomy before launching anything.
6. Launch with controlled budget; monitor daily for 14 days.
7. Pull weekly performance, creative, and audience reports.
8. Document the runbook so the next operator can pick it up.