Attribloom
All integrations

Any platform

One signed webhook away.

Live today

How it works

On a conversion your server fires one HMAC-SHA256-signed POST to our postback endpoint. We verify the signature, attribute the conversion to the affiliate whose link drove it, and record the commission.

We deduplicate on externalId so retries and double-fires are safe. If a sale is later refunded we claw back the commission automatically, within your configured refund window.

Works for web checkout, games, SaaS, marketplaces, or any platform where your server can make an outbound HTTPS request at the moment of conversion.

Setup

01

Grab your signing secret

Log in, go to Integrations, and copy the postback secret for your surface. Keep it server-side only.
02

Sign the request body

HMAC-SHA256 sign the string "${timestamp}.${rawBody}" using the secret. Timestamp is Unix milliseconds as a string.
03

POST to the conversions endpoint

Send the JSON body with three headers: x-ea-surface (your surface ID), x-ea-timestamp (unix-ms string), and x-ea-signature (hex HMAC). Include clickId from the tracking link when available.
04

We attribute, dedupe, and clawback

We respond 200 with attribution status. Retry on network errors: duplicate externalIds are safe.

Sign your postback

Sign `${timestamp}.${rawBody}` with your surface secret (HMAC-SHA256), then POST to https://api.attribloom.com/v1/conversions with the x-ea-surface, x-ea-timestamp (unix-ms), and x-ea-signature (hex) headers.

import crypto from "node:crypto";

const POSTBACK_URL = "https://api.attribloom.com/v1/conversions";
const SURFACE_ID   = "<your-surface-id>";
const SECRET       = "<your-postback-secret>"; // keep server-side only

const timestamp = Date.now().toString(); // unix-ms
const body = JSON.stringify({
  externalId:  "order_12345",          // your stable id for this conversion
  eventType:   "sale",                 // sale | subscribe | install | ...
  grossMinor:  4999,                   // 49.99 in minor units (integer)
  currency:    "USD",
  occurredAt:  new Date().toISOString(),
  clickId:     "<click id from tracking link>", // optional
});

// Sign HMAC-SHA256 of `${timestamp}.${rawBody}` with the surface secret.
const sig = crypto
  .createHmac("sha256", SECRET)
  .update(`${timestamp}.${body}`)
  .digest("hex");

await fetch(POSTBACK_URL, {
  method:  "POST",
  headers: {
    "content-type":   "application/json",
    "x-ea-surface":   SURFACE_ID,
    "x-ea-timestamp": timestamp,        // unix-ms string
    "x-ea-signature": sig,              // hex HMAC-SHA256
  },
  body,
});

Live today. Works for any platform.

Get startedI'm an affiliateTalk to us