
Referral Tracking: Methods and Best Practices

By Tolinku Staff

Referral tracking is the foundation of any referral program. Without accurate attribution, you cannot pay out rewards correctly, measure program performance, or make informed decisions about program design. Yet many companies implement referral tracking as an afterthought and end up with systems that misattribute conversions, miss mobile installs entirely, or break when users switch devices.

This guide compares the main referral tracking methods, examines where each one works well and where it falls short, and covers what you need to think about when choosing or combining them.

Method 1: Cookie-Based Tracking

Cookie-based tracking is the oldest and most widely used approach for web referral programs. When a user clicks a referral link, a cookie is set in their browser with the referral code and timestamp. When the same user signs up, your server reads the cookie and attributes the conversion.

How It Works

// On referral link click (server-side)
res.cookie('referral_code', 'ABC123', {
  maxAge: 30 * 24 * 60 * 60 * 1000, // 30-day attribution window
  httpOnly: true,
  secure: true,
  sameSite: 'lax',
});

// On signup
const referralCode = req.cookies.referral_code;
if (referralCode) {
  await attributeReferral(newUserId, referralCode);
  res.clearCookie('referral_code');
}

Accuracy and Limitations

Cookie tracking works reliably when the user clicks and converts in the same browser on the same device. That covers a significant portion of web traffic, but not all of it.

Where it breaks down:

  • Cross-browser: User clicks the link in Chrome, signs up in Safari. No match.
  • Cross-device: User clicks on desktop, signs up on their phone. No match.
  • Private/incognito browsing: Cookies set in a private window are discarded when the session ends.
  • iOS Safari ITP: Intelligent Tracking Prevention limits third-party cookie lifetime and has progressively restricted first-party cookies in cross-site contexts as well.
  • Cookie blocking: Privacy-focused browsers and ad blockers can prevent cookie writes entirely.
  • App installs: Cookies have no path into a native mobile app. If a user clicks your referral link and then installs your app, the cookie attribution chain is broken unless you use a different mechanism.

For a pure web product with a short conversion window, cookies are adequate. For mobile apps or anything with a multi-day conversion funnel, they are not sufficient on their own.
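
As an added example (not Tolinku's code and not part of the original snippet), one way to make the referral cookie verifiable server-side is to store the code with its click timestamp and an HMAC, so signup can reject edited values and enforce the attribution window itself instead of relying on the browser's cookie expiry. The secret value, the code format check and the function names are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumption: a server-side secret loaded from configuration; this value is a placeholder.
const SECRET = 'example-only-secret';
const WINDOW_MS = 30 * 24 * 60 * 60 * 1000; // same 30-day window as the cookie maxAge

function mac(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Builds the value to store in the referral_code cookie: "<code>.<clickTimeMs>.<hmac>"
function issueReferralCookie(code, now = Date.now()) {
  // Assumed code format: 4-16 upper-case letters or digits (no "." so the split is unambiguous)
  if (!/^[A-Z0-9]{4,16}$/.test(code)) throw new Error('invalid referral code');
  const payload = `${code}.${now}`;
  return `${payload}.${mac(payload)}`;
}

// Returns { code, clickedAt }, or null if the value is malformed, altered, or outside the window.
function verifyReferralCookie(value, now = Date.now()) {
  if (typeof value !== 'string') return null;
  const parts = value.split('.');
  if (parts.length !== 3) return null;
  const [code, ts, tag] = parts;
  const expected = Buffer.from(mac(`${code}.${ts}`));
  const given = Buffer.from(tag);
  // Constant-time comparison; lengths must match before timingSafeEqual is called
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const clickedAt = Number(ts);
  if (!Number.isSafeInteger(clickedAt)) return null;
  if (clickedAt > now || now - clickedAt > WINDOW_MS) return null;
  return { code, clickedAt };
}
```

On signup, pass `req.cookies.referral_code` to `verifyReferralCookie` and attribute only when it returns a result. Signing proves the value was issued by your server at that time; it does not by itself stop a user from clicking their own link.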

Method 2: Deep Link-Based Tracking

Deep link-based tracking is the right approach for mobile apps. Instead of relying on cookies, the referral code is embedded in a specially constructed URL. When the user clicks the link:

  • If the app is installed, the link opens the app and passes the referral data directly
  • If the app is not installed, the user goes to the App Store or Play Store, and after installing, the app reads the referral data on first launch (deferred deep linking)

See the deferred deep linking explainer for a detailed breakdown of how the install flow works.

How It Works

The link management system stores the referral metadata server-side, keyed to the link. When the app opens, it calls back to the server to retrieve the metadata associated with that install.

// iOS - on app first launch
Tolinku.shared.getDeepLinkData { data in
    if let referralCode = data?["referralCode"] as? String {
        // attribute this install
        AttributionService.shared.recordReferral(code: referralCode)
    }
}

// Android - on app first launch
Tolinku.getInstance().getDeepLinkData { data ->
    data["referralCode"]?.let { code ->
        AttributionService.recordReferral(code)
    }
}

Accuracy

Deep link-based tracking is the most accurate method for mobile app installs. The attribution is tied to the actual install event, not to a cookie that may or may not survive the browser session.

Limitations:

  • Requires a mobile SDK (adds a dependency to your app)
  • Attribution window after click must be configured correctly (how long after a click should an install be attributed?)
  • Does not help for web-only products without mobile apps
  • Requires careful handling of edge cases: reinstalls, device transfers, family sharing

For the full technical picture on how Tolinku handles this, see the referral links documentation and the deferred deep linking concepts page.

Method 3: Code-Based Tracking

Code-based tracking decouples the referral attribution from the click entirely. Instead of automatically attributing based on a link click, users manually enter a referral code during signup.

How It Works

The referrer shares their unique code (e.g., SARAH25) through any channel. The new user enters it in a field on the signup screen. No cookies, no deep links, no automatic attribution.

Accuracy

Code-based tracking has the highest attribution accuracy because it requires explicit user action. There is no ambiguity about whether a cookie was set or whether a device fingerprint matched.

Limitations:

  • Conversion rates are lower because entering a code is friction
  • Codes can be shared publicly (in coupon aggregator sites, forums, etc.) in ways you did not intend
  • No way to know which channel the code was shared through unless you use unique codes per channel
  • Self-referral fraud is easier: users can create multiple accounts and enter their own code

Code-based systems work best as a complement to automatic tracking, not a replacement. Dropbox famously used a hybrid approach: automatic attribution via their referral link, with a manual code entry as a fallback.

Method 4: Device Fingerprinting

Device fingerprinting attempts to match a referral click to a later install by building a probabilistic fingerprint from device signals: IP address, user agent, screen resolution, timezone, and similar attributes.

When a user clicks a referral link, you capture their fingerprint. When a new device installs the app and opens it for the first time, you compare fingerprints and attribute the install if the match probability exceeds a threshold.
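
The matching step described above, as an added example that is not taken from Tolinku or any attribution platform: each signal contributes a weight to a score, and an install is attributed only when exactly one referrer clears the threshold. The weights, the threshold and the sample records are constructed assumptions; the tie case shows why shared NAT addresses make fingerprinting unreliable.

```javascript
// Assumed integer weights per signal (they sum to 100); illustrative only.
const WEIGHTS = { ip: 40, userAgent: 30, screen: 15, timezone: 15 };

// Score from 0 to 100: sum of the weights of the signals that match exactly.
function matchScore(click, install) {
  let score = 0;
  for (const [signal, weight] of Object.entries(WEIGHTS)) {
    if (click[signal] !== undefined && click[signal] === install[signal]) score += weight;
  }
  return score;
}

// Returns the matching click, or null when no click clears the threshold or when
// clicks for different referral codes tie (e.g. several users behind one NAT address).
function matchInstall(clicks, install, threshold = 85) {
  const scored = clicks
    .map((click) => ({ click, score: matchScore(click, install) }))
    .filter((s) => s.score >= threshold)
    .sort((a, b) => b.score - a.score);
  if (scored.length === 0) return null;
  const top = scored.filter((s) => s.score === scored[0].score);
  const codes = new Set(top.map((s) => s.click.code));
  return codes.size === 1 ? top[0].click : null; // refuse to guess on a tie
}

// Constructed sample data (documentation IP ranges, made-up codes).
const INSTALL = { ip: '203.0.113.7', userAgent: 'UA-A', screen: '390x844', timezone: 'Europe/Berlin' };
const CLICK_SARAH = { code: 'SARAH25', ...INSTALL };
const CLICK_SAME_NAT = { code: 'ABC123', ...INSTALL }; // different referrer, identical signals
const CLICK_OTHER_IP = { code: 'XYZ789', ...INSTALL, ip: '198.51.100.9' };
```

With `CLICK_SARAH` and `CLICK_OTHER_IP` as candidates the install is attributed to `SARAH25`; with `CLICK_SARAH` and `CLICK_SAME_NAT` the function returns `null` rather than crediting an arbitrary referrer.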

Accuracy

Fingerprinting accuracy ranges from around 70% to 95% depending on how unique the device signals are. Accuracy is lower in environments with high NAT reuse (corporate networks, mobile carrier NAT), iOS with privacy-related API restrictions, and markets where devices are less diverse.

Apple has progressively restricted fingerprinting capabilities on iOS. Relying on fingerprinting as a primary method for iOS attribution is not advisable for new systems.

When to Use It

Fingerprinting works as a fallback when neither deep link attribution nor cookie attribution is available. Many link management platforms use it as a secondary signal rather than a primary one.

Cross-Device Tracking

The fundamental challenge with referral tracking is that users switch devices. Someone might:

  • See a referral link on desktop
  • Click it on their phone later
  • Install the app
  • Sign up later on their desktop

Accurate cross-device tracking requires stitching together these events with a common identifier. The options are:

Logged-in identity graph: If the user is already logged into your service on one device when they click, you can tie the click to their account and attribute the eventual signup on any device. This only works if you can identify the clicking user.

Probabilistic matching: Match events by fingerprint signals even without a deterministic ID. Accuracy degrades as described above.

User-provided linkage: When the new user signs up, ask them to verify their identity or confirm the referral. This is friction but produces accurate data.

For most consumer apps, combining deep link attribution (high accuracy, works for app installs) with cookie attribution (good for web) and a code entry fallback covers the large majority of cases.

Attribution Windows

An attribution window defines how long after a click a conversion can be attributed to that click. Typical values:

  • Short window (1-7 days): Reduces false attributions from old clicks, may miss users who research before converting
  • Standard window (14-30 days): Industry norm for mobile apps
  • Long window (60-90 days): Appropriate for high-consideration products where the sales cycle is longer

Most fraud involves clicks that are far outside the organic conversion window. Setting a sensible attribution window is a first-pass fraud filter.

When multiple clicks from different referrers happen within the attribution window, you need a tie-breaking rule:

  • Last click wins: Attribute to the most recent referral click. Simpler, incentivizes active sharing.
  • First click wins: Attribute to whoever first introduced the user. Better for programs where early discovery matters.
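
The window filter and tie-breaking rule above, as an added example (not Tolinku's implementation): clicks outside the window are set aside with a reason so they can be logged and reviewed, and the remaining clicks are resolved by first-click or last-click. The record shape, reason strings and sample click log are constructed assumptions.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// clicks: [{ code, clickedAt }] with timestamps in ms; convertedAt: conversion time in ms.
// Returns { winner, rejected }: the credited click (or null) and the clicks that were
// filtered out, each with a reason suitable for an audit log.
function resolveAttribution(clicks, convertedAt, { windowDays = 30, rule = 'last' } = {}) {
  if (rule !== 'first' && rule !== 'last') throw new Error(`unknown rule: ${rule}`);
  const windowMs = windowDays * DAY_MS;
  const eligible = [];
  const rejected = [];
  for (const click of clicks) {
    const age = convertedAt - click.clickedAt;
    if (age < 0) rejected.push({ click, reason: 'click_after_conversion' });
    else if (age > windowMs) rejected.push({ click, reason: 'outside_window' });
    else eligible.push(click);
  }
  eligible.sort((a, b) => a.clickedAt - b.clickedAt); // oldest first
  let winner = null;
  if (eligible.length > 0) {
    winner = rule === 'first' ? eligible[0] : eligible[eligible.length - 1];
  }
  return { winner, rejected };
}

// Constructed sample click log for one converting user.
const T = Date.UTC(2024, 0, 31); // conversion time
const SAMPLE_CLICKS = [
  { code: 'OLD111', clickedAt: T - 45 * DAY_MS },  // older than the 30-day window
  { code: 'SARAH25', clickedAt: T - 10 * DAY_MS },
  { code: 'ABC123', clickedAt: T - 2 * DAY_MS },
  { code: 'LATE99', clickedAt: T + 1 * DAY_MS },   // recorded after the conversion
];
```

With the default 30-day window, last-click credits `ABC123` and first-click credits `SARAH25`; the other two clicks come back in `rejected`.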

Choosing the Right Method

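| Method      | Web      | App Install | Cross-Device | User Friction | Fraud Risk |
|-------------|----------|-------------|--------------|---------------|------------|
| Cookie      | Good     | No          | Poor         | None          | Medium     |
| Deep Link   | Limited  | Excellent   | Good         | None          | Low        |
| Code Entry  | Good     | Good        | Good         | High          | Medium     |
| Fingerprint | Fallback | Fallback    | Medium       | None          | Low        |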

For mobile apps: Deep link-based tracking is the primary method, with fingerprinting as a fallback and code entry as a user-facing option.

For web products: Cookie-based tracking is sufficient for most cases, supplemented by code entry for users who share outside a single browser session.

For cross-platform products: You need all three: deep links for app installs, cookies for web, and code entry as a universal fallback.

Implementing with Tolinku


Tolinku's referral system handles all of these tracking methods. Deep link attribution is built into the SDK for iOS and Android. Cookie-based attribution is handled automatically for web clicks. Code entry attribution is supported via the referrals API.

The referral analytics dashboard shows attribution source breakdown so you can see what percentage of conversions came through each method.

See the referral setup guide for a step-by-step walkthrough of configuring tracking for your Appspace.

Best Practices Summary

  • Use deep links as the primary tracking method for any program with a mobile app
  • Set cookie attribution as a fallback for web conversions
  • Always offer code entry as a user-visible option (it has the highest attribution certainty)
  • Set an attribution window appropriate for your product's conversion timeline
  • Log all click events with metadata: timestamp, channel, device type, IP hash
  • Monitor attribution source distribution in analytics; anomalies often indicate fraud or a tracking configuration problem

Related reading: Building Referral Programs That Work, Mobile Attribution: A Developer's Guide, Referral Link Generation: Technical Implementation.
