The simplest form is a URL parameter:<\/p>\n\n\n\n
https:\/\/yourapp.com\/signup?ref=abc123\n<\/code><\/pre>\n\n\n\nThis works for basic web flows. It breaks down the moment the user:<\/p>\n\n\n\n
\n- Clicks on mobile and your app is installed (should open the app, not the browser)<\/li>\n
- Clicks on mobile and your app is not installed (needs to land correctly after install)<\/li>\n
- Shares via a surface that strips query parameters (some messaging apps do this)<\/li>\n
- Copies the link and pastes it somewhere that truncates it<\/li>\n<\/ul>\n\n\n\n
A production referral system needs deep link-aware URLs that handle all of these cases.<\/p>\n\n\n\n
Server-Side vs Client-Side Generation<\/h2>\n\n\n\n
Client-side generation<\/strong> (building the link in the browser or app) is tempting because it is fast and requires no API call. The problem is that you cannot validate anything client-side. A user can manipulate the referral code before sharing, create synthetic links with arbitrary codes, or generate links for other users' IDs.<\/p>\n\n\n\nServer-side generation<\/strong> is the correct approach. When a user requests their referral link, your server:<\/p>\n\n\n\n\n- Authenticates the request<\/li>\n
- Looks up (or generates) the user's referral code<\/li>\n
- Creates the link with verified attribution data<\/li>\n
- Returns the URL<\/li>\n<\/ol>\n\n\n\n
This adds a round trip but gives you control over the data that ends up in the link.<\/p>\n\n\n\n
Generating Unique Codes<\/h3>\n\n\n\n
The referral code is the identifier that ties a click back to a referrer. A few approaches:<\/p>\n\n\n\n
Deterministic from user ID.<\/strong> Hash the user ID with a secret salt and take a substring. Fast, no storage needed, but codes are predictable if someone discovers your algorithm.<\/p>\n\n\n\nconst code = crypto\n .createHmac('sha256', process.env.REFERRAL_SECRET)\n .update(userId)\n .digest('base64url')\n .slice(0, 8)\n .toUpperCase();\n<\/code><\/pre>\n\n\n\nRandom with storage.<\/strong> Generate a random code and store the user-to-code mapping. More flexible (users can regenerate their code, you can revoke codes), requires a database lookup on every click.<\/p>\n\n\n\nSequential with obfuscation.<\/strong> Use a numeric ID but encode it with something like Hashids<\/a> so it does not look sequential. Avoids enumeration attacks while keeping codes short.<\/p>\n\n\n\nFor most applications, random codes stored in a referral_codes<\/code> table are the right choice. They are short enough to share verbally (important for some use cases), easy to look up, and straightforward to revoke.<\/p>\n\n\n\nURL Structure Options<\/h2>\n\n\n\nQuery Parameter Approach<\/h3>\n\n\n\nhttps:\/\/yourapp.com\/signup?ref=ABC123\n<\/code><\/pre>\n\n\n\nPros: simple, works everywhere, easy to parse.\nCons: can be stripped by some platforms, looks like tracking to privacy-conscious users, does not work for mobile app deep linking without additional handling.<\/p>\n\n\n\n
Path-Based Approach<\/h3>\n\n\n\nhttps:\/\/yourapp.com\/r\/ABC123\nhttps:\/\/yourapp.com\/invite\/ABC123\n<\/code><\/pre>\n\n\n\nPros: cleaner, less likely to be stripped, easier to make memorable.\nCons: requires server-side routing for every code, slightly more complex to implement.<\/p>\n\n\n\n
Subdomain Approach<\/h3>\n\n\n\nhttps:\/\/ABC123.yourapp.com\n<\/code><\/pre>\n\n\n\nRarely worth the infrastructure complexity for referral links specifically.<\/p>\n\n\n\n
Deep Link-Aware URLs<\/h3>\n\n\n\n
The best approach for mobile apps is to use a link management system that generates URLs which:<\/p>\n\n\n\n
\n- Redirect to the App Store or Google Play if the app is not installed<\/li>\n
- Open the app directly if it is installed (via Universal Links on iOS or App Links on Android)<\/li>\n
- Pass the referral code through the install so it is available when the app first opens (deferred deep linking)<\/li>\n<\/ul>\n\n\n\n
See the Tolinku deep linking docs<\/a> for a full explanation of how deferred deep linking works. This is the mechanism that makes referral attribution work after an app install.<\/p>\n\n\n\nEmbedding Referral Data in Deep Links<\/h2>\n\n\n\n
When you create a deep link for a referral, you embed the referral code in the link's metadata. The link management system preserves this data through the entire flow, including through the App Store redirect and install.<\/p>\n\n\n\n
A referral link might carry:<\/p>\n\n\n\n
{\n "referralCode": "ABC123",\n "referrerId": "user_789",\n "campaign": "friend-invite",\n "channel": "in-app-share",\n "createdAt": "2026-03-04T10:00:00Z"\n}\n<\/code><\/pre>\n\n\n\nWhen the new user opens your app for the first time (or clicks the link if the app is already installed), your SDK reads this metadata and you can:<\/p>\n\n\n\n
\n- Pre-fill the signup form with context ("You were invited by Sarah")<\/li>\n
- Attribute the new user to the referrer immediately<\/li>\n
- Trigger the reward flow automatically<\/li>\n<\/ul>\n\n\n\n
Using the Tolinku API for Referral Link Generation<\/h2>\n\n\n\n
![\"Tolinku](\"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/platform-platform-referrals.png\")
<\/p>\n\n\n\n
Tolinku's referral API<\/a> handles the link creation, deep link generation, and attribution tracking in one call. Here is a basic server-side implementation:<\/p>\n\n\n\n\/\/ Generate a referral link for a user\nasync function generateReferralLink(userId, options = {}) {\n const response = await fetch('https:\/\/app.tolinku.com\/v1\/referrals\/links', {\n method: 'POST',\n headers: {\n 'Authorization': `Bearer ${process.env.TOLINKU_SECRET_KEY}`,\n 'Content-Type': 'application\/json',\n },\n body: JSON.stringify({\n referrerId: userId,\n campaign: options.campaign || 'default',\n channel: options.channel || 'unknown',\n metadata: {\n userId,\n ...options.metadata,\n },\n }),\n });\n\n const data = await response.json();\n return data.url; \/\/ e.g., https:\/\/go.yourapp.com\/r\/ABC123\n}\n<\/code><\/pre>\n\n\n\nThe referral setup guide<\/a> walks through configuring your Appspace for referral tracking, including setting up the attribution window and reward triggers.<\/p>\n\n\n\nFor a full walkthrough of link structure and parameters, see the referral links documentation<\/a>.<\/p>\n\n\n\nUnique Codes vs URL Parameters: Which to Use<\/h2>\n\n\n\n
This is not really an either\/or decision. Most production systems use both:<\/p>\n\n\n\n
\n- The URL path or subdirectory<\/strong> contains the human-readable or shareable form:
\/r\/ABC123<\/code><\/li>\n- The underlying link<\/strong> contains richer metadata that does not need to be in the URL itself<\/li>\n<\/ul>\n\n\n\n
What you should avoid is putting sensitive data in the URL directly (like the user's internal database ID as a plain integer). Even if your codes are random, treat them as semi-public and do not design your system so that knowing someone's referral code reveals anything sensitive about them.<\/p>\n\n\n\n
Handling Link Expiration and Revocation<\/h2>\n\n\n\n
Referral links generally should not expire for standard programs. A user shares their link in a tweet, it gets picked up six months later, and you want it to still work. However, you may want to:<\/p>\n\n\n\n
\n- Revoke codes<\/strong> for users who have been banned or who violated terms<\/li>\n
- Expire campaign-specific links<\/strong> that were generated for a limited-time promotion<\/li>\n
- Rotate codes<\/strong> on user request (some users want to reset their referral history)<\/li>\n<\/ul>\n\n\n\n
Build your code storage with a status<\/code> field (active, revoked, expired) and a campaign_id<\/code> foreign key. When a link is clicked, validate both the code status and the campaign window before attributing the referral.<\/p>\n\n\n\nTracking Attribution After Click<\/h2>\n\n\n\n
The click itself is only the first step. You need to:<\/p>\n\n\n\n
\n- Record the click with timestamp, referral code, and metadata (user agent, IP hash for fraud checks)<\/li>\n
- Store a cookie or device fingerprint so you can match the click to a later signup<\/li>\n
- When the new user signs up, look up pending attribution and create the referral record<\/li>\n
- Trigger the reward flow<\/li>\n<\/ol>\n\n\n\n
For mobile installs, step 2 is handled by the deep link system rather than cookies. The Tolinku SDK reads the deferred deep link data on first app launch and passes it to your attribution callback.<\/p>\n\n\n\n
\/\/ iOS SDK - read referral data on first launch\nTolinku.shared.getReferralData { data in\n guard let referralCode = data?["referralCode"] as? String else { return }\n \/\/ attribute the install to this referral code\n YourAPI.attributeInstall(referralCode: referralCode)\n}\n<\/code><\/pre>\n\n\n\nShort Links for Sharing<\/h2>\n\n\n\n
Long URLs with query parameters or encoded metadata are impractical for manual sharing (SMS, verbal communication, printed materials). Generate short links as the user-facing format and resolve them server-side to the full attribution URL.<\/p>\n\n\n\n
Most link management platforms handle this automatically. The short link (go.yourapp.com\/r\/ABC123<\/code>) redirects to the full destination with all attribution metadata intact.<\/p>\n\n\n\nFor the full picture on how Tolinku handles referral attribution end to end, see the referral features page<\/a> and the rewards and attribution docs<\/a>.<\/p>\n\n\n\nSummary<\/h2>\n\n\n\n
Solid referral link generation comes down to a few decisions made correctly:<\/p>\n\n\n\n
\n- Generate codes server-side with validation, not client-side<\/li>\n
- Use deep link-aware URLs for mobile apps so attribution survives the install<\/li>\n
- Store codes with status and campaign metadata so you can revoke and expire them<\/li>\n
- Keep the user-facing URL short and clean, while the underlying link carries full attribution data<\/li>\n
- Hook into your SDK's deferred deep link callback for mobile attribution<\/li>\n<\/ul>\n\n\n\n
These choices compound. A referral system built on top of reliable link infrastructure is much easier to extend with fraud prevention, tiered rewards, and analytics than one built on simple query parameters and cookies.<\/p>\n\n\n\n
Related reading: Building Referral Programs That Work<\/a>, Deferred Deep Linking: How It Works<\/a>, Tolinku Referral Use Cases<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"Generating referral links is more than appending a query parameter to a URL. This guide walks through server-side generation, URL structures, embedding referral data in deep links, and using the Tolinku API to build a complete referral link system.<\/p>\n","protected":false},"author":2,"featured_media":671,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Referral Link Generation: Technical Implementation","rank_math_description":"Learn how to generate referral links the right way: server-side generation, URL structures, deep link embedding, unique codes vs parameters, and the Tolinku API.","rank_math_focus_keyword":"referral link generation","rank_math_canonical_url":"","rank_math_facebook_title":"","rank_math_facebook_description":"","rank_math_facebook_image":"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/og-referral-link-generation.png","rank_math_facebook_image_id":"","rank_math_twitter_title":"","rank_math_twitter_description":"","rank_math_twitter_image":"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/og-referral-link-generation.png","footnotes":""},"categories":[13],"tags":[62,28,20,142,45],"class_list":["post-672","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-growth","tag-api","tag-attribution","tag-deep-linking","tag-mobile","tag-referrals"],"_links":{"self":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/672","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/comments?post=672"}],"version-history":[{"count":1,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/672\/revisions"}],"predecessor-version":[{"id":673,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/672\/revisions\/673"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/media\/671"}],"wp:attachment":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/media?parent=672"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/categories?post=672"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/tags?post=672"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}