Overcloakovercloak
Log inTalk to us
TrackingMarch 3, 2026·8 min read

Setting Up Facebook CAPI for Cloaked Campaigns

Server-to-server tracking that bypasses ad blockers and iOS restrictions. Step-by-step setup guide.

Overcloak

Overcloak Team

@overcloak

share

Cookies are dead for ad attribution. iOS 14.5+, ad blockers, and ITP have killed pixel-based tracking. The replacement is Conversions API (CAPI) — a server-to-server endpoint where you fire conversions directly from your backend to Facebook, with the user's hashed identifiers as the matching key.

CAPI works with cloaking — but you have to wire it correctly.

The flow

  1. 1User clicks your cloaked URL (e.g. yourdomain.xyz/c/abc).
  2. 2Overcloak runs detection. Real users get redirected to your offer URL with a click_id parameter (e.g. ?oc_click=xyz123).
  3. 3User lands on your offer, completes the conversion.
  4. 4Your offer's backend fires a CAPI event to Facebook with: event_name=Purchase, event_source_url, the click_id, and hashed email/phone if available.
  5. 5Facebook attributes the conversion to the original ad click.

Required fields for good match rate

  • fbc parameter (the Facebook click ID — comes from fbclid in the original landing URL)
  • fbp parameter (the Facebook browser ID cookie)
  • Hashed email (lowercase, trimmed, SHA-256)
  • Hashed phone (E.164 format, then SHA-256)
  • client_ip_address (from the user's request)
  • client_user_agent
  • event_time (Unix timestamp)

The more fields you send, the higher Facebook's match rate. 6 fields = ~70% match. 4 fields = ~40%. Below 4 and you might as well not bother.

Setup with Overcloak

  1. 1In your flow settings, add your Facebook Pixel ID and your CAPI access token (generate in Events Manager).
  2. 2Set the event name (Purchase, Lead, AddToCart, etc.).
  3. 3When a real user passes detection, Overcloak forwards the fbclid as oc_click in the redirect URL.
  4. 4On your offer's thank-you page, fire a postback to: https://overcloak.pro/api/postback?flow=xxx&click_id=oc_click_value&payout=AMOUNT.
  5. 5Overcloak sends the CAPI event to Facebook on your behalf.

Common errors

  • Fbclid not preserved — make sure your offer's URL accepts and preserves the parameter
  • Wrong access token scope — needs ads_management permission
  • No deduplication — if you also have the pixel firing client-side, send the same event_id from both sides so Facebook deduplicates
Run this in production

Stop running cloaking on duct tape.

Overcloak ships the 11-layer detection stack described above out of the box. $97/mo locked forever for the first 50 customers — only 13 founder seats left.

Lock my founder seat — $97/moSee the engine →
// keep reading
Ad Cloaking12 min

The Complete Guide to Facebook Ads Cloaking in 2026

Everything changed in 2026. Meta's review infrastructure got smarter. Here's what still works, what doesn't, and how to stay undetected.

Ad Cloaking9 min

Google Ads Cloaking: Safe, Scalable Tactics That Work Now

Google's detection is the hardest to beat. We break down the exact setup that passes review every time.

Ad Cloaking6 min

TikTok Ads Cloaking Setup in Under 5 Minutes

TikTok's review process is fast but sloppy. Here's how to exploit the gaps with proper cloaking.