Meta CAPI Setup Guide 2026: Server-Side Facebook Conversion Tracking

Meta CAPI (Conversions API) sends purchase and event data directly from your server to Meta, bypassing browser limitations that kill your pixel data. If you’re running Meta ads and not using CAPI, you’re losing 20-40% of your conversion data — which means Meta’s algorithm is optimizing against incomplete information and your ROAS is lower than it should be.

This guide covers actual implementation, not theory. Three approaches, platform-specific instructions, and the deduplication setup that most guides skip.

Why CAPI Matters in 2026

The browser pixel alone is broken:

Problem	Data Lost	CAPI Fix
Safari ITP (cookie expiry)	30-40% of Safari users	Server sends data regardless of cookies
Ad blockers	~30% of desktop users	Server-to-server, invisible to blockers
iOS ATT opt-out	~75% of iOS users opt out	First-party data sent server-side
Consent Mode denial	Varies by region (50%+ in EU)	Server events with proper consent signals

Without CAPI, Meta sees roughly 60% of your actual conversions. Its algorithm optimizes against that 60%, which means your bids are wrong, your audiences are incomplete, and your cost-per-acquisition is inflated. For a plain-language explanation of how server-side tracking works and why it matters, see Server-Side Tracking Explained (No Jargon).

Three Implementation Approaches

Approach 1: Platform Native (Easiest)

For Shopify: Shopify’s native integration sends some CAPI events automatically. Go to Settings → Customer Events → Meta pixel. This covers basic purchase events but misses:

Add to cart from non-checkout pages
View content events
Custom events
Proper deduplication with the browser pixel

Verdict: Good starting point. Insufficient for serious advertisers.

For WordPress/WooCommerce: Plugins like PixelYourSite, TagFrog, or server-side GTM handle CAPI. The quality varies dramatically — most plugins just mirror the pixel events server-side without proper deduplication, causing Meta to double-count conversions.

Approach 2: Server-Side GTM (Most Flexible)

Google Tag Manager’s server-side container acts as a proxy:

Browser pixel fires event → hits your sGTM endpoint
sGTM processes the event → forwards to Meta CAPI
Same event, two delivery methods, one deduplication ID

Pros:

Full control over data
Works with any platform
Handles consent at the container level
Can enrich events with server-side data

Cons:

Requires cloud hosting (GCP, AWS, or self-hosted)
~$30-100/mo for the container
Configuration complexity
Still relies on browser pixel firing first (doesn’t recover adblocker losses)

Approach 3: Direct Server Integration (Most Reliable)

Your server sends events directly to Meta’s Graph API when business events occur (purchase, add to cart, etc.):

Customer buys → Your server processes order → POST to graph.facebook.com

This is the gold standard. It doesn’t depend on the browser at all. When a WooCommerce order is placed or a Shopify webhook fires, your server sends the conversion data with:

Hashed email (SHA-256, lowercase, trimmed)
Hashed phone
Transaction ID for dedup
IP address and user agent (from the original request)
Cookie values (_fbp, _fbc) captured during checkout

The Deduplication Problem (What Most Guides Miss)

If you run both the browser pixel AND CAPI, Meta receives the same event twice. Without deduplication, a $100 purchase looks like $200 in revenue, your ROAS doubles overnight, and you think your ads are performing better than they are.

How dedup works: Both the pixel and CAPI send the same event_id. Meta matches them and counts once.

Browser pixel fires:  Purchase, event_id = "order_12345", value = $100
CAPI fires:           Purchase, event_id = "order_12345", value = $100
Meta sees:            1 purchase, $100 (matched by event_id)

Common dedup failures:

Different event IDs: Pixel generates a random ID, server generates a different one. Meta counts both.
No event ID at all: If either side omits event_id, Meta can’t match them. Both count.
Timing mismatch: If CAPI fires 30+ minutes after the pixel, Meta may not match. Send within 5 minutes.

The fix: Generate the event ID on the client, pass it to the server, and use the same ID for both pixel and CAPI events. For order events, use the order ID or checkout token — it’s naturally unique and available on both sides.

Event Match Quality Score

Meta grades your CAPI implementation with Event Match Quality (EMQ), scored 1-10:

Score	Assessment	Action
8-10	Excellent	You’re sending good identity data
6-7	Good	Add phone number or address data
4-5	Fair	Missing email or key identifiers
1-3	Poor	Implementation is broken or data is malformed

How to improve EMQ:

Always send hashed email (biggest impact)
Send hashed phone number
Send _fbp and _fbc cookies (captures click ID)
Send external_id (your customer ID, hashed)
Send IP address and user agent

Each additional parameter gives Meta more signals to match your server event to a real Facebook user.

CAPI doesn’t exempt you from consent requirements:

GDPR (EU): Must have consent before sending personal data. Set data_processing_options: ['LDU'] for opted-out users.
CCPA (California): Use Limited Data Use flag. Meta respects this server-side.
Consent Mode v2: If you’re using Google’s Consent Mode, apply the same consent logic to CAPI events. Don’t send CAPI events when marketing consent is denied. See our Consent Mode v2 implementation guide for the complete setup.

The common mistake: “It’s server-side so consent doesn’t apply.” Wrong. The data is the same regardless of how it’s transmitted. If a user denied marketing consent, don’t fire the CAPI event.

Verifying Your Implementation

Check 1: Events Manager

In Meta Business Suite → Events Manager → select your pixel → “Test Events” tab:

Send a test purchase from your site
You should see the event appear twice: once as “Browser” and once as “Server”
If both show with the same event ID, deduplication is working

Check 2: Event Match Quality

Same page → “Overview” tab → scroll to “Event match quality”:

Click each event type to see its EMQ score
Score below 6 means you’re missing identity parameters

Check 3: Dedup Rate

In Events Manager → “Diagnostics” tab:

Look for “Duplicate Events” warnings
If you see “High rate of duplicate events,” your dedup is broken
If you see nothing about duplicates, dedup is working (or CAPI isn’t firing at all — verify with Test Events first)

When to Stop and Call for Help

If your Meta pixel stopped working after iOS 14, CAPI is how you recover most of that lost data — see Meta Pixel Not Working After iOS 14? Here’s the Complete Fix. On Shopify specifically, Shop Pay bypasses your pixel entirely, making CAPI even more critical.

If any of these are true, your Meta tracking needs professional attention:

EMQ score is below 5 for purchase events
You see “duplicate events” warnings in diagnostics
Your Meta-reported ROAS is 2x higher than your actual revenue supports
Conversions in Meta dropped 30%+ after a site update
You’re spending over $5K/mo on Meta ads without CAPI

Run a free tracking scan — we check your Meta pixel, CAPI implementation, deduplication, and consent setup automatically.