GH GambleHub

Affiliate network and traffic

1) Collaboration roles and models

Affiliates: webmasters, media buyers, content sites, influencers, applications, aggregators.
Network manager (your platform): rules, creatives, tracking, PRM, payouts.

Payment models:
  • CPA: fee per confirmed action (registration/deposit/purchase).
  • CPL: fee per lead (form/application) with qualification.
  • RevShare: a percentage of margin/revenue (often a long tail).
  • Hybrid: CPA + RevShare; sometimes with minimum guarantees.
  • Financial parameters: hold/validation window, clawback (reversal on fraud/refund), caps (daily/weekly limits), payout tiers.

2) Tracking and attribution architecture

2.1 Event model

Key steps: `click → visit → signup → qualify → target_action (e.g., FT, purchase) → retention events`.

Basic event schema (JSON):
```json
{
  "event_id": "uuid",
  "occurred_at_utc": "2025-10-31T12:45:10Z",
  "type": "affiliate.target_action.v1",
  "affiliate_id": "aff_001",
  "campaign_id": "cmp_42",
  "click_id": "c_abc123",
  "user_pseudo_id": "u_... (hashed)",
  "amount": 49.90,
  "currency": "EUR",
  "status": "qualified",
  "signature": "base64/Ed25519",
  "version": 1
}
```

2.2 Attribution

Window: 7-30 days by click (or 24-72 hours by view-through, if allowed).
Model: last-click most often; data-driven is allowed for large networks.
Channel priority: paid/brand/organic, defined with a priority matrix.
Deduplication by `event_id`/`click_id` plus a server-side (S2S) session fingerprint.

2.3 S2S postbacks and C2S events

S2S postback: a server-to-server call that records the target action (reliability, privacy).
C2S stream: client events → your backend → normalization → postback to partner (signed).
Idempotency: idempotency key = `affiliate_id + click_id + action_type`.

Postback Example (HTTP):

```
POST https://aff.example/postback
Headers:
  X-Signature: ed25519:...
  X-Timestamp: 1730388405
Body:
  click_id=c_abc123&status=qualified&amount=49.90&currency=EUR&event_id=uuid
```

3) Antifraud and quality control

Vectors: bots, incentivized/low-quality traffic, cookie stuffing, referrer spoofing, proxies/emulators, registration farms.

Controls:
  • Signatures and reputation: device signals, ASN/proxy lists, velocity check, behavioral metrics (dwell time, scroll, focus).
  • Quality score (q-score): a composite `q = w1*cohort_retention + w2*FT_rate + w3*refund_rate^-1 + w4*fraud_signals^-1`.
  • Limits and caps: "ramp-up" as the affiliate passes verification; automatic tightening on bursts.
  • Delayed qualification (cool-off): confirmation of CPA after N days of activity/no chargeback.
  • Honey-tokens: "traps" in landings/SDKs for detecting parsers and click bots.
  • Consent and privacy: cookie banners/CMP, operation without 3rd-party cookies → emphasis on S2S.

4) Creatives, landings and UX

Catalog of creatives: versions/localization, brand rules, UTM parameters, deeplink templates.
Landings: fast TTV (simple form, social login), A/B tests, geo/device content.
Policies: forbidden verticals/words, age-restriction disclaimers, responsibility for misleading creatives.
Speed: LCP < 2.5 s; p95 landing timings are part of the SLO for the affiliate.


5) PRM processes (Partner Relationship Management)

5.1 Onboarding

Questionnaire, CCM/sanctions, confirmation of traffic sources, domains/applications.
Agreements: MSA/IO, content policy, DPA (if personal data is involved), attribution rules.
Technical start: API keys, sandbox, post-back test cases.

5.2 Operations

QBR/MBR (review), goals and caps, creative library, support tickets.
Campaign changes: versions, canary launches, freeze periods on large releases.
Sanctions/blocking: fraud threshold → auto-pause, investigation, reports.

5.3 Exit/Change

Key rotation/token revocation, closing campaigns, exporting reports, final settlement.


6) Metrics and Analytics

Unit economics and quality:
  • CR (visit→signup, signup→action)
  • ARPU/LTV by cohort: affiliate/campaign/geo
  • eCPA/eCPL/eROAS
  • FT rate / Repeat rate / Retention w4/w8
  • Refund/Chargeback rate, Clawback%
  • q-score by source, quality heat maps

Example of UTM/labels:

```
utm_source=aff_network&utm_medium=cpa&utm_campaign=cmp_42&utm_content=ban_01&utm_term=kw
aff_id=aff_001&click_id=c_abc123&geo=TR&lang=tr
```

Cohort sketch (SQL):

```sql
SELECT cohort_week,
       aff_id,
       COUNT(DISTINCT user_id)     AS users,
       SUM(first_deposit_amount)   AS gmv,
       SUM(margin)                 AS net_rev,
       SUM(payout)                 AS payout,
       SUM(margin) - SUM(payout)   AS contrib
FROM fact_users
GROUP BY 1, 2;
```

7) Settlement, reconciliation and disbursement

7.1 Calculation rules

Payment base: net basis (after commissions/taxes/bonuses) or gross; specify explicitly.
Windows: T+N (days/weeks), currencies, conversion rate, invoice/credit note.
Clawback: reversal on fraud/chargebacks within the window.

7.2 Reconciliation

Bilateral reports (your actuals vs. the affiliate's report), ε tolerances, `event_id` dedup.
SLA for closing discrepancies (for example, ≤ 5 working days), comment log.

SQL discrepancy sketch:
```sql
SELECT a.event_id
FROM partner_report a
LEFT JOIN internal_events b ON a.event_id = b.event_id
WHERE a.date BETWEEN :from AND :to
  AND b.event_id IS NULL;
```
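
The SQL sketch finds only events the partner reports that are absent internally. The following added example (not part of the original page) reconciles both directions and applies the ε tolerance and `event_id` dedup from 7.2; the function name, row layout and sample reports are constructed.

```python
from decimal import Decimal

def reconcile(internal, partner, eps=Decimal("0.01")):
    """Compare two reports given as lists of (event_id, amount) rows.

    Duplicated event_ids are counted once (first row wins) and reported.
    """
    def index(rows):
        first, dupes = {}, set()
        for event_id, amount in rows:
            if event_id in first:
                dupes.add(event_id)
            else:
                first[event_id] = Decimal(amount)
        return first, dupes

    ours, our_dupes = index(internal)
    theirs, their_dupes = index(partner)
    shared = ours.keys() & theirs.keys()
    return {
        # Partner claims an event we never recorded (what the SQL above finds).
        "missing_internal": sorted(theirs.keys() - ours.keys()),
        # We recorded an event the partner did not report.
        "missing_partner": sorted(ours.keys() - theirs.keys()),
        # Both sides have the event but amounts differ by more than eps.
        "amount_mismatch": sorted(e for e in shared if abs(ours[e] - theirs[e]) > eps),
        "duplicates": sorted(our_dupes | their_dupes),
    }

# Constructed sample reports.
INTERNAL = [("e1", "49.90"), ("e2", "10.00"), ("e3", "5.00")]
PARTNER = [("e1", "49.90"), ("e2", "10.50"), ("e4", "7.00"), ("e4", "7.00")]
```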

8) Policies as code (gates)

Rego ideas:
```rego
package affiliate.policies

# `in` requires this import in pre-1.0 (v0) Rego syntax.
import future.keywords.in

deny["Weak signature"] {
    not input.webhook.signature.alg in {"HMAC-SHA256", "Ed25519"}
}

deny["No attribution window"] {
    not input.campaign.attribution.window_days
}

# Both conditions must hold.
deny["Fraud spike"] {
    input.metrics.fraud_rate > 0.7
    input.metrics.signup_to_action_cr < 0.05
}

deny["PII in logs"] {
    some f in input.logs
    contains(f, "ssn") # example
}
```

9) Compliance and privacy

Transparency: disclosure for advertising materials, age restrictions, local advertising norms.
Privacy: minimizing data to partners (pseudonyms, aggregates), right to delete, TTL.
Legal areas: geo-targeting, prohibition of traffic from regions with restrictions, storage in permissible locations.
Anti-coercion: Banning "toxic" (misleading) incentives.
Access logs: who saw what data, audit reports.


10) Templates and examples

10.1 Affiliate Passport (YAML)

```yaml
affiliate_id: "aff_001"
name: "Acme Media"
regions: ["EU","TR","LATAM"]
traffic_sources: ["SEO","Content","Push"]
contracts:
  model: "Hybrid"
  cpa: 60
  revshare: "20% of net"
  hold_days: 14
attribution:
  window_days: 30
  priority_matrix: ["affiliate>paid>brand>organic"]
tech:
  postback_url: "https://acme.example/postback"
  signature: "Ed25519"
  test_click_id: "TEST123"
policies:
  caps: { daily: 200, weekly: 1000 }
  banned_keywords: ["free money", "no risk"]
quality:
  min_q_score: 0.6
  cool_off_days: 7
status: "active"
owner: "aff-team-emea"
```

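10.2 Postback validator (pseudocode)

```python
# Pseudocode: now, ed25519_ok, seen, save_event and mark_seen are placeholders.
def verify_postback(req, key):
    ts = int(req.h["X-Timestamp"])
    if abs(now() - ts) > 300:  # stale or future-dated request
        return 401
    if not ed25519_ok(req.body, req.h["X-Signature"], key):
        return 401
    if seen(req.form["event_id"]):  # duplicate: acknowledge, do not store again
        return 200
    save_event(req.form)
    mark_seen(req.form["event_id"])
    return 200
```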
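
A runnable version of the validator flow from 2.3 and 10.2, as an added example rather than code from the original page. It swaps Ed25519 for HMAC-SHA256 (the other algorithm the policy in section 8 accepts) to stay within the standard library, and it assumes the signature covers the timestamp as well as the body; the `hmac-sha256:` prefix, function names, key and sample body are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

MAX_SKEW_S = 300  # 5-minute freshness window, as in the pseudocode

def sign(key: bytes, timestamp: str, body: bytes) -> str:
    """MAC over "<timestamp>.<body>" so neither part can be changed alone."""
    mac = hmac.new(key, timestamp.encode() + b"." + body, hashlib.sha256)
    return "hmac-sha256:" + mac.hexdigest()

def verify_postback(headers: dict, body: bytes, key: bytes, now: int, seen: set):
    """Return (http_status, stored). `seen` holds already processed event_ids."""
    ts = headers.get("X-Timestamp", "")
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > MAX_SKEW_S:
        return 401, False
    supplied = headers.get("X-Signature", "")
    # Constant-time comparison: no early exit on the first differing byte.
    if not hmac.compare_digest(sign(key, ts, body).encode(), supplied.encode()):
        return 401, False
    form = dict(parse_qsl(body.decode("utf-8")))  # parsed only after auth
    event_id = form.get("event_id")
    if not event_id:
        return 400, False
    if event_id in seen:  # partner retry or replay: acknowledge, store nothing
        return 200, False
    seen.add(event_id)
    return 200, True

# Constructed sample values, not real keys or events.
KEY = b"constructed-demo-key"
BODY = b"click_id=c_abc123&status=qualified&amount=49.90&currency=EUR&event_id=evt-0001"
```

In production the `seen` lookup and insert have to be a single atomic operation, for example a unique constraint on `event_id`, so two concurrent retries cannot both be stored.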

10.3 Q-score formula (example)

```python
q = 0.35*retention_w4 + 0.25*ft_rate + 0.2*(1 - refund_rate) + 0.2*(1 - fraud_score)
```

10.4 Deduplication Policies


dedupe_key = SHA256(affiliate_id    click_id    action_type    user_pseudo_id    date)
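
One way to compute this key so that field boundaries cannot be confused, as an added example that is not part of the original page. The length-prefix encoding is an assumption; the helper names and sample tuples are constructed.

```python
import hashlib

def dedupe_key(affiliate_id, click_id, action_type, user_pseudo_id, date):
    """SHA-256 over length-prefixed fields: each value is preceded by its
    byte length, so ("ab", "c") and ("a", "bc") hash differently."""
    h = hashlib.sha256()
    for field in (affiliate_id, click_id, action_type, user_pseudo_id, date):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big"))
        h.update(raw)
    return h.hexdigest()

def naive_key(*fields):
    """Plain concatenation without separators, shown only for contrast."""
    return hashlib.sha256("".join(fields).encode("utf-8")).hexdigest()

# Constructed sample: two distinct events whose fields concatenate to the
# same string ("aff_1" + "23c" == "aff_12" + "3c").
EVENT_A = ("aff_1", "23c", "signup", "u_x", "2025-10-31")
EVENT_B = ("aff_12", "3c", "signup", "u_x", "2025-10-31")

def keys_collide(key_fn):
    """True if key_fn maps the two distinct sample events to one key."""
    return key_fn(*EVENT_A) == key_fn(*EVENT_B)
```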

11) Anti-patterns

Cookie-only tracking without S2S → loss of attribution.
Blind CPA without quality control/retention → budget burnout.
No hold/cool-off → overpayments and disputes.
Mixing gross/net in calculations → endless discrepancies.
A single very large affiliate → concentration risk.
No auto-limits on a fraud spike → mass write-offs.
PII in logs/webhooks → privacy risks and fines.


12) Architect checklist

1. Fixed payout model, calculation base and windows (hold, clawback)?
2. Implemented S2S tracking with signature and idempotency?
3. Attribution windows and channel priority defined, dedup working?
4. Built-in anti-fraud signals and q-score, caps and auto-pause?
5. PRM processes: onboarding/CUS, creatives, sandbox, post-back test cases?
6. Dashboards: CR, eCPA, LTV, retention, refund/clawback, q-score?
7. Reconciliation: bilateral reports, ε-allowance, dispute closure SLA?
8. Policies as code in CI/CD/PRM (signatures, windows, ban list)?
9. Privacy: minimal personal data, pseudonyms, TTL, right to delete?
10. Incident plan: fraud spike, post-back downtime, out of sync reports?


Conclusion

A strong affiliate network is an engineering system, not just marketing. When attribution is server-side and transparent, traffic quality is measured and managed, PRM processes are standardized, and settlements are backed by an evidence base and "policy as code," the channel scales predictably: eCPA is stable, LTV grows, disputes are rare, and partners willingly invest in your traffic.
