Affiliate attribution — first-click vs last-click

Affiliate attribution decides who gets paid when a buyer touches three different affiliates before checkout, and the rule the program picks is rarely the one that feels fair. A reader hits your in-depth review on day 1, forgets about it for two weeks, opens a newsletter on day 15 that links to the same product, sees a coupon code on a deal site on day 45, and finally buys on day 50. Three affiliates were involved. One commission gets paid. Which one depends on a single line in the program's terms — first-click, last-click, or some flavour of cookie window — and that single line decides whether your work earns $60 or $0.

Most beginner content treats attribution like a footnote. It is the entire game. Get the headline rate wrong and you earn 20% instead of 30%. Get the attribution model wrong and you earn nothing on the same sale. This piece walks through three concrete buyer journeys with real numbers, shows what each attribution model pays out under cookie windows of 30, 60, and 90 days, and covers the cookie-deprecation reality every program is quietly scrambling to handle in 2026. If the four-step mechanical primer in the beginner's guide to how affiliate programs work is the wide shot, this post zooms in on step three.

How affiliate attribution actually decides who gets paid#

Every affiliate program has to answer one question at the moment of purchase: which affiliate, of the possibly several whose tracking cookies are still alive in this browser, gets credit for this sale. The answer is the attribution model, and the three you will encounter in the wild are last-click, first-click, and some variant of multi-touch or split.

Last-click attribution. The most recent affiliate cookie alive at the moment of purchase wins the entire commission. Earlier affiliates get nothing. This is the default on roughly nine out of ten programs — Amazon Associates, ShareASale, most of Impact and PartnerStack's hosted schemes, the bulk of indie SaaS affiliate plug-ins. The reason it dominates is purely operational. Last-click is the simplest rule to implement, the easiest to dispute, and the cheapest to defend in court. It is also the rule that most punishes content creators who do top-of-funnel work, which is why the people who hate it loudest are reviewers and the people who love it loudest are coupon-site operators.

First-click attribution. The first affiliate to drop a cookie wins. Subsequent clicks do not overwrite. This is rare — maybe one in twenty programs — and almost always a deliberate signal that the merchant values education over interception. Buffer's old creator program, a handful of newer indie SaaS programs, and most enterprise B2B referral schemes run first-click. If you see a program advertise "we credit the affiliate who introduced the customer," that's first-click.

Multi-touch or split attribution. The commission gets divided across all affiliates whose cookies are alive at purchase, sometimes weighted by recency or position. Equal-split is the simplest form. Position-based — typically 40% first-click, 40% last-click, 20% middle — exists in enterprise schemes but almost never in indie SaaS. The reason: it is operationally painful to implement and constantly disputed. When you see it, it is usually because the merchant cares enough about both top-of-funnel and bottom-of-funnel affiliates to pay both.

The practical implication of this distribution is that most affiliates, most of the time, are competing under last-click rules. Your in-depth review on day 1 sets up the buyer. The coupon site on day 45 — whose only contribution was a search for "[brand] discount code" the buyer made because your review convinced them to buy — collects the commission. This is the affiliate marketing version of farming a field someone else gets to harvest, and it is the structural reason coupon and deal sites are so profitable. They sit at the bottom of every funnel, and last-click hands them the cheque.

A concrete three-touch journey, with numbers#

Let's walk through one realistic buyer journey with the math written out. Same product, same buyer, three different attribution outcomes. Setup:

• The product: a $99/month SaaS tool, 30% recurring commission.
• The cookie window: 60 days.
• The buyer journey:
  • Day 1. Buyer reads a long-form review on Affiliate A's site, clicks the affiliate link. Cookie dropped — call this cookie A, expires day 61.
  • Day 15. Buyer opens Affiliate B's weekly newsletter, clicks the link to the same product. Cookie B dropped, expires day 75.
  • Day 45. Buyer searches the brand name, lands on Affiliate C's deal site, clicks the coupon link. Cookie C dropped, expires day 105.
  • Day 50. Buyer checks out. All three cookies are still alive (the earliest, A, expires at day 61; the purchase happens at day 50).

The headline commission on month one is $99 × 30% = $29.70. Recurring at the same rate compounds over the customer's lifetime — at 4% monthly churn that lifetime value is roughly $182. So the question is who collects $182.

Under last-click attribution: Affiliate C wins everything. The coupon site, whose only role was to be the last cookie alive when the buyer was already going to check out, collects $182 in lifetime commission. Affiliate A — who wrote the 3,000-word review that started the journey — gets $0. Affiliate B — whose newsletter kept the product top-of-mind — gets $0.

Under first-click attribution: Affiliate A wins everything. The reviewer collects $182 because A's was the first cookie dropped. The newsletter and the coupon site get nothing, which is exactly the structural inversion of last-click.

Under equal-split attribution: Each affiliate collects $60.67. The reviewer gets paid for the education, the newsletter for the nudge, the coupon site for closing.

The same buyer, the same product, the same three affiliates — three completely different lifetime payouts. None of the affiliates did anything different. The merchant's attribution choice decided it.

The merchant's attribution rule is the single biggest determinant of affiliate income on a sale. The headline rate matters less than which line in the terms decides who collects it.

Cookie windows — the second lever that decides everything#

The attribution model picks among cookies that are alive. The cookie window decides which cookies are alive in the first place. Three windows you will see in the wild, with the same buyer journey above plugged into each.

The interesting outcome is under first-click attribution: at a 30-day window, Affiliate A is dead by the time of purchase, so the first surviving cookie at checkout is Affiliate B — and B collects the commission. The buyer journey is identical. The window changed who "first" means.

This is why cookie window discussions matter as much as attribution model discussions. The two interact in ways that look harmless on the program terms page and turn ugly in practice. A "first-click, 30-day window" program tells you they value education, then quietly disqualifies most educational content by killing the cookie before the buyer comes back. A "last-click, 90-day window" program is generous on paper and still hands the entire pot to whichever affiliate touched the buyer most recently.

The cleanest combinations:

• First-click, 90+ day window. Honest about valuing top-of-funnel content. Rare. The mark of a program that wants reviewer-quality affiliates.
• Last-click, 90+ day window. Honest about valuing bottom-of-funnel conversions, but generous enough that most affiliates collect something if they touched the buyer recently.
• Last-click, 24-hour window. The program is openly saying it values literal-click-to-purchase only. Translates to "we want coupon-site traffic and not much else."
• First-click, 14-day window. The combination that sounds generous and pays out almost never.

The data primer on how to track QR code scans covers the underlying first-party vs third-party cookie mechanics that affect what your tracker can actually see in 2026 — worth reading if any of the cookie talk feels abstract.

The cookie-deprecation reality nobody likes talking about#

The whole architecture above — drop a cookie, read it at purchase, pay accordingly — was built on the assumption that browsers would happily store and return tracking cookies across sessions. That assumption is being dismantled, on schedule, by browser vendors who have decided cross-site tracking is bad for users. The collapse is in three layers.

Safari's Intelligent Tracking Prevention. Apple's WebKit team has been progressively tightening cookie behavior since 2017. By 2026, ITP caps all client-side cookies set via JavaScript at seven days regardless of what expiry the script requests. Third-party cookies (set by domains other than the one the user is browsing) are blocked entirely. The practical effect: an affiliate cookie set via a tracking pixel on a third-party tracker on Safari dies in seven days, no matter what the program's terms claim about a 90-day window.

Firefox Enhanced Tracking Protection. Mozilla blocks third-party cookies in Firefox by default since 2019. First-party cookies set by the merchant's own domain still work, which is why most modern affiliate networks switched to a redirect-and-set pattern — the click bounces through a tracker that immediately redirects to the merchant's own domain, and the cookie is set in the first-party context on landing.

Chrome's third-party cookie deprecation. Google has announced and delayed the kill of third-party cookies in Chrome multiple times. As of mid-2026, Chrome is rolling out a user-choice prompt that lets people opt out of third-party cookies entirely, with the default leaning toward deprecation. The exact timeline keeps shifting, but the direction has been clear for years: third-party cookies are not the future, and any program whose tracking depends on them is on borrowed time.

What programs are doing in response:

Server-side attribution. The click hits the merchant's own server, which writes a record in its database keyed to a server-issued ID rather than a browser cookie. The buyer's session is then tagged in the merchant's first-party context. This works on Safari, Firefox, and Chrome regardless of cookie policy because the persistence lives on the merchant's server, not in the browser. The downside: you need infrastructure to do it well. Indie programs without dev resources are stuck with cookies.

Signed-in tracking. If the buyer creates an account during the click-through flow — even a free trial — the merchant can tag the user record with the affiliate ID at signup time. From that moment on, attribution is keyed to the account, not the browser. This is how Kit, Shopify Partners, and Beehiiv handle most of their tracking — the cookie matters until signup, then the database takes over. The downside: requires a signup flow that affiliates can route through, which not every product has.

URL parameter persistence. The affiliate ID gets passed in the URL query string on every page of the merchant's site, then stored in localStorage or a first-party cookie when the buyer is about to check out. Works around ITP because the storage is first-party. Brittle because anything that strips query parameters (some payment processors, some checkout redirects) kills the attribution.

Hashed identifier matching. Larger networks use hashed email or phone matching when the buyer eventually completes a purchase, comparing against a hash the affiliate captured at click time (typically via a logged-in newsletter system that already had the email). Powerful but only available to networks at scale; small affiliates have no access to this data path.

The honest summary: any program selling you on a "30-day cookie window" in 2026 without explaining their server-side or signed-in attribution story is selling a window that has already collapsed on a third of their traffic. The Safari and Firefox slices alone are about 35% of consumer web browsing globally and rising on iPhone-heavy markets like the US, UK, and Japan. Effective attribution on those segments depends entirely on whether the program has done the work to escape cookies.

For platform context, the events docs cover the kind of server-side conversion tracking that survives browser cookie deprecation — the same mechanics work for affiliate attribution, even though the use case is different.

Pick your attribution model — the interactive#

The widget below walks through the three-touch journey above and lets you change the variables. Pick the attribution model, the cookie window, and which affiliate's link the buyer clicked last. The output shows who gets paid, why, and what the alternative models would have produced.

The most instructive combinations to try: set last-click at 14 days and watch Affiliate C still win because C's day-45 click is fresh. Set first-click at 14 days and watch the program effectively become last-click — by day 50, A and B have both expired, so the "first" surviving cookie is whichever recent one is left. The model's name doesn't predict the payout when the window is short.

Which model the merchant should pick — and why most pick the wrong one#

The merchant's attribution choice is a business decision dressed up as a technical detail. Pick last-click and you reward conversion-stage affiliates: coupon sites, deal aggregators, retargeted-ad buyers. Pick first-click and you reward education-stage affiliates: reviewers, comparison-content creators, newsletter operators. Pick split and you reward both but pay more in total commission for the same number of sales.

Most merchants pick last-click by default for the reasons listed earlier — operational simplicity, easy disputes, low litigation surface. The choice is rarely deliberate. It is the default in every off-the-shelf affiliate plug-in (Tapfiliate, Rewardful, FirstPromoter, PartnerStack), and most merchants accept the default without thinking about what it incentivises.

The result is a market in which the affiliates who do the most expensive top-of-funnel work — long-form reviews, video comparisons, sustained newsletter coverage — are the least likely to be paid for their efforts. Coupon-site operators run automated extraction tools against any merchant with a discount program and collect the commission on conversions they didn't drive. This is so consistent and so structural that several modern SaaS affiliate programs (ConvertKit, Webflow, Beehiiv) now explicitly disqualify coupon and deal-site traffic from earning commissions — not because coupon affiliates broke the rules, but because the rules themselves were broken.

What a merchant should actually pick depends on what kind of affiliates they want to attract:

• Want reviewers and content creators? First-click with a 90+ day window. Expensive but signals that you value education.
• Want a high-volume long tail? Last-click with a 60-day window. The default. Will attract everyone including coupon sites; budget for the coupon-site leakage.
• Want enterprise B2B partners? Position-based split (40/40/20). Pays both ends of the funnel. Used by Salesforce, HubSpot, and other enterprise schemes.
• Want signups for a free product? First-click on the signup event itself, not the purchase. Pays the affiliate who introduced the user.

The merchant's decision between recurring and one-time commission structures interacts with attribution choice in non-obvious ways. Recurring + last-click penalises the reviewer twice: once on month one (lost to the coupon site) and forever after (still lost to the coupon site, who kept the cookie cleanly). Recurring + first-click compounds the reviewer's win — the cookie is set once on day 1, and every subsequent month feeds back to the affiliate who started the journey. This is part of why first-click is rare: it is genuinely expensive for the merchant if they pick a generous recurring structure on top.

What sophisticated affiliates do under last-click#

If you are promoting under a last-click program — which is most of them — there are three workable responses to the structural disadvantage of being a top-of-funnel content creator. None of them are clever hacks. They are the ground-truth strategies people doing this for a living actually use.

Drive the last click yourself. Embed an affiliate link not just in your review post but in your follow-up emails, retargeting ads, and the bottom of every related piece. If the buyer is going to do one final click before checkout — and most do — make it on your link, not the coupon site's. Routing through a branded short link on your own domain makes the redirect feel native to your brand rather than spammy, and the walkthrough of using a URL shortener specifically for affiliate marketing covers how the wrapper keeps the ref parameter intact through the same platforms that quietly strip raw network URLs. Combined with conversion tracking on short links, you can see which of your touches actually convert and double down.

Promote programs that exclude coupon traffic. Read the program terms. Some explicitly disqualify coupon and deal sites — ConvertKit and Webflow are two public examples. On those programs, your last-click problem largely evaporates because the bottom-of-funnel competitor is structurally disqualified. The pool of programs with these terms is small but growing.

Build first-party relationships. Email lists, paid communities, anything where the buyer is signed in and the affiliate ID is attached to their account at signup rather than to a browser cookie. Once the buyer is signed up via your link, attribution is account-keyed, not cookie-keyed, and no later coupon site can overwrite it. This is how the highest-earning affiliate marketers structure their businesses — they own the audience and route them into programs that respect account-keyed attribution.

The stack-or-pick framework for agencies running affiliate links covers the additional twist where the affiliate is also a service provider — different incentives, different disclosure requirements, same attribution rules underneath. The mechanical primer on how affiliate programs actually work end to end is the right next read if you want the cookie-and-clawback details that sit one layer below attribution.

Disputes — what to do when the math doesn't match#

Even with clean attribution, programs sometimes don't pay what they should. The three most common failure modes:

Cross-device journeys. Buyer clicks your link on their phone, completes purchase on their laptop. Two different cookie stores, no link between them. Most programs lose this attribution silently. The fix is server-side or account-keyed attribution, which not every program has.

Ad-blocker stripped tracking. The buyer's browser blocks the affiliate redirect or the cookie write. The click never registers. The program shows no impression, no click, no conversion attributed to you. The fix is server-side tracking on the merchant's first-party domain, which avoids the third-party block list.

Manual reversal during the pending period. The merchant marks the commission as invalid during the 30-60 day pending window, often citing "fraudulent traffic" or "coupon-stacking violation" without explaining further. The fix is to have logs of your own — UTM-tagged clicks, conversion events, screenshots of the affiliate dashboard at click time — and dispute promptly. Programs that respond honestly to evidence keep your trust; programs that stonewall belong on your blacklist.

The honest take: a program that loses 5-10% of attribution to legitimate technical failures is normal. A program that loses 30%+ is either incompetent or extracting from affiliates deliberately. The pattern is visible after 60-90 days of consistent traffic — if your clicks far exceed your conversions and the program has no explanation, that's your data telling you to stop promoting them.

The platform documentation on analytics and event-level tracking covers the technical side of click-and-conversion logging from the platform end — useful for understanding what data the merchant actually sees about you. Surface-level traffic data is the public view; the deeper attribution surface is built on the same primitives.

Frequently asked questions#