If your postbacks can be spoofed, your revenue can be siphoned. It’s that simple. Postback integrity is the thin line between accurate attribution and silent leakage through fabricated or replayed conversions.
The fastest win—technically small, financially meaningful—is enforcing an Advertiser Security Token on every conversion postback. One secret, checked on every hit, eliminates a surprising amount of noise.
What fraud looks like at the postback layer?
(and why basic IP checks aren’t enough!)

Spoofed postbacks are cheap to generate and hard to spot once they hit your endpoint: bad actors guess or steal click IDs, re-send old events, or craft look-alike payloads that slip through naive IP filters. Even “friendly” errors—misconfigured advertiser servers, staging systems bleeding into production—inflate numbers and damage trust. If your network accepts any syntactically valid payload, you’re paying to learn the same lesson every month.
What the Advertiser Security Token is—and what it guarantees?
At its core, the Advertiser Security Token is a shared secret (a token string) known only to you and the advertiser. Every postback must include this token; Scaleo verifies it on arrival. No token or the wrong token? The conversion is rejected with a clear, auditable message:Fail: Incorrect Advertiser Security Token
That single check collapses an entire fraud surface. Spoofers can’t guess a secret they’ve never seen, and well-meaning misroutes don’t slip through “by coincidence.”
How to enable it in Scaleo?
- Go to Settings → Security and enable Advertiser Security Token for Postback. Save.
- This toggle does not retro-enable existing advertisers. For each existing partner, open the Advertiser Edit page and turn Required Security Token = ON.
- For new advertisers, the requirement is enabled automatically.
- Management is on the Advertiser page only (by design). You cannot manage this from the Offer page, preventing a fragmented policy.
Once active, Scaleo validates the token on every postback for that advertiser. Missing or incorrect tokens mean the conversion is not recorded—with the error above visible in the advertiser’s postback logs for rapid self-serve debugging.
Implementation pattern (simple and deterministic)
Think of the token as a mandatory parameter you require on the advertiser’s callback to your network.
Example (illustrative parameters):
https://your-network.tld/postback?
click_id={CLICK_ID}
&amount={AMOUNT}
¤cy={CURRENCY}
&status=approved
&token=ADVERTISER_SECRET_TOKEN
Server behavior:
- Scaleo extracts
token, checks it against the advertiser’s stored secret, and only then processesclick_id, values, and statuses. - If the token fails, nothing is booked; the log records the failure for that postback attempt.
No gray area, no partial credit.
Why C-levels should care: it’s not “just” security, it’s P&L hygiene?
You’re not adding complexity—you’re deleting uncertainty. A token requirement:
- Stops fabricated/replayed conversions at the edge (no downstream cleanups or clawbacks).
- Shortens dispute cycles because there’s a binary truth for every hit (valid token or not).
- Protects margin without antagonizing legitimate partners—good traffic sails through, bad payloads bounce with a clear reason.
Pairing the token with landing-page controls (reduce bad traffic before it starts)
Fraud mitigation is multi-layer. While the token secures the “money in” event, Scaleo’s landing-page controls help keep low-quality or forbidden traffic from ever reaching conversion:
- Preview optionality per landing page lets you hide test endpoints from general use.
- Visibility settings control which affiliates can see/use a specific landing page.
- Targeting per landing (GEO, device type, connection type, etc.) ensures only eligible users see the page.
- Traffic distribution supports weighted rotation, equal rotation, and targeting-based redirection—so you can route around risk and keep experiments isolated.
Better routing and visibility reduce accidental policy violations and shrink the attack surface that opportunistic affiliates exploit.
Common attack vectors vs. controls (and where the token fits)
| 🚩 Threat | What it looks like | Primary control | Outcome |
|---|---|---|---|
| Spoofed postback | Random click IDs, correct format | Advertiser Security Token | Rejected with “Incorrect Advertiser Security Token” |
| Replay attack | Real postback resent later | Token + duplicate conversion logic | First accepted, replays blocked |
| Staging bleed | Test systems hitting prod | Token on prod only | Test traffic fails safely |
| Parameter tampering | Inflated amounts/status flags | Token + server-side validation rules | Invalid deltas discarded |
| Unapproved GEO/device | Conversions from excluded traffic | Landing-page targeting + compliance rules | Traffic redirected or blocked |
A clean rollout plan teams can execute in a week
Start with the high-volume advertisers and move down the long tail.
- Day 1–2: Enable the feature globally (Settings → Security). Communicate the change with a one-pager: how to add the
tokenparam, what error appears on failure, how to test. - Day 3–4: Flip Required Security Token = ON for top advertisers, one by one. Provide each partner their secret via a secure channel.
- Day 5–7: Monitor the advertiser postback logs. Any “Incorrect…Token” error is immediately actionable by the advertiser—they can fix their callback without your dev team.
The win here is operational: partners debug themselves with a precise error string, and your managers stop doing log forensics.
The single checklist your ops team needs
- Token feature enabled in Settings → Security (saved).
- All new advertisers inherit “Required Security Token = ON.”
- Existing advertisers migrated in descending traffic order (and confirmed).
- Advertiser documentation updated with the required
tokenparameter. - Billing and compliance trained to use the postback log error for quicker triage.
- Landing-page visibility/targeting set on sensitive offers to avoid policy drift.
What good looks like in your dashboards?
- Near-zero “unknown source” conversions (they never pass the token gate).
- Lower dispute rate and faster resolution time because failures are explicit.
- Cleaner contribution margin in high-risk GEOs: fewer bogus approvals, fewer end-of-month clawbacks.
Simplicity (and why we keep it server-side)
You could ship more elaborate signing schemes, but most of the value comes from one invariant secret checked server-side on every callback. It’s fast to adopt, easy to enforce, and—crucially—centralized on the Advertiser, not per offer. That keeps policy coherent and avoids configuration drift.
TL;DR for decision-makers
Every fraudulent or misrouted postback costs you twice: once when you pay it, again when you waste time reversing it. The Advertiser Security Token stops those hits at the door. Turn it on once, require it per advertiser, and let Scaleo enforce it on every event. Combine with landing-page visibility/targeting and you’ve reduced a big chunk of your risk—without slowing down legitimate revenue.
🎯 Unlock the full potential of your gambling business
Get actionable insights into your players’ funnel. In-depth reports let you discover your players’ journeys, from clicking on an affiliate link to registration and deposit.