Skip to content
Pathbound DOCS
Sign in Get an API key

Tracker — Overview

The Pathbound tracker is a small JavaScript snippet that runs on your website and captures behavioral events — page views, clicks, form submissions, video plays — into the Pathbound platform. Once a visitor identifies (by submitting a form, clicking a tracked email link, or being matched via fingerprint), every event in their history is attached to their contact record.

Tracker URL

Section titled “Tracker URL”
https://tracker.pathbound.ai/tracker.js

The script is served minified and gzipped/brotli-compressed, around 4 KB on the wire. There are no client-side dependencies; everything runs in vanilla browser JS.

What gets tracked

Section titled “What gets tracked”

Out of the box, no configuration:

  • page_view on every navigation, with title, path, UTM params, and load time.
  • first_visit the first time a browser is seen.
  • button_click on every <button> click — text, class, id.
  • link_click on every <a> click — text, href, internal vs external.
  • form_submit on every native <form> submission — formId, action, method.
  • Wistia video events when a <wistia-player> is on the page — video_play, video_pause, video_complete, video_milestone (25/50/75/100%), video_conversion (Turnstile email capture).

Plus anything you fire yourself via pathbound.track().

Every event is enriched server-side with the visitor’s identity (cookie + fingerprint), session, referrer, screen resolution, user agent, and _ga user ID if Google Analytics is present.

How visitors get linked to contacts

Section titled “How visitors get linked to contacts”

Three mechanisms, in order of reliability:

  1. Form submission — The tracker’s form_submit event includes the form’s data. Submissions to your Pathbound-tracked form (via the /v1/public/form-submission endpoint) link the visitor_id to a contact.
  2. External contact ID cookie — If your app sets pathbound_external_contact_id (e.g. after a logged-in user authenticates), the tracker reads it on every event and the backend resolves it to a Pathbound contact.
  3. Fingerprint recovery — If the visitor’s pathbound_visitor_id cookie is missing (cleared, new device, incognito), the tracker computes a device fingerprint from Canvas + WebGL + AudioContext + system signals, hashes it (SHA-256), and asks the server for the canonical visitor ID. This recovers the timeline across cookie loss without depending on third-party identifiers.

Details: Identity & fingerprinting.

Privacy

Section titled “Privacy”
  • Honors a Do-Not-Track cookie — set pathbound_dnt=1 on a domain and the tracker exits before doing anything.
  • Honors navigator.doNotTrack as part of the fingerprint signal mix (so a DNT browser produces a different fingerprint than the same device without).
  • Stores cookies with SameSite=Strict; Secure over HTTPS. Session cookies use HttpOnly.
  • No third-party requests — all events POST to your tracker host (e.g. tracker.pathbound.ai).

Architecture

Section titled “Architecture”

The tracker is a standalone Express service that:

  • Serves tracker.js (rate-limited, host-validated, brotli/gzip).
  • Accepts batched events at POST /track (up to 10 events per batch, 2-second timeout).
  • Provides fingerprint recovery at POST /recover-visitor.
  • Writes directly to the same MongoDB as the REST API and MCP server, so events appear in GET /v1/events immediately.

This means the tracker is not authenticated by API key — instead, the server validates the request’s Origin/Referer against the verified domains of each tenant. You verify domains in Settings → Domains in the dashboard.