Cookies
Trackbridge writes three first-party cookies, all in the same shape. They store Google Ads click identifiers captured from URL parameters so the SDK can attribute conversions across page navigations and sessions.
The server tracker writes no cookies.
The table
Section titled “The table”| Cookie | Contents | Set when | Default expiry |
|---|---|---|---|
_tb_gclid | Standard Google Ads click identifier from ?gclid=... | Captured from URL or pre-existing cookie, gated on ad_storage consent if consentMode: 'v2' | 90 days |
_tb_gbraid | iOS-app-to-web click identifier from ?gbraid=... | Same | 90 days |
_tb_wbraid | iOS-app-to-web identifier (ATT-restricted) from ?wbraid=... | Same | 90 days |
The expiry is configurable: pass cookieExpiryDays to createBrowserTracker.
Attributes (every cookie)
Section titled “Attributes (every cookie)”_tb_gclid=Cj0KCQ...; Secure; SameSite=Lax; Path=/; Expires=<UTC date string>Optionally with a Domain= attribute when cookieDomain is set on the tracker config:
_tb_gclid=Cj0KCQ...; Domain=.example.com; Secure; SameSite=Lax; Path=/; Expires=<UTC date string>| Attribute | Value | Why |
|---|---|---|
Secure | always set | Cookies travel only over HTTPS. The SDK assumes HTTPS in production. |
SameSite | Lax | Sent on top-level navigations (which is when ad clicks land), not on third-party iframe loads. |
Path | / | Available across the whole site. |
Expires | <now + cookieExpiryDays> (default 90 days) | Long enough to span typical click-to-purchase windows; short enough to age out abandoned identifiers. |
Domain | optional, value of cookieDomain | Set to .example.com to share cookies across www.example.com, app.example.com, etc. Omitted entirely if cookieDomain is not configured — the cookie is then host-only. |
The cookies are not HttpOnly. The SDK reads them from JavaScript on subsequent page loads, so they can’t be HTTP-only. The trade-off is documented; treat the value of a click identifier as low-sensitivity (it’s a tracking token, not a credential).
When cookies are written
Section titled “When cookies are written”clickIdentifierStorage controls the storage mode. Default: 'cookie'.
clickIdentifierStorage | consentMode | ad_storage | Cookie written? |
|---|---|---|---|
'cookie' | 'off' | n/a | yes, immediately |
'cookie' | 'v2' | 'granted' | yes, immediately |
'cookie' | 'v2' | 'denied' | no |
'cookie' | 'v2' | unknown | no — value held in memory until updateConsent is called |
'memory' | any | any | no — value held in memory only, lost on tab close |
'none' | any | any | no — captured value discarded immediately |
Cookie keys are hardcoded
Section titled “Cookie keys are hardcoded”The names are literal: _tb_gclid, _tb_gbraid, _tb_wbraid. The _tb_ prefix is not configurable. Don’t try to share these cookies with another tracking library that uses the same names — Trackbridge will overwrite them on init.
What’s NOT in cookies
Section titled “What’s NOT in cookies”- No user data. The SDK never writes email, phone, name, or address into cookies. Identity fields are passed as call arguments and sent to Google directly, not stored locally.
- No session token. Trackbridge does not maintain its own session.
- No transaction IDs. The dedup key is supplied per call; nothing about it is persisted by the SDK.
- No GA4 client ID. GA4’s
_gacookie is written by gtag itself, not by Trackbridge. The server tracker reads its value from your application code, not from a Trackbridge cookie.
Cross-subdomain sharing
Section titled “Cross-subdomain sharing”If your site spans hosts (www.example.com for marketing, app.example.com for the product, checkout.example.com for payment), set cookieDomain so the click identifier captured on landing is readable when the user converts:
createBrowserTracker({ // ... cookieDomain: '.example.com',});The leading . is conventional but not required by browsers; either form works. See Cross-subdomain tracking for the full pattern (including matching the cookieDomain across deployments).
See also
Section titled “See also”- Click identifiers (gclid / gbraid / wbraid)
- Consent Mode v2
createBrowserTracker—cookieDomain,cookieExpiryDays,clickIdentifierStorage.