Who is this for? Backend engineers and game server developers who need to send events from server-side code — purchase confirmations, server-authoritative game events, or login handlers.
When to Use the REST API
| You want to… | Use this |
|---|---|
| Passively capture page views and clicks on a marketing site | Tracking Pixel |
| Instrument a web app with typed, explicit events | Web SDK |
| Send events from your game server, backend, or webhook handler | REST API |
| Send purchase confirmations or server-verified identity events | REST API |
What You Need
- An Immutable Hub account with a project (get started here)
- A publishable key from your project settings (API keys guide)
Quick Start
Authentication
All requests require a publishable key in thex-immutable-publishable-key header. Manage your keys in Immutable Hub — see the API Keys guide for how to create one.
| Environment | Base URL | Key prefix |
|---|---|---|
| Sandbox | https://api.sandbox.immutable.com | pk_imapik-test- |
| Production | https://api.immutable.com | pk_imapik- |
Consent
You are responsible for obtaining and recording user consent before sending tracking events. The REST API does not enforce consent on your behalf — only send what the user has consented to. The same three-tier model (none / anonymous / full) applies as with the Tracking Pixel and Web SDK. See the Data Dictionary → Consent Model for what each level allows. In brief: at none send nothing; at anonymous omit userId and PII; at full send everything.
Recording Consent
Call this when a user accepts or declines tracking:204 No Content
| Field | Type | Required | Description |
|---|---|---|---|
anonymousId | string | Yes | The anonymous ID used in your events. Max 256 chars. |
status | string | Yes | none, anonymous, or full |
source | string | Yes | Where the consent decision originated (e.g. cookie-banner-v1). Max 128 chars. |
Reading Consent
Retrieve a stored consent preference at session start:{ "status": "not_set" }. Treat not_set the same as none.
API Reference
Endpoints
| Method | Path | Purpose |
|---|---|---|
| POST | /v1/audience/messages | Ingest up to 100 events per request |
| GET | /v1/audience/tracking-consent?anonymousId= | Read stored consent status |
| PUT | /v1/audience/tracking-consent | Record a consent decision |
| DELETE | /v1/audience/data?anonymousId= or ?userId= | GDPR erasure request — coming soon |
Sending Events
Headers:| Header | Required | Value |
|---|---|---|
Content-Type | Yes | application/json |
x-immutable-publishable-key | Yes | Your publishable key |
200 OK even if some messages fail validation — invalid messages are silently skipped. Check the rejected count to detect failures. A 400 means the entire request failed (invalid key or malformed body).
Message Schema
| Field | Type | Required | Description |
|---|---|---|---|
type | string | Yes | track, identify, alias, page, or screen |
messageId | string (UUID) | Yes | Unique per message — used for deduplication |
eventTimestamp | string (ISO 8601) | Yes | When the event occurred, not when you send it. Must include a timezone offset (e.g. 2026-04-08T12:00:00Z). Up to 30 days in the past accepted. |
context | object | Yes | Must include library (your system name) and libraryVersion |
userId | string | — | Your canonical user ID. Required on most types unless anonymousId is set. |
anonymousId | string | — | Anonymous device or session ID. Required if userId is absent. |
surface | string | — | web, pixel, unity, or unreal |
pageUrl, pagePath, and pageReferrer accept up to 2048.
Optional fields inside the context object
Optional fields inside the context object
Use these to pass environment metadata alongside the required
library and libraryVersion. Include whichever are relevant — all are optional.| Field | Description |
|---|---|
userAgent | Browser or client user agent |
browserLanguage | Browser language from navigator.language (e.g. en-US) |
locale | App or game locale setting (e.g. en-US) |
timezone | e.g. America/New_York |
screen | Screen resolution (e.g. 1920x1080) |
pageUrl | Full page URL |
pagePath | URL path only |
pageReferrer | Referrer URL |
pageTitle | Page title |
Event Types
track
track
Record a named event. The most common message type.Also required: Use any
eventName, plus userId or anonymousIdeventName. Predefined events have defined property schemas — see the Data Dictionary for the full list. Custom event names are also supported.identify
identify
Associate a user ID with traits. Send when a user logs in, creates an account, or updates their profile.Also required:
userId or anonymousIdidentityType values: passport, steam, epic, google, apple, discord, email, customalias
alias
Link two identities together — for example, connecting an anonymous visitor to a known user, or linking a Steam ID to a Passport user ID.Also required: When linking accounts, send
fromId, toId (must be different). from is the external or anonymous ID; to is the canonical user ID.alias and identify together in the same batch request.page
page
Record a page view. Useful for server-side rendering where you capture page loads on the server.Also required:
userId or anonymousIdscreen
screen
Record a screen view in a game client or app. Same schema as
page.purchase, progression, resource, sign_up, and more), see the Data Dictionary.
Error Responses
| Status | Meaning |
|---|---|
200 | Request accepted. Check accepted and rejected counts. |
400 | Malformed request body or key format invalid. |
401 | Publishable key not recognised — check your key is correct. |
500 | Server error — retry with exponential back-off. |
Next Steps
Data Dictionary
Predefined event schemas and property definitions
Attribution
How tracking data powers player attribution
Tracking Pixel
Lightweight snippet for marketing sites
Web SDK
Typed SDK for web apps and games