Docs · Guide

First-party proxy

A first-party proxy routes the Statlark script andits event beacons through your own domain, so they’re same-origin instead of cross-origin. That dodges host-based ad-blockers and keeps visitor geography working — with no changeto the tracker or the collector. It’s an optional upgrade over the default install.

The default: a zero-config hosted collector

The one-line snippet already works out of the box. The script loads from statlark.comand events post to Statlark’s hosted collector, which stamps each visit’s country, region and city from the edge — so you get geography with zero setup.

<script defer src="https://statlark.com/script.js" data-website-id="sl_xxxx"></script>

The only downside is that both requests go to a Statlark host, which browser extensions that block by hostname can recognise and drop. If that matters for your audience, proxy through your own domain instead.

How the proxy works

You expose two paths under a segment on your own domain — say /q3v/ — and point the snippet at them:

  • GET /q3v/s.js — rewrites to https://statlark.com/script.js (the unchanged tracker).
  • POST /q3v/e — forwards the event beacon to the collector. It forwards only the geo and user-agent headers, and never the Cookie or Authorizationheader — going same-origin means the beacon now carries your site’s first-party cookies, and those must not reach the collector.

Then the snippet becomes relative, with a data-api override:

<script defer src="/q3v/s.js" data-website-id="sl_xxxx" data-api="/q3v/e"></script>

Set it up

You don’t have to hand-write any of this. Open Settings → Install and use the first-party proxy option: Statlark generates the exact recipe for your site — a derived path segment, the rewrite, the forwarding route, and the swapped snippet — as a set of steps you can follow by hand or paste straight into your coding agent (the recipe assumes Next.js on Vercel; the same two-path shape works on any stack).

If your app has auth middleware, exclude the proxy segment from its matcher so the script and beacon aren’t auth-gated or handed a Set-Cookie on every hit.

Verify & roll back

A working proxy means GET /q3v/s.js (or your derived segment) returns the tracker JavaScript and POST /q3v/e returns 202. The Install screen’s verification check confirms it end-to-end. To roll back, revert the snippet to the direct https://statlark.com/script.js form (drop data-api) — nothing else changes.

One caveat: cookieless mode can’t be combined with a first-party proxy — cookieless needs the hosted collector to derive its rotating visitor id. Pick one.