DataFirefly Server-Side — Complete guide
Install, connect and operate the free server-side connector for PrestaShop 8 and 9: credentials, test event, consent and troubleshooting.
Overview
DataFirefly Server-Side is the free PrestaShop connector for the DataFirefly Server-Side Tracking service. Every time an order is validated, the module builds a complete purchase event and sends it server-to-server, HMAC-SHA256 signed, to the EU-hosted DataFirefly dispatcher (Germany). The service then delivers the event to your configured destinations: Meta Conversions API, GA4 Measurement Protocol, TikTok Events API, Pinterest Conversions API and Google Ads.
The split of roles is simple: the module captures and signs, the service ingests, deduplicates and delivers. The module is free; delivery requires a service subscription (Starter from €39/month).
A tracking hiccup will never break your checkout: the module is fail-safe by design (2 s / 4 s timeouts, errors logged to the PrestaShop logs, no exception ever reaches the order funnel).
Requirements
- PrestaShop 1.7.6 or above, 8.x or 9.x
- PHP 7.4 or above, with the cURL extension (present on virtually all hosting)
- An active DataFirefly Server-Side Tracking account — subscribe at server-side.datafirefly.com
- Recommended: our DataFirefly Cookie Manager module (compliant tarteaucitron banner with Google Consent Mode v2) for the native consent gate
Installation
- Download the module ZIP from your DataFirefly account.
- In the PrestaShop back office, open Modules > Module Manager > Upload a module and drop the
datafirefly_serverside.zipfile. - Click Install. The module registers on the order validation hook; no overrides or theme changes are needed.
On installation, tracking is disabled and the consent requirement is enabled: nothing is sent until you configure and enable the module.
Getting your credentials
- Log in to your DataFirefly client space (or subscribe if you haven’t yet).
- Open the Connect your shop section of your site.
- Copy the three values shown: the Tenant ID (in the form
shop_yourstore_xxxx), the HMAC secret (64-character signing key) and the events endpoint.
The HMAC secret is a private key: don’t share it and don’t paste it anywhere other than the module configuration. If it ever leaks, regenerate it from your client space.
Configuration
Open Modules > Module Manager > DataFirefly Server-Side > Configure. The form has five settings:
- Enable tracking — the main switch. While it’s set to No, no event is sent.
- Tenant ID — your shop’s identifier in the service, copied from your client space.
- HMAC secret — the 64-character signing key. Every event is signed with this key before sending.
- Events endpoint — the dispatcher’s ingestion URL. The default value is right in virtually all cases; only change it if your client space tells you otherwise.
- Require consent — enabled by default. When active, the purchase is only forwarded if the visitor granted marketing consent (see below). Disable it only if you handle consent upstream with another setup.
Save, then move on to the test.
Testing the connection
Click Send test event in the configuration form. The module sends a signed, synthetic page_view to the dispatcher — without touching real orders.
- “Test event delivered” (HTTP 200): your Tenant ID, secret and endpoint are correct. Your shop is connected, even if no destination is configured on the service side yet.
- “Test event failed”: the HTTP code and the dispatcher’s message are shown for diagnosis (see Troubleshooting).
Consent (GDPR)
When Require consent is active, the module reads — directly server-side, at order validation time — the tarteaucitron-format consent cookie set by our DataFirefly Cookie Manager module (Google Consent Mode v2). The cookie name is picked up automatically from the Cookie Manager configuration (default tarteaucitron).
The purchase is forwarded if the visitor consented to at least one advertising service: Meta Pixel, Google Ads, TikTok Pixel or LinkedIn Insight. The approach is privacy-first: no cookie, or an unreadable one, means no send.
This is the recommended combination on PrestaShop: the Cookie Manager handles the banner, Consent Mode v2 and consent proof; this module applies the same decision to server-side tracking. One source of truth for the whole chain.
If you handle consent with another setup, disable Require consent and apply your own logic upstream: it’s then up to your setup to guarantee that no order comes from a non-consenting visitor.
What is sent
For every validated order, the module builds a purchase event with:
- Transaction: paid amount, ISO currency, order reference, products (id, name, quantity, tax-included unit price) and total item count.
- Match data: email and customer id, phone, first name, last name, city, postcode and ISO country from the invoice address (falling back to the delivery address).
- Browser identifiers captured at order time:
_fbpand_fbc(Meta),_ttp(TikTok) and the GA4 client id extracted from the_gacookie.
Every optional field is added only when present and valid: the dispatcher validates strictly, and a well-formed event is a delivered event. The event id is keyed to the order (order_ID), idempotently — it’s what enables client + server deduplication on the platforms if you also run browser tags.
On the wire, every request carries three headers: the tenant, the timestamp (checked within a 300-second anti-replay window) and the HMAC-SHA256 signature of the exact request body. Your Meta, GA4, TikTok, Pinterest and Google Ads credentials stay in your DataFirefly space: neither the shop nor the browser ever sees them.
Monitoring your events on the service side
In your client space, the Event Inspector shows events one by one, with personal data masked (GDPR-compliant). That’s where you verify what is actually delivered to each destination. Platform availability can be checked at any time on the public status page.
Troubleshooting
The test event fails with “not_configured”
One of the three fields (Tenant ID, secret, endpoint) is empty. Re-copy all three values from your client space and save before retesting.
The test event fails with HTTP 401 or 403
The signature is rejected: the HMAC secret doesn’t match the tenant, or the Tenant ID is wrong. Re-copy both values without spaces or line breaks. Also check that your server clock is correct (NTP): an offset above 300 seconds fails the anti-replay window.
The test event fails with “curl: …” or HTTP 0
Your server can’t reach the dispatcher: outbound firewall, DNS or proxy. Allow outbound HTTPS connections to the endpoint shown in your client space.
The test passes, but no orders arrive
- Check that Enable tracking is set to Yes.
- If Require consent is active, only orders from visitors who consented to an advertising service are forwarded. Place a test order after accepting advertising cookies in the banner.
- Check Advanced Parameters > Logs in the back office: every delivery failure is logged there with the HTTP code and the order id (prefix
[DataFirefly SS]).
Conversions are counted twice
Not possible on the module side: the event id is idempotent per order. If you also run browser tags outside the service, make sure they send the same event id (order_ID) so the platforms deduplicate.
Uninstalling
Uninstalling removes the module’s entire configuration (tenant, secret, endpoint, settings). No database table is created: the module stores nothing besides its configuration.