# MIM4U First-Party Analytics Endpoint

**Purpose:** Allow key events (page views, CTA clicks, form submissions) to be measured even when ad blockers block Google Analytics. The frontend sends a copy of each event to a first-party endpoint.

## Frontend behavior

When cookie consent is **accept**, the app sends events to:

- **Google Analytics** (when `gtag` is available)
- **First-party fallback:** `POST /api/events` (fire-and-forget, `keepalive: true`)

Request body is a JSON object:

```json
{
  "event": "page_view",
  "properties": {
    "page": "/",
    "title": "Miracles In Motion | ...",
    "timestamp": "2026-02-26T12:00:00.000Z",
    "url": "https://mim4u.org/"
  },
  "userId": null
}
```

Example event names: `page_view`, `cta_clicked`, `donation_completed`, `form_submission`, `volunteer_signup`.

## Backend (API on VMID 7811)

The API behind `/api/` (proxied from 7810 to 7811) should implement:

**`POST /api/events`**

- **Auth:** Optional; if you require auth, use a short-lived token or same-origin only (no CORS for other origins).
- **Body:** JSON as above.
- **Response:** `204 No Content` or `200 OK` (no body required).
- **Side effects:** Log to disk, forward to a server-side analytics pipeline (e.g. GA4 Measurement Protocol, Plausible, or internal DB). Do not expose PII in logs unless compliant with privacy policy.

If the endpoint is not implemented, the frontend `fetch` will 404; the app ignores failures and continues.

## Rate limiting

Nginx on 7810 applies `limit_req zone=api burst=5 nodelay` to `/api/`. Ensure `/api/events` is included in that path so abuse is limited.

## See also

- [MIM4U_502_ERROR_RESOLUTION.md](./MIM4U_502_ERROR_RESOLUTION.md) — nginx and proxy
- [MIM4U_UX_UI_TECHNICAL_REVIEW.md](./MIM4U_UX_UI_TECHNICAL_REVIEW.md) — analytics recommendations