customerio-known-pitfalls
Identify and avoid Customer.io anti-patterns and gotchas. Use when reviewing integrations, onboarding developers, or auditing existing Customer.io code. Trigger: "customer.io mistakes", "customer.io anti-patterns", "customer.io gotchas", "customer.io pitfalls", "customer.io code review".
Best use case
customerio-known-pitfalls is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Identify and avoid Customer.io anti-patterns and gotchas. Use when reviewing integrations, onboarding developers, or auditing existing Customer.io code. Trigger: "customer.io mistakes", "customer.io anti-patterns", "customer.io gotchas", "customer.io pitfalls", "customer.io code review".
Teams using customerio-known-pitfalls should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/customerio-known-pitfalls/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How customerio-known-pitfalls Compares
| Feature / Agent | customerio-known-pitfalls | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Identify and avoid Customer.io anti-patterns and gotchas. Use when reviewing integrations, onboarding developers, or auditing existing Customer.io code. Trigger: "customer.io mistakes", "customer.io anti-patterns", "customer.io gotchas", "customer.io pitfalls", "customer.io code review".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# Customer.io Known Pitfalls
## Overview
The 12 most common Customer.io integration mistakes, with the wrong pattern, the correct pattern, and why it matters. Use this as a code review checklist and developer onboarding reference.
## The Pitfall Catalog
### Pitfall 1: Wrong API Key Type
```typescript
// WRONG — using Track API key for transactional messages
const api = new APIClient(process.env.CUSTOMERIO_TRACK_API_KEY!);
// Gets 401 because App API uses a DIFFERENT bearer token
// CORRECT — use the App API key
const api = new APIClient(process.env.CUSTOMERIO_APP_API_KEY!);
```
**Why:** Customer.io has two separate authentication systems. Track API uses Basic Auth (Site ID + Track Key). App API uses Bearer Auth (App Key). They are not interchangeable.
### Pitfall 2: Millisecond Timestamps
```typescript
// WRONG — JavaScript Date.now() returns milliseconds
await cio.identify("user-1", {
created_at: Date.now(), // 1704067200000 → year 55976
});
// CORRECT — Customer.io expects Unix seconds
await cio.identify("user-1", {
created_at: Math.floor(Date.now() / 1000), // 1704067200
});
```
**Why:** Customer.io accepts millisecond values without error but interprets them as seconds, resulting in dates thousands of years in the future. Segments using date comparisons silently break.
### Pitfall 3: Track Before Identify
```typescript
// WRONG — tracking before identifying creates orphaned events
await cio.track("new-user", { name: "signed_up", data: {} });
// User profile doesn't exist yet — event may be lost
// CORRECT — always identify first
await cio.identify("new-user", { email: "user@example.com" });
await cio.track("new-user", { name: "signed_up", data: {} });
```
**Why:** Track calls on non-existent users may be silently dropped. Always `identify()` before `track()`.
### Pitfall 4: Using Email as User ID
```typescript
// WRONG — email can change, creating duplicate profiles
await cio.identify("user@example.com", { email: "user@example.com" });
// When user changes email, old profile orphaned, new one created
// CORRECT — use immutable database ID
await cio.identify("usr_abc123", {
email: "user@example.com", // Email as attribute, not ID
});
```
**Why:** The first argument to `identify()` is the permanent user ID. If you use email and the user changes it, you get two profiles. Use your database primary key instead.
### Pitfall 5: Missing Email Attribute
```typescript
// WRONG — user can't receive email campaigns
await cio.identify("user-1", {
first_name: "Jane",
plan: "pro",
// No email attribute!
});
// CORRECT — always include email for email campaigns
await cio.identify("user-1", {
email: "jane@example.com",
first_name: "Jane",
plan: "pro",
});
```
**Why:** Without an `email` attribute, the user profile exists but can't receive any email campaigns or transactional messages.
### Pitfall 6: Dynamic Event Names
```typescript
// WRONG — creates hundreds of unique event names
await cio.track("user-1", {
name: `viewed_${productId}`, // "viewed_SKU-12345"
data: {},
});
// CORRECT — use a static name with data properties
await cio.track("user-1", {
name: "product_viewed", // Consistent, filterable
data: { product_id: productId }, // Dynamic data in properties
});
```
**Why:** Dynamic event names pollute your event catalog and make it impossible to create campaign triggers. Use a fixed set of event names and pass variations as data properties.
### Pitfall 7: Blocking Request Path
```typescript
// WRONG — API call adds 200ms+ to every request
app.post("/api/action", async (req, res) => {
const result = await doBusinessLogic(req.body);
await cio.track(req.user.id, { name: "action_taken", data: {} }); // BLOCKS response
res.json(result);
});
// CORRECT — fire-and-forget for non-critical tracking
app.post("/api/action", async (req, res) => {
const result = await doBusinessLogic(req.body);
cio.track(req.user.id, { name: "action_taken", data: {} })
.catch((err) => console.error("CIO track failed:", err.message));
res.json(result); // Returns immediately
});
```
**Why:** Customer.io tracking is non-critical analytics. Don't add 200ms+ latency to every user request.
### Pitfall 8: No Bounce Handling
```typescript
// WRONG — keep sending to bounced addresses, damaging sender reputation
// (No webhook handler for bounces)
// CORRECT — suppress users who bounce
async function handleBounceWebhook(event: { customer_id: string }) {
await cio.suppress(event.customer_id);
console.warn(`Suppressed bounced user: ${event.customer_id}`);
}
```
**Why:** Continuing to send to bounced addresses damages your sender reputation, eventually causing all your emails to go to spam.
### Pitfall 9: New Client Per Request
```typescript
// WRONG — creates a new TCP connection for every API call
app.post("/track", async (req, res) => {
const cio = new TrackClient(siteId, apiKey, { region: RegionUS });
await cio.track(req.body.userId, req.body.event);
res.sendStatus(200);
});
// CORRECT — singleton, created once
const cio = new TrackClient(siteId, apiKey, { region: RegionUS });
app.post("/track", async (req, res) => {
await cio.track(req.body.userId, req.body.event);
res.sendStatus(200);
});
```
**Why:** Each `new TrackClient()` creates fresh connections. Singleton reuses TCP connections, reducing latency by 50-80%.
### Pitfall 10: Inconsistent Event Names
```typescript
// WRONG — multiple naming conventions
await cio.track(userId, { name: "UserSignedUp" }); // PascalCase
await cio.track(userId, { name: "user-signed-up" }); // kebab-case
await cio.track(userId, { name: "user signed up" }); // spaces
// CORRECT — consistent snake_case everywhere
await cio.track(userId, { name: "user_signed_up" });
```
**Why:** Event names are case-sensitive. Inconsistent naming means campaign triggers only match one variant, and your event catalog becomes a mess.
### Pitfall 11: No Rate Limiting
```typescript
// WRONG — blasting API at full speed during import
for (const user of allUsers) {
await cio.identify(user.id, user.attrs); // 1000+ req/sec → 429 errors
}
// CORRECT — rate-limited processing
import Bottleneck from "bottleneck";
const limiter = new Bottleneck({ maxConcurrent: 10, minTime: 15 });
for (const user of allUsers) {
await limiter.schedule(() => cio.identify(user.id, user.attrs));
}
```
**Why:** Customer.io rate limits at ~100 req/sec. Without throttling, bulk operations trigger 429 errors and potentially get your API key temporarily blocked.
### Pitfall 12: PII in Event Names
```typescript
// WRONG — PII in event names is unsanitizable
await cio.track(userId, { name: `email_sent_to_john@example.com` });
// CORRECT — PII only in data properties (can be deleted per GDPR)
await cio.track(userId, {
name: "email_sent",
data: { recipient: "john@example.com" },
});
```
**Why:** Event names are indexed and cached. PII in event names can't be deleted for GDPR compliance. Always put PII in event `data` properties.
## Quick Reference
| # | Pitfall | Fix |
|---|---------|-----|
| 1 | Wrong API key type | Track key for tracking, App key for transactional |
| 2 | Millisecond timestamps | `Math.floor(Date.now() / 1000)` |
| 3 | Track before identify | Always `identify()` first |
| 4 | Email as user ID | Use immutable database ID |
| 5 | Missing email attribute | Include `email` in `identify()` |
| 6 | Dynamic event names | Static names, dynamic data properties |
| 7 | Blocking request path | Fire-and-forget with `.catch()` |
| 8 | No bounce handling | Suppress bounced users via webhook |
| 9 | New client per request | Singleton pattern |
| 10 | Inconsistent event names | Always `snake_case` |
| 11 | No rate limiting | Use Bottleneck or p-queue |
| 12 | PII in event names | PII in `data` properties only |
## Integration Audit Script
```bash
# Quick grep audit for common pitfalls in your codebase
echo "=== Customer.io Pitfall Audit ==="
echo "--- Checking for Date.now() without /1000 ---"
grep -rn "created_at.*Date.now()" --include="*.ts" --include="*.js" \
| grep -v "/ 1000" || echo "OK"
echo "--- Checking for new TrackClient inside functions ---"
grep -rn "new TrackClient" --include="*.ts" --include="*.js" \
| grep -v "^.*const\|^.*let\|^.*export" || echo "OK"
echo "--- Checking for dynamic event names ---"
grep -rn "name:.*\`" --include="*.ts" --include="*.js" \
| grep "track\|Track" || echo "OK"
echo "--- Checking for blocking await in routes ---"
grep -rn "await.*cio\.\|await.*track\.\|await.*identify" --include="*.ts" \
| grep "router\.\|app\." || echo "Review these for fire-and-forget"
```
## Resources
- [Customer.io Best Practices](https://docs.customer.io/get-started/)
- [Track API Reference](https://docs.customer.io/integrations/api/track/)
- [customerio-node SDK](https://github.com/customerio/customerio-node)
## Next Steps
After reviewing pitfalls, use `customerio-reliability-patterns` for fault tolerance.Related Skills
windsurf-known-pitfalls
Identify and avoid Windsurf anti-patterns and common mistakes. Use when onboarding new developers to Windsurf, reviewing AI workflow practices, or auditing Windsurf configuration for issues. Trigger with phrases like "windsurf mistakes", "windsurf anti-patterns", "windsurf pitfalls", "windsurf what not to do", "windsurf gotchas".
vercel-known-pitfalls
Identify and avoid Vercel anti-patterns and common integration mistakes. Use when reviewing Vercel code for issues, onboarding new developers, or auditing existing Vercel deployments for best practice violations. Trigger with phrases like "vercel mistakes", "vercel anti-patterns", "vercel pitfalls", "vercel what not to do", "vercel code review".
supabase-known-pitfalls
Avoid and fix the most common Supabase mistakes: exposing service_role key in client bundles, forgetting to enable RLS, not using connection pooling in serverless, .single() throwing on empty results, missing .select() after insert/update, not destructuring { data, error }, creating multiple client instances, and not using generated types. Use when reviewing Supabase code, onboarding developers, auditing an existing project, or debugging unexpected behavior. Trigger with phrases like "supabase mistakes", "supabase anti-patterns", "supabase pitfalls", "supabase code review", "supabase gotchas", "supabase debugging", "what not to do supabase", "supabase common errors".
snowflake-known-pitfalls
Identify and avoid Snowflake anti-patterns and common mistakes in SQL, warehouse management, data loading, and access control. Use when reviewing Snowflake configurations, onboarding new users, or auditing existing Snowflake deployments for best practices. Trigger with phrases like "snowflake mistakes", "snowflake anti-patterns", "snowflake pitfalls", "snowflake what not to do", "snowflake code review".
shopify-known-pitfalls
Identify and avoid Shopify API anti-patterns: ignoring userErrors, wrong API version, REST instead of GraphQL, missing GDPR webhooks, and webhook timeout issues. Trigger with phrases like "shopify mistakes", "shopify anti-patterns", "shopify pitfalls", "shopify what not to do", "shopify code review".
sentry-known-pitfalls
Identify and fix common Sentry SDK pitfalls that cause silent data loss, cost overruns, and missed alerts. Covers 10 anti-patterns with fix code. Use when auditing Sentry config, debugging missing events, or reviewing SDK setup. Trigger: "sentry pitfalls", "sentry anti-patterns", "sentry mistakes", "why are sentry events missing".
salesforce-known-pitfalls
Identify and avoid Salesforce anti-patterns including SOQL N+1, governor limit violations, and API waste. Use when reviewing Salesforce code for issues, onboarding new developers, or auditing existing Salesforce integrations for best practices violations. Trigger with phrases like "salesforce mistakes", "salesforce anti-patterns", "salesforce pitfalls", "salesforce what not to do", "salesforce code review".
retellai-known-pitfalls
Retell AI known pitfalls — AI voice agent and phone call automation. Use when working with Retell AI for voice agents, phone calls, or telephony. Trigger with phrases like "retell known pitfalls", "retellai-known-pitfalls", "voice agent".
replit-known-pitfalls
Avoid the top Replit anti-patterns: ephemeral filesystem, public secrets, port binding, Nix gotchas, and database limits. Use when reviewing Replit code, onboarding developers, or auditing existing Replit apps for common mistakes. Trigger with phrases like "replit mistakes", "replit anti-patterns", "replit pitfalls", "replit what not to do", "replit code review".
perplexity-known-pitfalls
Identify and avoid Perplexity anti-patterns and common integration mistakes. Use when reviewing Perplexity code, onboarding new developers, or auditing existing integrations for best practices violations. Trigger with phrases like "perplexity mistakes", "perplexity anti-patterns", "perplexity pitfalls", "perplexity code review", "perplexity gotchas".
openrouter-known-pitfalls
Avoid common OpenRouter integration mistakes and gotchas. Use proactively when starting a new integration or reviewing existing code. Triggers: 'openrouter pitfalls', 'openrouter gotchas', 'openrouter mistakes', 'openrouter best practices'.
notion-known-pitfalls
Common Notion API mistakes: wrong page ID format (dashes), rich text array structure, block children not returned with page, pagination required for all lists, 3 req/sec shared across endpoints, not sharing pages with integration. Use when debugging or reviewing Notion code. Trigger with phrases like "notion mistakes", "notion pitfalls", "notion common errors", "notion gotchas", "notion debugging".