diff --git a/src/cli/commands/auth/index.ts b/src/cli/commands/auth/index.ts
index 78acda421d..440f91b11b 100644
--- a/src/cli/commands/auth/index.ts
+++ b/src/cli/commands/auth/index.ts
@@ -12,6 +12,7 @@ import { MisconfiguredAuthInCI } from '../../../lib/errors/misconfigured-auth-in
 import { AuthFailedError } from '../../../lib/errors/authentication-failed-error';
 import { verifyAPI } from './is-authed';
 import { CustomError } from '../../../lib/errors';
+import { getUtmsAsString } from '../../../lib/utm';
 
 export = auth;
 
@@ -33,6 +34,7 @@ async function webAuth(via: AuthCliCommands) {
   };
 
   let urlStr = authUrl + '/login?token=' + token;
+  urlStr += '&' + getUtmsAsString();
 
   // validate that via comes from our code, and not from user & CLI
   if (redirects[via]) {
diff --git a/src/lib/utm.ts b/src/lib/utm.ts
new file mode 100644
index 0000000000..c77b33c4d1
--- /dev/null
+++ b/src/lib/utm.ts
@@ -0,0 +1,17 @@
+import * as url from 'url';
+
+const SNYK_UTM_MEDIUM = process.env.SNYK_UTM_MEDIUM || '';
+const SNYK_UTM_SOURCE = process.env.SNYK_UTM_SOURCE || '';
+const SNYK_UTM_CAMPAIGN = process.env.SNYK_UTM_CAMPAIGN || '';
+
+export function getUtmsAsString(): string {
+  /* eslint-disable @typescript-eslint/camelcase */
+  const utmQueryParams = new url.URLSearchParams({
+    utm_medium: SNYK_UTM_MEDIUM,
+    utm_source: SNYK_UTM_SOURCE,
+    utm_campaign: SNYK_UTM_CAMPAIGN,
+  });
+  /* eslint-enable @typescript-eslint/camelcase */
+
+  return utmQueryParams.toString();
+}