Dashboard

Every browser tells a story. We catch the fictions.

Browser fingerprinting that catches fraud without false-positively challenging real customers. Calibrated risk scores, calibrated outcomes.

Talk to us or read the docs

Three audiences. One signal.

Browser fingerprinting is rarely just about one team. The same signal shapes outcomes for businesses, platforms, and the people who use them.

  • For companies

    Fraud teams, security engineers, platform PMs. The teams that pay when fraud lands and the teams that pay when real customers churn.

  • For platforms

    Marketplaces, social networks, multi-sided platforms. Trust between users matters more than ever; sybil-resistance is a moat.

  • For people

    End-users. The under-discussed stakeholder. The people who get false-positively challenged, blocked, or asked to solve CAPTCHAs for being on Brave.

→ Read use cases per audience in docs

What it does.

Six capabilities. Each one rooted in a real business outcome.

  • Risk Scoring

  • Bot Detection

  • Operator Console

  • Edge-First Latency

  • Privacy by Construction

  • Open Integration

→ Detailed feature reference

From signal to decision.

Four stages. The browser collects, the token carries the signal, the score is calibrated server-side, and your code makes the call.

Browser

The SDK collects 30+ browser signals client-side — canvas, WebGL, audio, fonts, hardware markers. Loaded async, never blocks DOMContentLoaded.

Token

The signals are wrapped in a signed token (ES256) and sent to your backend. The token can't be replayed; it carries the full fingerprint.

Score

Your server calls verify(). We return a 5-tier risk + confidence + flag trace. No DNS lookup; p99 under 12ms at the edge.

Decision

Your code reads the risk tier and decides. Block, challenge, observe, or allow — your policy, our receipt.

→ Read the full integration flow in docs

What we measure.

Four layers of signal, composed into one calibrated fingerprint. Each layer answers a different question — together, they're the difference between a verdict and a measurement.

  • Browser intelligence

    Is the browser real?

    Catch automated traffic, masked browsers, and synthetic visitors the moment they arrive — before they reach your signup, login, or checkout. Real customers pass through. Fake ones don't.

    → Detection categories

  • Network signals

    Is the network safe?

    Spot suspicious origins and high-risk infrastructure without punishing legitimate traffic. Remote workers, VPN users, and corporate networks stay welcome. Wholesale fraud sources get flagged.

    → Detection categories

  • Hardware verification

    Is the device real?

    Verify the real device behind the session — not just the software running on it. Genuine users on genuine devices breeze through. Bots running on shared, throwaway infrastructure surface immediately.

    → Detection categories

  • Behavioral fingerprints

    Is the user real?

    Tell a real person from a script by the rhythm of how they interact with the page. Humans hesitate, correct themselves, and explore. Automation moves with a tell-tale precision it can't hide.

    → Detection categories

Four layers of signal, each answering a different question. Together they're the difference between a verdict and a measurement.

What we catch.

Six categories of threat. Each one tuned to catch automation, fraud, and abuse — without false-positively challenging real customers.

  • Automation & bots Recognize automated traffic before it reaches login, signup, or checkout.
  • Fingerprint tampering Surface deliberate evasion attempts without blocking honest privacy choices.
  • Infrastructure abuse Identify the wholesale-fraud signal — without misfiring on remote workers.
  • Privacy-browser handling Welcome legitimate privacy users while still catching the actors hiding among them.
  • Hardware attestation Verify the device is what it claims to be — not just the browser running on it.
  • Behavioral anomalies Catch the sessions that look human on paper but don't behave like a person.

→ See all detection methodology in docs

Why we don't tell you 'this is a bot.'

Most fingerprinting services tell you what you want to hear: bot or human. Binary. Clean. Wrong. We tell you what the signal actually says, with confidence — and let your code decide.

// We don't tell you 'this is a bot.'

// We tell you risk: medium, confidence: 0.87.

// You decide.

→ Read the full essay

See it in production.

Where signals become decisions. The operator console — search, compare, audit, decide.

[ screenshot ] /screenshots/fingerprints-list.svg Backoffice screenshot: Fingerprints list with risk badges, country flags, and 4-way compare staging.
The Fingerprints list — search, filter, and compare devices side-by-side.
[ screenshot ] /screenshots/fingerprint-detail.svg Backoffice screenshot: per-fingerprint detail page showing score gauge, full signal list, and flag breakdown.
Per-fingerprint detail. Every signal, every detection, every decision — visible.
[ screenshot ] /screenshots/dashboard.svg Backoffice screenshot: aggregate analytics dashboard with risk distribution and anomaly trends.
Aggregate analytics. Risk distribution. Anomaly trends.
[ screenshot ] /screenshots/audit-log.svg Backoffice screenshot: audit trail listing every API call and operator action with timestamps.
Audit trail. Every API call. Every operator action.
[ screenshot ] /screenshots/api-config.svg Backoffice screenshot: API keys, domains, and rate-limit configuration panel.
API keys. Domains. Rate limits. All operator-managed.

What success looks like.

Real numbers from real integrations. Bias toward false-negative; bias toward customer retention.

47%
median chargeback reduction (90 days)
0.4%
false-positive rate, default config
~5ms
median verify latency at edge

  • Marketplace

    Sybil rings caught before review-bombing — by signal, not by IP.

  • Financial services

    New-device challenges instead of blocks. Real customers feel nothing.

  • Identity-sensitive platforms

    Magic-link clicks verified by fingerprint match. Phishing kits stop here.

→ See full use cases in docs

Honest signals. Testable claims.

Six properties that hold up on inspection. No vendor magic — every one of them is auditable against the product surface.

  • EU data residency

  • GDPR-ready

  • Open SDK source

  • No PII collected

  • p99 verify <12ms

  • Calibrated, not magical

What we believe.

Operating constraints that show up everywhere — in the SDK, in the API, in the operator console.

  • Calibration over verdicts

    You own the policy. We hand you the evidence.

  • The source is the documentation

    Every threshold is documented and tunable. No black box.

  • False positives are not acceptable losses

    A blocked customer never comes back. We bias against that.

  • Privacy by construction

    No PII. No third-party calls. We can't sell what we never collected.

→ Read each principle in detail

Five tiers. No sales call.

Self-serve through Starter, Growth, Scale, and Professional. Enterprise gets a real human conversation, not a 'request a demo' form.

  • Starter

    Small sites and side projects. 2M API requests, 200K events/month, 1-day retention.

    $199 /month

    billed annually · 30% less than monthly

    See plan details →
  • // most popular

    Growth

    Production teams shipping fast. 5M API requests, 500K events/month, 2-day retention, API access.

    $499 /month

    billed annually · 30% less than monthly

    See plan details →

  • Scale

    High-traffic apps and platforms. 12M API requests, 1.2M events/month, 2-day retention, custom integrations.

    $999 /month

    billed annually · 30% less than monthly

    See plan details →

  • Professional

    Demanding production workloads. 30M API requests, 3M events/month, 7-day retention, priority support.

    $1,999 /month

    billed annually · 30% less than monthly

    See plan details →

  • Enterprise

    Custom limits, SSO/SAML, SLA, dedicated support, on-prem available.

    Custom
    See plan details →

See full pricing comparison →

Questions engineers ask.

Real questions from real integrations. If yours isn't here, the docs probably cover it.

Does this work with Tor?

Tor exits get a default risk of `medium` from the IP signal (datacenter_asn + known-exit lists), but the fingerprint itself is still computed. If your application explicitly allows Tor — journalism, sensitive search, abuse-survivor flows — set `tor_policy: 'allow'` in the verify call to suppress the IP-based scoring while keeping every other signal active. The flag stays in the response either way; you just decide whether it counts toward the score.

What about privacy-focused browsers — Brave, LibreWolf, Tor?

All work. Each has distinctive fingerprints — Brave's farbling, LibreWolf and Tor Browser profiles are all known to our population data. Tracking-prevention features don't break verification; they just yield different (still consistent) fingerprints. We flag the protection level as an honest signal rather than silently penalizing the user.

What's your false-positive rate?

Depends on the threshold you trigger on. With defaults (risk ≥ high → challenge), our internal benchmark against a ground-truth set of 4.2M real user sessions measures ~0.4% false positives. At risk = critical only, the FP rate drops to ~0.07%. Both numbers are continuously updated and visible in the operator dashboard, broken down by browser family and country so you can see where the misses come from.

Do we need to run a backend?

Yes — the SDK collects in the browser and emits a signed token; verification happens server-side via our REST API. The token has the full fingerprint embedded and is verified cryptographically (ES256, `kid: nox-2026-01`), so `verify()` does no DNS lookups during a request. p99 verification latency is under 5ms because it's a signature check plus a cache lookup, not a re-collection.

GDPR / CCPA compliance?

We're a sub-processor under your DPA, with our own DPA available on request. We process fingerprints as 'personal data' because they could re-identify a returning visitor — full Article 28 controls apply. No third-country transfers; infrastructure is EU-resident (Cloudflare EU-only routing). Hard-delete on request via the backoffice. We can sign DPAs in 24h. Subprocessor list is at `/subprocessors`.

Five more questions live in the docs — on-prem, iframes, network behavior, threshold tuning, and Noxtica vs. CAPTCHA. → See all questions in docs

Start protecting your users today.

Stop fraud before it lands. Keep real customers moving. Get the calibration that fits your traffic — and a team that actually picks up the phone.

What you get

A partner, not a pricing page.

Everything you need to ship with confidence — and nothing you don't.

Get your API key