Fraud overview

Stytch offers a flexible suite of products to help prevent fraud on your platform while ensuring your user facing flows remain responsive and friction-free.

Device Fingerprinting


Get beta access

Our Device Fingerprinting product allows you to identify and track devices that are used to access your application and build robust device and browser identifiers that you can use for fine-grained traffic shaping.

Stytch's Device Fingerprinting provides a set of customizable tools to accurately vet devices and take action based on that information. Stytch’s device fingerprints remain stable across incognito browsing, webviews, VPNs, changes to user agent or IP addresses, and more.

Key features
  • Device classification grouping.

    Stytch automatically classifies devices into categories based on the level of trust (e.g. likelihood that it is a bot or malicious traffic). You can customize rules and set the actions taken based on the grouping that a device falls into.

  • Globally unique IDs.

    A unique identifier is provided for each device; you can leverage this ID to create granular controls and identify devices across logins.

  • Pre-built actions.

    Stytch provides three default suggested actions – Allow, Block, and Challenge – that can be leveraged for each device grouping or unique device ID.

Device Fingerprinting let's you easily build the use cases like the following:
  • Detecting cross-session abuse patterns.

    Bad actors churning/rotating local data storage, cookies, etc.

  • Increasing friction or explicitly blocking bad actors.

    Prompt bad actors to complete a CAPTCHA or block them entirely.

  • Decreasing friction for returning users on future logins.

    Let your valid users through without forcing multi-factor authentication every time if you’ve already seen this user and device.

  • Customizing anonymous user experiences.

    Provide a login-less or a semi-anonymous user experience to customize the experience for a user that visits your site without introducing login friction.

Getting started with Device Fingerprinting

Step 1: Enable your Project for Device Fingerprinting

Reach out to Stytch to be enabled for Device Fingerprinting. Device Fingerprinting is still in an open beta, to take part in the beta, just reach out to us and we can enable you for this new product.

Step 2: Add Device Fingerprinting to your app

You only need to add a simple script tag to the HEAD or BODY of your app.

    <script src=></script>

Once that is live in your app, you'll be collecting Stytch Device Fingerprinting data automatically, no other work necessary.

Step 3: In-house decisioning, or base it on Stytch?

Our Device Fingerprinting product can be used in two ways:

Collection only

In this mode, Device Fingerprinting will collect information about devices using your app and you'll use our Lookup endpoint to receive all of that data directly. This lets you make the rules, decisions, and generate insights based on the raw data from Stytch.

If you'd like to build your own insights on the raw data, skip directly to step 5.

Collection and decisioning

In this mode, Stytch will collect the data, but we'll also return a score based on our own algorithms to help you make a confident decision on what action to take with a given device or user.

If you'd like to use this mode, go on to step 4.

Step 4: Integrate decisioning from Stytch (optional)

First you'll add an onclick() handler to your login button, or any other flow that you'd like to protect.

Call the async function GetTelemetryID(). This function will promise resolve the telemetry GUID for a give request. You should pass this telemetry GUID along with the sensitive request as an X header or as a URL parameter.

When your backend receives a sensitive request, do the following:

  1. Extract the telemetry GUID from the header or URL argument.
  2. Do a Lookup call (see step 5).
  3. Parse the JSON response and use that data to make your decision.

From Stytch you'll receive one of the following values for action in your Lookup call:

  • ALLOW: Stytch has determined that this traffic is from a real human and should be allowed to proceed without any additional friction.
  • CHALLENGE: Stytch detected that this traffic came from scripted traffic, e.g. a Python script, or otherwise did not meet our ALLOW ruleset. This attempt should be stepped up in friction, e.g. served a CAPTCHA or be prompted to complete a second authentication factor, before moving forward.
  • BLOCK: Stytch detected active tampering or traffic came from an IP address with known bad reputation, e.g. TOR exit nodes. This attempt should be blocked from performing any additional action.

An example of what this might look like:

    <script src=></script>
    <button id="login" onclick="login()">Click here to log in!</button>
        function login() {
            GetTelemetryID().then((session_id) => {
                var request = new XMLHttpRequest();
      'POST', '', true);
                request.setRequestHeader('X-Telemetry-ID', session_id);

Step 5: Pulling your fingerprinting data

If you're using Collection only, you'll need to pull the data that Stytch collects.

To do this you'll use our Lookup endpoint; as part of your Device Fingerprinting onboarding, we'll send over instructions on how to use our Lookup endpoint and some sample responses that you'll receive.

Step 6: Tying it all together

If you went with Collection only, you now have all of the data you need for your fraud risk team to build smart decisioning models based on the data that you receive from Stytch.

If you went with Collection and decisioning, your backend should be receiving Stytch decisions on each user and device going through your login flow. You can now decide where to introduce friction or outright block suspected bad actors quickly and easily.

Any feedback? We'd love to hear it! Reach out to



Get beta access

Strong CAPTCHA offers a modern take on traditional CAPTCHA that thwarts bots by completely revamping the public key pattern that is susceptible to bad actors. Strong CAPTCHA works by loading an incredibly thin remote client that allows your user to solve the CAPTCHA, but ensures that bot farms are incapable of attacking your app.


You are in control of determing when a user is prompted with Strong CAPTCHA. We recommend using Strong CAPTCHA when a user is attempting to login from a suspicious device (check out Device Fingerprinting above) or about to take an action that carries a high risk of fraud (e.g. collecting a sign up bonus).


Due to the sensitive and highly customized nature of Strong CAPTCHA, we do not publish a public implementation guide. Instead our team will walk you through implementation step-by-step.

Get in touch with our team to learn how to integrate Strong CAPTCHA into your app here.