# Protected Auth

> Stytch's combined solution for authentication and fraud prevention.

## Overview

Protected Auth is a ready-made solution in Stytch's frontend & mobile SDKs that seamlessly integrates with [Device Fingerprinting](/fraud-risk/device-fingerprinting/overview) to detect and stop fraud, such as credential stuffing attacks.

When Protected Auth is enabled, the SDK automatically generates a Telemetry ID before an API call and includes the Telemetry ID in the Stytch API request. The API verifies the fingerprint verdict before authenticating the request and handles the backend integration.

### Scenario: Credential stuffing

Protected Auth will stop the attack by detecting signs of browser automation or scripting. The attacker sees only failed authentication attempts and cannot tell whether a request failed because of a failed fingerprint check or an incorrect password.

***

## Configuring Protected Auth

Protected Auth requires no code changes and is enabled from the [Dashboard](https://stytch.com/dashboard/sdk-configuration).

* Follow our [Get started](/fraud-risk/get-started/using-protected-auth) guide to enabling Protected Auth.

### Connection type modes

There are two modes for Protected Auth:

* **Observation mode:** Generates and submits fingerprints to the API, but the API will **not** enforce any action.
* **Enforcement mode:** The API will react to each fingerprint lookup triggered by the SDK based on the verdict.

### Handling challenge verdicts

`BLOCK` verdicts are a clear sign that traffic should be blocked. But in cases where it is unclear if the request is malicious, `CHALLENGE` verdicts are returned.

You can configure how Protected Auth handles challenge verdicts:

* See [Challenge verdict](/fraud-risk/device-fingerprinting/verdict/challenge) to learn more about your options: Allow, Block, or Trigger CAPTCHA.

<Note>
  By default, the API treats a `CHALLENGE` verdict as if it were an `ALLOW` verdict and continues the request.
</Note>

### CAPTCHA behavior

If you've configured a [CAPTCHA key](/api-reference/consumer/frontend-sdks/react/resources/captcha#configuration) in the Dashboard, the behavior will depend on how Protected Auth is configured:

* If Protected Auth is in **Observation mode** or disabled, a CAPTCHA check will be run on *every* frontend SDK request.
* If Protected Auth is in **Enforcement mode** *and* configured to trigger CAPTCHA on `CHALLENGE`s, a CAPTCHA check will only be run upon a `CHALLENGE` verdict.
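The mode, challenge action and CAPTCHA key interact, so it helps to model them together and list which non-`ALLOW` verdicts still reach authentication unchecked. The following is an added example, not Stytch SDK or API code; every name in it (`resolveRequest`, `onChallenge`, `hasCaptchaKey`, `verdictsThatProceedUnchecked`) is hypothetical. It assumes that triggering CAPTCHA needs a configured key and that, in Enforcement mode, a key without the CAPTCHA challenge action runs no CAPTCHA, since the page does not describe those combinations.

```javascript
// Added model of the behaviour this page describes; not Stytch SDK or API code.
// All names here (resolveRequest, onChallenge, hasCaptchaKey, ...) are hypothetical.
const MODES = ["disabled", "observation", "enforcement"];
const VERDICTS = ["ALLOW", "CHALLENGE", "BLOCK"];
const CHALLENGE_ACTIONS = ["allow", "block", "captcha"];

function resolveRequest({ mode, verdict, onChallenge = "allow", hasCaptchaKey = false }) {
  if (!MODES.includes(mode)) throw new Error(`unknown mode: ${mode}`);
  if (!CHALLENGE_ACTIONS.includes(onChallenge)) throw new Error(`unknown action: ${onChallenge}`);

  // Disabled or Observation mode: no verdict is enforced, and a configured
  // CAPTCHA key means a CAPTCHA check on every frontend SDK request.
  if (mode !== "enforcement") {
    return { enforced: false, outcome: hasCaptchaKey ? "captcha" : "proceed" };
  }
  if (!VERDICTS.includes(verdict)) throw new Error(`unknown verdict: ${verdict}`);

  if (verdict === "BLOCK") return { enforced: true, outcome: "blocked" };
  // Assumption: a CAPTCHA key alone adds no CAPTCHA to ALLOW in Enforcement mode.
  if (verdict === "ALLOW") return { enforced: true, outcome: "proceed" };

  // CHALLENGE: follows the configured action; the default continues as ALLOW.
  if (onChallenge === "block") return { enforced: true, outcome: "blocked" };
  if (onChallenge === "captcha") {
    // Assumption of this model: triggering CAPTCHA needs a configured key.
    if (!hasCaptchaKey) throw new Error("CAPTCHA action set without a CAPTCHA key");
    return { enforced: true, outcome: "captcha" };
  }
  return { enforced: true, outcome: "proceed" };
}

// Which non-ALLOW verdicts reach authentication with no block and no CAPTCHA?
function verdictsThatProceedUnchecked(config) {
  return VERDICTS.filter(
    (v) => v !== "ALLOW" && resolveRequest({ ...config, verdict: v }).outcome === "proceed"
  );
}

// Constructed configurations for illustration.
console.log(verdictsThatProceedUnchecked({ mode: "observation" }));
console.log(verdictsThatProceedUnchecked({ mode: "enforcement" }));
console.log(
  verdictsThatProceedUnchecked({ mode: "enforcement", onChallenge: "captcha", hasCaptchaKey: true })
);
```

An empty result means every `CHALLENGE` and `BLOCK` verdict is either blocked or gated by CAPTCHA under that configuration.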

***

## Protected methods

These methods will collect fingerprints and, when in *Enforcement mode*, prevent actions if a fingerprint receives a `BLOCK` verdict:

### Consumer

<Columns cols={2}>
  <Columns cols={1}>
    * `stytch.biometrics.authenticate`
    * `stytch.cryptoWallets.authenticate`
    * `stytch.impersonation.authenticate`
    * `stytch.magicLinks.email.loginOrCreate`
    * `stytch.magicLinks.email.send`
    * `stytch.otps.authenticate`
    * `stytch.otps.email.loginOrCreate`
    * `stytch.otps.sms.loginOrCreate`
    * `stytch.otps.sms.send`
    * `stytch.otps.whatsapp.loginOrCreate`
    * `stytch.otps.whatsapp.send`
  </Columns>

  <Columns cols={1}>
    * `stytch.passwords.authenticate`
    * `stytch.passwords.create`
    * `stytch.passwords.resetByEmail`
    * `stytch.passwords.resetByEmailStart`
    * `stytch.passwords.resetByExistingPassword`
    * `stytch.passwords.resetBySession`
    * `stytch.totps.authenticate`
    * `stytch.totps.recover`
    * `stytch.webauthn.authenticate`
  </Columns>
</Columns>

### Multi-tenant / B2B

<Columns cols={2}>
  <Columns cols={1}>
    * `stytch.impersonation.authenticate`
    * `stytch.magicLinks.authenticate`
    * `stytch.magicLinks.discovery.authenticate`
    * `stytch.magicLinks.email.discovery.send`
    * `stytch.oauth.authenticate`
    * `stytch.oauth.discovery.authenticate`
    * `stytch.otps.email.authenticate`
    * `stytch.otps.email.discovery.authenticate`
    * `stytch.otps.email.discovery.send`
    * `stytch.otps.email.loginOrSignup`
    * `stytch.otps.sms.authenticate`
    * `stytch.otps.sms.send`
    * `stytch.passwords.authenticate`
  </Columns>

  <Columns cols={1}>
    * `stytch.passwords.discovery.authenticate`
    * `stytch.passwords.discovery.resetByEmail`
    * `stytch.passwords.discovery.resetByEmailStart`
    * `stytch.passwords.resetByEmail`
    * `stytch.passwords.resetByEmailStart`
    * `stytch.passwords.resetByExistingPassword`
    * `stytch.passwords.resetBySession`
    * `stytch.recoveryCodes.recover`
    * `stytch.recoveryCodes.rotate`
    * `stytch.sso.authenticate`
    * `stytch.totp.authenticate`
    * `stytch.totp.create`
  </Columns>
</Columns>

***

## Next steps

<Columns cols={2}>
  <Card title="Get started with Protected Auth" icon="arrow-up-right" href="/fraud-risk/get-started/using-protected-auth">
    Follow our guide to setting up and using Protected Auth.
  </Card>
</Columns>
