Overview

There are three main steps:
  1. Document your use case and implementation plan
  2. Ensure you’ve completed important integration steps
  3. Run in production in observation mode
You don’t need to do these in this exact order, but we recommend that you complete these three steps before enforcing decisions on your production traffic.
This checklist is also available as a fillable spreadsheet. To request a copy, email support@stytch.com or contact your account team.

Document your use case and implementation plan

You’ll want to define the problem, plan key decisions about your integration, and define outcomes. Documenting these will help you understand business goals and related design decisions, enabling you to revise them over time if needed.

Define the problem

  • What is the fraud or abuse problem we are trying to solve?
  • How does the attacker benefit?

Key integration decisions

Outcomes

  • What are key metrics and indicators of success?
  • How will you handle users who report issues?
  • How will you ensure a user-reported issue is not itself a social engineering attack (for example, an attacker asking you to lift a block on a device you correctly flagged)?

Ensure you’ve completed important integration steps

You’ll want to complete the following steps before running in production:
  1. Set up custom domains to reduce ad-blocker interference.
  2. If using the API:
    1. Consider adding external metadata (such as a user or session identifier) for additional context.
    2. Test your integration, including properly handling non-200 responses so that a lookup failure does not break your request path.
    3. If you’re using Protected Auth, these steps are handled for you automatically.
  3. Review privacy & compliance considerations.

Run Observation mode in production

When you’re ready, you can collect fingerprints and verdicts in production without taking action. This is valuable because you can observe traffic and predicted actions to ensure they look correct, without disrupting your live users. You can view Fingerprint Lookup results from the last 30 days in the Dashboard. For Protected Auth:
  • Set your Connection type to Observation mode to collect data without blocking any requests.
For the API:
  • Call the Lookup API without taking any enforcement action on the result.
  • You can also log results to your preferred observability or analytics platform.

Next steps

Once you’ve completed the three steps above and confirmed the observation results look reasonable, you can start enforcing your decisions. For Protected Auth:
  • Switch to Enforcement mode.
For the API:
  • Change your code (or feature flag, etc.) to enforce decisions based on your plan.
Now, you’re protecting your application and users with Device Fingerprinting!
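The observation-then-enforcement rollout above, as an added example that is not Stytch's own SDK or documentation code: a small wrapper that calls a lookup function, records every verdict for your observability platform, treats non-200 responses explicitly, and only acts on the verdict once a feature flag switches it into enforcement mode. The response shape (`{"verdict": {"action": ...}}`), the action values `ALLOW`/`CHALLENGE`/`BLOCK`, the `external_metadata` parameter and the sample responses in `fake_lookup` are assumptions constructed for the example, not verified API shapes; substitute your real lookup call for `fake_lookup`.

```python
"""Observation-vs-enforcement wrapper around a fingerprint lookup call.

Added example, not Stytch SDK code. Assumptions (not verified API shapes):
the lookup call returns (http_status, json_body) and a 200 body contains
{"verdict": {"action": "ALLOW" | "CHALLENGE" | "BLOCK"}}.
"""
import json
import logging
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

logger = logging.getLogger("fingerprint")

# A lookup function takes a telemetry id and optional external metadata
# and returns (status_code, response_body).
LookupFn = Callable[[str, Optional[dict]], Tuple[int, dict]]


@dataclass
class FingerprintGate:
    lookup: LookupFn
    enforce: bool = False                  # feature flag: False = observation mode
    fail_open_when_enforcing: bool = True  # behaviour on non-200 while enforcing
    records: List[dict] = field(default_factory=list)  # stand-in for your analytics sink

    def decide(self, telemetry_id: str, external_metadata: Optional[dict] = None) -> str:
        """Return the action the application should take: ALLOW, CHALLENGE or BLOCK.

        In observation mode the verdict is recorded but never acted on, so the
        result is always ALLOW. Non-200 responses and transport errors are
        recorded and resolved by the fail-open setting instead of raising
        into the request path.
        """
        try:
            status, body = self.lookup(telemetry_id, external_metadata)
        except Exception as exc:  # timeout, DNS failure, connection reset, ...
            status, body = 0, {"error": repr(exc)}

        if status == 200:
            predicted = body.get("verdict", {}).get("action", "UNKNOWN")
        else:
            predicted = "UNKNOWN"

        # One structured record per lookup: this is what you review in
        # observation mode before trusting the verdicts.
        record = {
            "telemetry_id": telemetry_id,
            "status": status,
            "predicted_action": predicted,
            "mode": "enforce" if self.enforce else "observe",
            "external_metadata": external_metadata or {},
        }
        self.records.append(record)
        logger.info(json.dumps(record))

        if not self.enforce:
            return "ALLOW"
        if status != 200 or predicted == "UNKNOWN":
            return "ALLOW" if self.fail_open_when_enforcing else "BLOCK"
        return predicted


# Constructed sample responses standing in for the real lookup service.
def fake_lookup(telemetry_id: str, external_metadata: Optional[dict] = None) -> Tuple[int, dict]:
    table = {
        "tid-good": (200, {"verdict": {"action": "ALLOW"}}),
        "tid-bad": (200, {"verdict": {"action": "BLOCK"}}),
        "tid-challenge": (200, {"verdict": {"action": "CHALLENGE"}}),
        "tid-expired": (404, {"error": "telemetry_id not found"}),
    }
    return table.get(telemetry_id, (500, {"error": "internal"}))


def run_demo() -> dict:
    """Same traffic through an observing gate and an enforcing gate."""
    observe = FingerprintGate(lookup=fake_lookup, enforce=False)
    enforce = FingerprintGate(lookup=fake_lookup, enforce=True)
    return {
        "observe_bad": observe.decide("tid-bad"),            # ALLOW: recorded, not acted on
        "observe_expired": observe.decide("tid-expired"),    # ALLOW: non-200 recorded
        "enforce_bad": enforce.decide("tid-bad"),            # BLOCK: verdict applied
        "enforce_expired": enforce.decide("tid-expired", {"user_id": "u-123"}),  # ALLOW: fail open
        "observed_records": observe.records,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Flipping `enforce` is the "change your code (or feature flag)" step; until then the gate's records are the data you compare against real traffic. Decide `fail_open_when_enforcing` deliberately per endpoint: failing open keeps a lookup outage from locking out legitimate users, failing closed is the safer choice for high-value actions where a missing verdict should not be treated as a pass.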