Go-live checklist
This guide provides a checklist of recommended steps to take before enforcing decisions on your production traffic.
There are three main steps:
- Document your use case and implementation plan
- Ensure you've completed important integration steps
- Run in production in observation mode
You don't need to do these in this exact order, but we recommend that you complete these three steps before enforcing decisions on your production traffic.
Document your use case and implementation plan
You'll want to define the problem, plan key decisions about your integration, and define outcomes. Documenting these will help you understand business goals and related design decisions, enabling you to revise them over time if needed.
Defining the problem:
- What is the fraud or abuse problem we are trying to solve?
- How does the attacker benefit?
Key integration decisions:
- Are you using Device Fingerprinting standalone (via the API), or using Protected Auth?
- If using Protected Auth, how will you handle challenges?
- If using the standalone API:
- What actions will you fingerprint?
- What are the high-level decisioning and enforcement processes?
- Will you use Rules or Verdict Reason Overrides to customize your decisioning?
Outcomes:
- What are key metrics and indicators of success?
- How will you handle users who report issues? How will you ensure a user-reported issue is not a social engineering attack?
Ensure you've completed important integration steps
While you can get started with Device Fingerprinting in under one hour, you'll want to complete the following steps before running in production.
- Set up custom domains to reduce ad-blocker interference.
- If using the standalone API:
- Consider adding external metadata for additional context.
- Test your integration, including properly handling non-200 responses.
- If you're using Protected Auth, these are already handled for you.
- Review privacy and compliance considerations.
Run in production in observation mode
When you're ready, you can collect fingerprints and verdicts in production without taking action. This is valuable because you can observe traffic and predicted actions to ensure they look correct, without disrupting your live users. You can view Fingerprint Lookup results from the last 30 days in the Stytch Dashboard.
- If you're using Protected Auth, set your Frontend SDK configuration to Observation mode to collect data without blocking any requests.
- If you're using Device Fingerprinting with the standalone API, call the Lookup API without taking any enforcement action on the result.
- You can also log results to your preferred observability or analytics platform.
Next steps
Once you've completed the three steps above and confirmed the observation results look reasonable, you can start enforcing your decisions.
- If you're using Protected Auth, switch to Enforcement mode.
- If you're using the standalone API, change your code (or feature flag, etc.) to enforce decisions based on your plan.
Now, you're protecting your application and users with Stytch Device Fingerprinting!
Want to try Device Fingerprinting for your project?
Get started with a free trial