Setting rules with DFP

Stytch's Device Fingerprinting (DFP) allows you to create authorization rules which enable increased or reduced friction for previously fingerprinted instances. This is helpful in cases where you need to block or allow specific users.

In this guide, you'll learn how to set up rules with DFP. By the end, you'll have:

  • Called the Set Rule endpoint to apply an authoritzaion action on a specific fingerprint.
  • Removed the rule.

Before you start

In order to complete this guide, you'll need the following:

  • A Stytch project (either Consumer or B2B). If you don't have one already, in the Dashboard, click on your existing project name in the top left corner of the Dashboard, click Create a new project, and then select B2B Authentication or Consumer Authentication.

  • The project Test environment's project_id and secret from the API keys section. You'll need to pass these values into the Authorization request header for most Stytch API calls.
  • Device Fingerprinting enabled. If you don't have the product enabled, reach out to Stytch here.

Step 1: Acquire the fingerprint

First, you'll need either the visitor_id or browser_id fingerprint you want to set a rule for. These fingerprint IDs are generated by the Fingerprint Lookup endpoint from the Telemetry ID.

If you haven't already, check out this guide on how to set up DFP and generate fingerprints.

Step 2: Call the Set Rule endpoint

Next, you'll call the Set Rule endpoint with the following body parameters in the request:

  • The visitor_id or browser_id.
  • An action set to ALLOW, BLOCK, or CHALLENGE.
  • An optional expires_in_minutes set to a specified int.
curl --request POST \
  --url \
  --data '{
	"visitor_id": "visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72",
	"action": "BLOCK"

Upon a successful API call, in the example request above, the rule directs Stytch to BLOCK any fingerprint with a matching visitor_id from now on. Any future calls to Fingerprint Lookup endpoint involving this fingerprint will automatically return a BLOCK verdict with a reason of RULE_MATCH.

To learn more about the actions like BLOCK, ALLOW, or CHALLENGE, check out our DFP overview

You also have the option of providing a expires_in_minutes parameter if you need a rule to expire after a specified lifetime. Since expires_in_minutes was ommitted in our example request, the rule will be kept permanently.

Step 3: Remove the rule

To remove a rule you've set, call the same Set Rule endpoint with the following body parameters in the request:

  • The same visitor_id or browser_id from step 2.
  • An action set to NONE.
curl --request POST \
  --url \
  --data '{
	"visitor_id": "visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72",
	"action": "NONE"

What's next

To enable Device Fingerprinting for your project, please reach out to Stytch.

Contact sales