Skip to main content

API Reference

BotShield provides two SDKs for integrating human presence verification:
  • Frontend SDK — Drop-in web component for your pages (cdn.botshield.ai/sdk.js)
  • Backend SDK — TypeScript/Node.js library for server-side validation (botshield-sdk on npm)
Get your API keys from the Partner Dashboard → Settings → API & Credentials.

Install

<script src="https://cdn.botshield.ai/sdk.js"></script>
Then render the widget:
const widget = BotShield.render('#container', {
  siteKey: 'pk_live_YOUR_SITE_KEY',
  signals: true,
  onSuccess: ({ token, signal_token }) => {
    // Send to your backend for validation
    fetch('/api/verify', {
      method: 'POST',
      body: JSON.stringify({ token, signal_token }),
    });
  },
});
Or use the HTML element directly:
<botshield-verify
  site-key="pk_live_YOUR_SITE_KEY"
  signals="true"
  onsuccess="handleVerified"
></botshield-verify>

The Primary Output: Verdict + Reason

The verification flow returns a 2-field decision pair that drives partner enforcement. Both fields are surfaced via /signal/check, /signal/evaluate, and the embed component’s botshield:multipass-status event.
FieldValuesMeaning
verdictpassNo further verification needed — proceed with the gated action
verdictrequire_presenceRun the full Face ID / passkey flow
reasonmultipass_activePass on credential continuity (passkey + presence consent + valid TTL)
reasonpresence_freshPass on a fresh Face ID event (within the 5-minute lease window)
reasonmultipass_staleStandard scope, MultiPass freshness lapsed — verify again
reasonelevated_requires_presenceElevated scope always demands live proof, even if MultiPass is active
reasonno_resolutionUser isn’t identified — establish identity first
Partners branch on the pair. BotShield has no opinion on which actions require which scope — that is your policy decision. See Human Presence for the full reason enum and the standard/elevated scope canon.

Authentication

All backend SDK calls use your API key in the Authorization header: 
Authorization: Bearer bs_prod_your_key_here
Key TypePrefixPurpose
Productionbs_prod_Live verification with real users
Testbs_test_Development and testing

SDK Methods

Core Verification

Create Session

Get an anchor grant token to start creating verification requests.

Create Verification Link

Generate a verification request with deep link, web URL, and QR code.

Verify Token

Validate a verification receipt JWT. Returns the decoded claims.

Check Status

Poll verification status. Returns signed token when complete.

Signal Pixel

Store Signal

Store a Signal Pixel bot score server-side. Returns a tamper-proof signal token.

Validate Signal

Validate a signal token to get the real server-side bot score. One-time use.

Partner Config

Get enabled integrations (Turnstile, etc.) for a site key.

Session Management

Revoke Verification

Cancel a pending verification. Use when create-verification-link returns 409.

Revoke Session

Invalidate an anchor grant token.

Typical Flow

Error Handling

CodeMeaning
200Success
400Invalid or missing parameters
401Invalid or expired token
403Forbidden — includes rate-limit blocks (check errors[0].code === 'RATE_LIMITED', see Rate Limits)
409Duplicate pending verification — use revokeVerification() first
500Internal server error
{
  "error": {
    "message": "Description of what went wrong",
    "statusCode": 400
  }
}
For rate-limit specifics — per-key-type limits, the _rateLimit response envelope, and block behavior — see the Rate Limits page.

Next Steps