Skip to main content

Client SDK Embed

The BotShield Client SDK is a lightweight web component (<botshield-verify>) that merchants embed directly on their pages to gate checkout, cart, and other sensitive flows behind human presence verification. CDN: https://cdn.botshield.ai/sdk.js (~9KB minified)
The Client SDK requires a site key (pk_live_...), which you create in the BotShield Partner Dashboard under Settings > Site Keys.

Two Integration Modes

Web Component

Active human verification via BotShield passkey flow. User clicks the widget, completes a passkey challenge, and receives a signed verification token.

Signal Pixel

Passive signal collection. Enable signals="true" on the web component to run edge scoring and behavioral fingerprinting silently. Low-risk traffic passes automatically; high-risk is escalated.

How It Works

Web Component Flow

1. Merchant page loads <botshield-verify>
2. User clicks "Verify human presence"
3. BotShield verification opens (new tab)
4. User completes passkey challenge
5. Widget updates to "Human presence verified"
6. onsuccess callback fires with signed token
7. Merchant server validates token

Signal Pixel Flow

1. Merchant page loads <botshield-verify signals="true">
2. Cloudflare edge scores the request (ASN, TLS, headers)
3. Component runs behavioral fingerprint (canvas, WebGL, mouse, timing)
4. Combined score determines pass/fail
5. Events deliver result to your code

Quick Start

<!-- Load the SDK -->
<script src="https://cdn.botshield.ai/sdk.js"></script>

<!-- Add the verification widget -->
<botshield-verify
  site-key="pk_live_YOUR_SITE_KEY"
  theme="auto"
  onsuccess="onBotShieldVerified"
  onfailure="onBotShieldFailed"
></botshield-verify>

<script>
  function onBotShieldVerified({ token }) {
    // Human verified -- enable checkout
    document.querySelector('[name=checkout]').disabled = false;

    // Send token to your server for validation
    fetch('/api/verify-botshield', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ token }),
    });
  }

  function onBotShieldFailed({ reason }) {
    console.error('BotShield verification failed:', reason);
  }
</script>

When to Use Which Mode

ScenarioRecommended ModeWhy
Checkout protection (Shopify, WooCommerce)Web ComponentPasskey verification = highest assurance
Cart page gatingSignal PixelPassive, no user friction for low-risk traffic
High-value drops / limited releasesWeb ComponentEvery buyer must prove human presence
General bot screeningSignal PixelAutomated scoring filters most bots silently
API-driven integrationsServer SDKBackend-to-backend, no UI component

Site Keys

Site keys are public/secret key pairs created in the Partner Dashboard:
KeyPrefixWhere UsedCan Do
Public / Site Keypk_live_Frontend data-site-keyIdentify merchant, safe to expose
Secret Keysk_live_Backend / server onlyVerify tokens, call management API
  • pk_test_ / sk_test_ for sandbox environments
  • pk_live_ / sk_live_ for production
  • Public keys are domain-locked at creation (stolen keys are unusable on other domains)
Create and manage site keys at Settings > Site Keys in the Partner Dashboard.

Next Steps

Web Component Reference

Full attribute API, events, states, and integration examples

Signal Pixel Reference

Bot scoring details, signal collection, and configuration

Try in Playground

Test both modes live in the Partner Dashboard playground

Source Code

View the SDK source on GitHub