BotShield Gate

BotShield Gate is a reverse-proxy gateway that sits in front of your website and verifies human presence before granting access. No CAPTCHA puzzles, no tracking, no personal data collected.
BotShield Gate is available to all partners with an active BotShield account. Configure it directly from your Partner Dashboard.

How It Works

  1. A visitor navigates to your domain
  2. The gateway checks for a valid session
  3. No session — the visitor sees a verification page and completes a quick biometric check via the BotShield app
  4. Valid session — the request is transparently proxied to your origin server
Once verified, the visitor receives a secure, time-limited session. Subsequent requests pass through without interruption until the session expires.

Use Case: Protecting a Limited-Edition Drop

Imagine you run a sneaker shop at shop.kicksonly.com. You have a limited-edition release dropping Friday at noon, and past launches have been hammered by bots — inventory sells out in seconds, real customers get nothing, and your support inbox fills with complaints. With BotShield Gate:
  1. You point shop.kicksonly.com through BotShield Gate
  2. Before the drop, every visitor completes a one-time biometric verification (Face ID / Touch ID via the BotShield app)
  3. Verified humans get a session and browse your store normally
  4. Bots, scripts, and headless browsers can’t pass verification — they never reach your storefront
  5. When the drop goes live, only real humans are in the queue
The result: your limited inventory goes to real customers. No CAPTCHA friction, no account creation walls, no PII collected. Visitors verify once and shop freely for the duration of their session. This same pattern works for:
  • Ticket sales — prevent bot scalping for concerts and events
  • Flash sales — ensure fair access during time-limited promotions
  • Membership portals — gate access to exclusive content or communities
  • Waitlist launches — verify humans before granting early access
  • Any high-demand page — protect landing pages from automated traffic

Deployment Options

BotShield Gate offers two ways to deploy, depending on how much control you need.

Managed Gateway

The managed gateway is the fastest path to protection. You configure everything from your BotShield Partner Dashboard — no code required.

Setup

  1. Add your domain
     In your Partner Dashboard, navigate to Storefront Gate and enter:
       • Public host — the domain your customers visit (e.g. shop.kicksonly.com)
       • Origin host — where your actual server lives (e.g. origin.kicksonly.com)
  2. Configure DNS
     Add two DNS records at your domain registrar:

     Type    Name                    Value
     CNAME   shop.kicksonly.com      gateway.botshield.ai
     TXT     (shown in dashboard)    (shown in dashboard)

     The TXT record proves domain ownership. Both records are displayed in your dashboard after creating the gate.
  3. Wait for activation
     BotShield provisions an SSL certificate and validates your domain automatically. The dashboard shows real-time status:
       • Pending validation — DNS records detected, SSL provisioning in progress
       • Active — gate is live and protecting your domain
     DNS propagation typically takes a few minutes but can take up to 24 hours depending on your registrar. The dashboard auto-refreshes status every 10 seconds while pending.
  4. Enable protection
     Once the domain is active, toggle Gate Protection to on. Your storefront is now protected.

Protection Modes

Mode       Session Duration   Best For
Standard   30 — 60 minutes    General storefront protection, browsing-heavy sites
Drop       3 — 10 minutes     High-demand launches, flash sales, limited-edition releases

You can switch modes at any time from the dashboard. Drop mode uses shorter sessions to ensure presence is re-verified more frequently during high-stakes events.

Managing Your Gate

From the dashboard you can:
  • Toggle protection on/off — disable the gate without removing DNS records (useful for maintenance)
  • Switch modes — change between Standard and Drop mode instantly
  • Monitor status — see domain and SSL status in real time
  • Delete — remove the gate entirely and restore direct access to your origin

Session Security

BotShield Gate sessions are designed to be secure and tamper-proof:
  • Cryptographically signed — session tokens use HS256 JWT signatures that cannot be forged
  • Time-limited — sessions expire automatically based on your chosen mode
  • HttpOnly cookies — session tokens cannot be read or modified by client-side JavaScript
  • Single-domain — tokens are validated against the specific hostname they were issued for
  • No PII — the session contains no personal information about the visitor
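
The signature, expiry and hostname checks listed above, as an added example that is not BotShield's own code: a standard-library HS256 token issued and verified with the algorithm pinned on the server side. The claim names `aud` and `exp`, the helper names, the secret and the timestamps are assumptions constructed for illustration; because HS256 is a symmetric HMAC, the guarantee holds only while the signing secret stays private.

```python
import base64, hashlib, hmac, json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue(secret: bytes, host: str, ttl: int, now: int) -> str:
    # Claim names "aud"/"exp" are assumptions; the payload carries no visitor data.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps({"aud": host.lower(), "exp": now + ttl}).encode())
    return f"{header}.{body}.{b64url_encode(sign(secret, f'{header}.{body}'))}"

def verify(token: str, secret: bytes, host: str, now: int) -> str:  # "ok" or reason
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return "malformed"
    # Pin the algorithm server-side; never accept the token's own choice.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return "bad-alg"
    if not hmac.compare_digest(sig, sign(secret, f"{header_b64}.{body_b64}")):
        return "bad-signature"
    claims = json.loads(b64url_decode(body_b64))  # parsed only after the MAC checks out
    if claims.get("aud") != host.lower():
        return "wrong-host"
    if now >= claims.get("exp", 0):
        return "expired"
    return "ok"

def demo() -> dict:
    secret, now, host = b"constructed-demo-secret", 1_700_000_000, "shop.kicksonly.com"
    token = issue(secret, host, 600, now)  # 600 s = upper end of Drop mode
    h, _, s = token.split(".")
    altered = b64url_encode(json.dumps({"aud": host, "exp": now + 86_400}).encode())
    return {
        "fresh": verify(token, secret, host, now + 60),
        "after_expiry": verify(token, secret, host, now + 600),
        "other_host": verify(token, secret, "tickets.example.com", now + 60),
        "altered_exp": verify(f"{h}.{altered}.{s}", secret, host, now + 60),
    }
```

The order matters: the payload is parsed only after the signature verifies, and the expected hostname comes from the request being served, not from the token.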

What Gets Protected

The gate applies to all requests to your public domain. Once a visitor has a valid session, all subsequent requests (pages, API calls, assets) are proxied transparently to your origin with no added latency.
If you need fine-grained control over which paths require verification (e.g. skip the gate for /api/* or static assets), use the self-hosted gateway which supports path-based allowlists.

Next Steps