What is BotShield?

BotShield attests one truth: whether a human is present for a specific action. Verification is:
  • Action-scoped — tied only to the specific operation being performed or enforced
  • On-demand — invoked only when and where the platform desires verification
  • Non-replayable — attestations expire after use or TTL
  • Hardware-backed — secured by OS-level device authentication
  • Privacy-preserving — no identity collection or behavioral tracking
BotShield produces a cryptographically verifiable attestation that platforms can consume alongside existing signals to allow, deny, or escalate the action. It functions as a definitive human confirmation layer within a broader security stack. BotShield attests. Platforms enforce.

How BotShield Fits in a Security Stack

It is typically deployed as:
  • Step-up verification when automated defenses flag uncertainty
  • A final checkpoint before high-value actions are approved
  • A low-friction alternative to challenge-based verification
  • An independent human confirmation signal for risk engines
BotShield operates alongside existing protections and does not require removal of CAPTCHA, device fingerprinting, behavioral analysis, or fraud detection systems.

Availability

BotShield is available as a private SDK for qualified partners.

Access is provided through a developer onboarding process. Approved integrations receive API credentials, implementation guidance, and deployment support.
BotShield is not distributed as a public self-service download. ➡️ To begin integration, request developer access through the BotShield Pilot Program.
BotShield is for security-sensitive infrastructure; controlled distribution is required. Access to the SDK is provisioned only to approved partners.

Key Features

Human Presence Verification

Each verification returns a verdict (pass or require_presence) and a reason — your server branches on the pair to drive enforcement

Action-Scoped Verification

Verification is scoped to the specific action or security flow

Hardware-Backed Security

Requires device passcode security at minimum for valid attestations

Anonymous By Design

Verifies human presence without identity, data collection, or persistent tracking

How It Works

BotShield integrates into your platform’s critical actions via a REST API:
  1. Your server creates a session using your API key
  2. Your server creates a verification link for the user’s action
  3. The user opens BotShield via deep link, web URL, or QR code
  4. BotShield verifies presence using device biometrics (Passcode / Face ID / Touch ID)
  5. A signed verification token is returned to your server via webhook or polling. The token’s claims describe the user, device, and verification context — but BotShield’s internal trust state is never embedded in your contract.
  6. Your server validates the token via sdk/verify-token and applies its own policy based on the returned verdict
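A sketch of the platform-side policy in step 6, added here as an example and not taken from BotShield's SDK or documentation. It assumes the token has already been validated via sdk/verify-token and that the result is available as a dict. Only the verdict values pass and require_presence and the existence of a reason come from this page; the field names action, expires_at and token_id, the class name PresenceGate and the decision labels are hypothetical.

```python
import time

class PresenceGate:
    """Applies platform policy to an already validated verify-token result.

    Hypothetical result fields (not from the BotShield docs):
    action, expires_at (epoch seconds), token_id.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        # token_id -> expires_at; in production this would be a shared store
        self._used = {}

    def decide(self, result, expected_action):
        now = self._clock()
        # Forget consumed tokens once they have expired; they fail the TTL check anyway
        self._used = {t: exp for t, exp in self._used.items() if exp > now}

        verdict = result.get("verdict")
        reason = result.get("reason", "")
        if verdict == "require_presence":
            return ("escalate", reason)           # step up, do not approve yet
        if verdict != "pass":
            return ("deny", "unknown_verdict")    # fail closed on anything unexpected

        # Action-scoped: a pass for one operation must not approve another
        if result.get("action") != expected_action:
            return ("deny", "action_mismatch")

        # TTL: reject attestations that are missing an expiry or are past it
        expires_at = result.get("expires_at")
        if not isinstance(expires_at, (int, float)) or expires_at <= now:
            return ("deny", "expired")

        # Non-replayable: each attestation approves at most one action
        token_id = result.get("token_id")
        if not token_id:
            return ("deny", "missing_token_id")
        if token_id in self._used:
            return ("deny", "replayed")
        self._used[token_id] = expires_at
        return ("allow", reason)
```

The single-use cache has to be shared across all servers that handle the action, otherwise a token consumed on one node can still be replayed against another.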

Use Cases

BotShield is ideal for:
  • Limited-access drops — Ensure fair access for real customers
  • Ticket purchasing — Prevent bot corruption of ticket sales
  • High-value actions — Protect critical transactions
  • Account recovery — Verify presence during sensitive operations
  • Digital agreement execution — Confirm human presence for consent
  • Public posting actions — Reduce spam and abuse

Next Steps

Quick Start

Integrate BotShield in minutes using the REST API

Request Developer Access

Apply for API credentials to start integrating