Skip to main content

Rollout checklist

Before enforcing verdicts in production, follow this sequence:

1. Report-only mode

Start by logging verdicts without blocking anyone. This lets you understand your traffic baseline. 
const { safeVerifyTripwireToken } = require('@abxy/tripwire-server');

app.post('/signup', async (req, res) => {
  const result = safeVerifyTripwireToken(
    req.body.sealedToken,
    process.env.TRIPWIRE_SECRET_KEY,
  );

  // Log but don't block
  if (result.ok) {
    console.log('Tripwire verdict:', result.data.decision.verdict, 'score:', result.data.decision.risk_score);
  }

  // Continue with signup regardless
  createAccount(req.body);
});

2. Soft challenge

After a week of report-only data, add friction for suspicious sessions:
  • Show a CAPTCHA for inconclusive verdicts
  • Add email verification for bot verdicts
  • Let human verdicts through without friction

3. Hard enforcement

Once you’re confident in the signal quality:
  • Block bot verdicts outright
  • Challenge inconclusive verdicts
  • Pass human verdicts through

Monitoring

Track these metrics in your dashboard:
  • Verdict distribution — what % of traffic is human/bot/inconclusive?
  • False positive rate — are real users being flagged?
  • Block rate — how many sessions are you blocking?

What’s next