Skip to main content

Documentation Index

Fetch the complete documentation index at: https://tripwirejs.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Before you start:
  • Import t.js from https://cdn.tripwirejs.com.
  • Use a publishable key (pk_*) in the browser and a secret key (sk_*) on your backend.
  • Keep the secret key server-side only.
  • The browser never receives Tripwire verdicts, scores, or visitor IDs.

1. Install the server SDK

npm install @abxy/tripwire-server

2. Load the browser client

Start the client as early as possible on your page. Keep the returned promise for later use. 
<script type="module">
  const tripwirePromise = import("https://cdn.tripwirejs.com/t.js")
    .then((Tripwire) =>
      Tripwire.start({
        publishableKey: "pk_live_your_publishable_key",
      }),
    );

  async function setupTripwire() {
    const tripwire = await tripwirePromise;
    tripwire.onError((error) => {
      console.error("Tripwire error", error.code, error.message);
    });

    // Optional: resolve early if you want fingerprinting ready before the action
    void tripwire.waitForFingerprint().catch(console.error);
  }

  setupTripwire().catch(console.error);
</script>

3. Get a session at action time

Right before signup, login, checkout, or another sensitive action, request a sealed handoff and send it to your backend. 
<script type="module">
  const tripwire = await tripwirePromise;

  async function submitSignup(formData) {
    const { sessionId, sealedToken } = await tripwire.getSession();

    const response = await fetch("/api/signup", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({
        ...formData,
        tripwire: { sessionId, sealedToken },
      }),
    });

    return response.json();
  }
</script>

4. Verify on your backend

Verify the sealed token with your secret key. This is a local operation — no network call to Tripwire. 
const { safeVerifyTripwireToken } = require("@abxy/tripwire-server");

app.post("/api/signup", async (req, res) => {
  const result = safeVerifyTripwireToken(
    req.body.tripwire.sealedToken,
    process.env.TRIPWIRE_SECRET_KEY,
  );

  if (!result.ok || result.data.decision.verdict === "bot") {
    return res.status(403).json({ error: "Blocked" });
  }

  // Proceed with signup
  createAccount(req.body);
  res.json({ success: true });
});

5. Apply policy

Use the verdict to decide what to do:
VerdictAction
humanAllow the request
inconclusiveChallenge (CAPTCHA, email verification)
botBlock or rate-limit
Start in report-only mode (log verdicts without blocking) to understand your traffic before enforcing.

What’s next

Browser SDK

Full SDK API reference

Server verification

Advanced verification patterns

Testing

Test your integration with bot traffic

Going to production

Rollout checklist and monitoring