Server verification

Tripwire is designed around backend verification. The browser sends your backend a fresh { sessionId, sealedToken } handoff, and your backend decides whether to allow, challenge, throttle, or block the action.

Recommended flow

Start Tripwire early

Initialize the browser client on page load so collection begins before the user reaches the protected action.

Request a fresh session handoff

Right before signup, checkout, login, or another sensitive action, call tripwire.getSession().

Submit the handoff with the business action

Send { sessionId, sealedToken } to your backend alongside your normal payload.

Verify on the server

Use the SDK to verify the sealed token locally with your secret key.

Apply policy

Allow, challenge, rate-limit, or block based on the verdict.

Browser handoff

<script type="module">
  const { sessionId, sealedToken } = await tripwire.getSession();

  await fetch("/api/signup", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      ...formData,
      tripwire: { sessionId, sealedToken },
    }),
  });
</script>

Verify the sealed token

The primary verification path. Local, fast, no network call to Tripwire.

const { safeVerifyTripwireToken } = require("@abxy/tripwire-server");

app.post("/api/signup", (req, res) => {
  const result = safeVerifyTripwireToken(
    req.body.tripwire.sealedToken,
    process.env.TRIPWIRE_SECRET_KEY,
  );

  if (!result.ok) {
    return res.status(500).json({ error: "Verification failed" });
  }

  console.log(result.data.decision.verdict);    // "human", "bot", or "inconclusive"
  console.log(result.data.decision.risk_score); // 0–100
  console.log(result.data.session_id);

  if (result.data.decision.verdict === "bot") {
    return res.status(403).json({ error: "Blocked" });
  }

  // Proceed with the action
});

Alternative: durable session readback

If you prefer to fetch the full session from the API (useful for async or audit workflows):

const resp = await fetch(
  `https://api.tripwirejs.com/v1/sessions/${sessionId}`,
  { headers: { Authorization: `Bearer ${process.env.TRIPWIRE_SECRET_KEY}` } }
);
const session = await resp.json();

console.log(session.data.decision.automation_status); // "none", "automated", "inconclusive"
console.log(session.data.decision.risk_score);        // 0.0 – 1.0

Key fields in the durable session response:

Field	Description
`decision.automation_status`	`none`, `automated`, or `inconclusive`
`decision.risk_score`	0.0 (human) to 1.0 (bot)
`decision.evaluation_phase`	`snapshot` or `behavioral`
`decision.decision_status`	`preliminary` or `final`
`highlights`	Top signals that influenced the decision
`automation`	Detected automation framework details
`visitor_fingerprint`	Durable device identifier

Policy patterns

Pattern	When to use	Example
Report only	First week of integration	Log verdicts, don’t block anyone
Soft challenge	`inconclusive` on sensitive endpoints	Show CAPTCHA or require email verification
Hard block	`bot` on signup, checkout, scraping	Return 403 immediately
Rate control	Repeated fingerprints	Slow down instead of blocking

Start in report-only mode. Once you understand your traffic’s verdict distribution, gradually enable enforcement.

What’s next

Testing your integration — simulate bot traffic and debug
Going to production — rollout checklist
Verdicts & scoring — understand what scores mean
Sessions API — full API reference

Overview

Get started

Integrate

Use cases

Learn

Get started

Integrate

Resources

Server verification

Recommended flow

Browser handoff

Verify the sealed token

Alternative: durable session readback

Policy patterns

What’s next

Overview

Get started

Integrate

Use cases

Learn

Get started

Integrate

Resources

​Recommended flow

​Browser handoff

​Verify the sealed token

​Alternative: durable session readback

​Policy patterns

​What’s next

Recommended flow

Browser handoff

Verify the sealed token

Alternative: durable session readback

Policy patterns

What’s next