AI Agent Detection

Detect AI agents, bots, and automated browsers hitting your site using cside fingerprinting. Identify browser-use agents, headless automation, and crawler traffic from the Events API response.

AI agents and autonomous browsers now make up a growing share of web traffic. OpenAI Operator, Claude for Chrome, Perplexity Comet, Browserbase, and other agent frameworks drive real sessions through real browsers - so traditional User-Agent checks miss them. cside fingerprinting surfaces these visitors through the bot signal returned by the Events API.

What cside detects

The fingerprinting Events API returns a bot field for every identification call. It combines browser automation signals, environment tampering checks, and behavioural fingerprints to identify:

  • AI browser agents - autonomous agents driving a real browser (OpenAI Operator, Claude for Chrome, Perplexity Comet, Browserbase sessions)
  • Headless browsers - Puppeteer, Playwright, Selenium, and other automation frameworks
  • Instrumented runtimes - browsers controlled by WebDriver, CDP, or similar protocols
  • Classic bots and scrapers - crawlers, scrapers, and scripted traffic that bypass User-Agent cloaking

Detection runs server-side after the client-side script submits a fingerprint, so it cannot be bypassed by modifying browser headers alone.

Reading the bot signal

Each response from the Events API contains a bot field. For basic bot decisions, derive botOrNot from bot.result:

{
  "bot": {
    "result": "not_detected",
    "score": 0,
    "signal": []
  },
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..."
}

Field        Meaning
bot.result   Detection status. Use "detected" or "not_detected".
bot.score    Numeric bot score for the current response.
bot.signal   Array of signals that contributed to the bot decision.

cside detects about 95% of basic bots with this signal. For more precise detection and enforcement, use smart detections and combine multiple fingerprint signals before blocking.

const botOrNot = identification.bot.result !== "not_detected";

Combine the bot field with other fingerprint signals for higher confidence:

  • tampering: true - browser attributes have been modified, common in stealth automation
  • developer_tools: true - devtools open, common in locally run agents
  • virtual_machine: true - session is running inside a VM or sandbox
  • high_activity_device: true - unusually high number of identifications from the same device, a common agent signal

Confidence through combination

No single signal is definitive. Treat bot as the primary indicator and use tampering, virtual_machine, and high_activity_device as reinforcing signals before taking action.
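
One way to apply the combination rule above, as an added example that is not cside's own code. It assumes the reinforcing signals and visitor_id are top-level fields of the identification object; the action names (allow, log, challenge, block) and the escalation policy are illustrative choices.

```javascript
// Added example. Assumption: the reinforcing signals are top-level booleans
// on the identification object; the page does not show their exact location.
const REINFORCING = ["tampering", "virtual_machine", "high_activity_device"];

// Returns { action, reasons, audit }. The action names and the escalation
// policy are illustrative choices, not cside-defined values.
function decideAction(identification) {
  const bot = identification && identification.bot;
  if (!bot || typeof bot.result !== "string") {
    // Malformed or missing response: do not silently treat it as human.
    return { action: "challenge", reasons: ["malformed_response"], audit: null };
  }

  const botDetected = bot.result !== "not_detected"; // same rule as botOrNot
  const reasons = REINFORCING.filter((name) => identification[name] === true);

  let action = "allow";
  if (botDetected && reasons.length > 0) {
    action = "block"; // primary indicator plus at least one reinforcing signal
  } else if (botDetected) {
    action = "challenge"; // primary indicator alone: verify before blocking
  } else if (reasons.length > 0) {
    action = "log"; // reinforcing signals alone are recorded, not acted on
  }

  // Fields the page suggests logging for traffic reports and audit trails.
  const audit = {
    visitor_id: identification.visitor_id ?? null,
    user_agent: identification.user_agent ?? null,
    bot_result: bot.result,
    bot_score: bot.score ?? null,
    bot_signal: Array.isArray(bot.signal) ? bot.signal : [],
    action,
    reasons,
  };
  return { action, reasons, audit };
}

// Constructed sample responses (not real API output).
const samples = {
  human: { bot: { result: "not_detected", score: 0, signal: [] } },
  botOnly: { bot: { result: "detected", score: 1, signal: [] } },
  botInVm: { bot: { result: "detected", score: 1, signal: [] }, virtual_machine: true },
  vmOnly: { bot: { result: "not_detected", score: 0, signal: [] }, virtual_machine: true },
};
for (const [name, sample] of Object.entries(samples)) {
  console.log(name, decideAction(sample).action);
}
```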

Integration example

In your client-side JavaScript, request the fingerprint session token. The response field is still named token:

const fingerprintResponse = await sendClientTelemetry({
  accountId: "1234567890",
});

if (!fingerprintResponse?.ok) {
  throw new Error("Fingerprint telemetry request failed.");
}

const { token: sessionToken } = await fingerprintResponse.json();

In your backend, exchange the session token with https://api.cside.com/token/v1/client, then branch on the bot field:

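// Exchange the session token for the identification result.
const response = await fetch("https://api.cside.com/token/v1/client", {
  method: "POST",
  headers: { "Content-Type": "text/plain" },
  body: sessionToken,
});

// Fail explicitly instead of reading bot fields from an error body.
if (!response.ok) {
  throw new Error(`Token exchange failed with status ${response.status}.`);
}

const identification = await response.json();
const botOrNot = identification.bot.result !== "not_detected";

if (botOrNot) {
  // Block, challenge, or log the request
  return respondWithChallenge();
}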

Common use cases

  • Protect forms and checkout flows - drop agent traffic before it reaches payment or account creation
  • Gate AI scraping of priced content - apply different rate limits or access tiers when AI agents are detected
  • Measure agent share of traffic - log bot.result, bot.score, and bot.signal alongside the user_agent string to report on how much of your traffic is automated
  • Chargeback and fraud evidence - pair the bot signal with the visitor_id to build an audit trail of automated sessions
