AI Agent Detection
Detect AI agents, bots, and automated browsers hitting your site using cside fingerprinting. Identify browser-use agents, headless automation, and crawler traffic from the Events API response.
AI agents and autonomous browsers now make up a growing share of web traffic. OpenAI Operator, Claude for Chrome, Perplexity Comet, Browserbase, and other agent frameworks drive real sessions through real browsers - so traditional User-Agent checks miss them. cside fingerprinting surfaces these visitors through the bot signal returned by the Events API.
What cside detects
The fingerprinting Events API returns a bot field for every identification call. It combines browser automation signals, environment tampering checks, and behavioural fingerprints to identify:
- AI browser agents - autonomous agents driving a real browser (OpenAI Operator, Claude for Chrome, Perplexity Comet, Browserbase sessions)
- Headless browsers - Puppeteer, Playwright, Selenium, and other automation frameworks
- Instrumented runtimes - browsers controlled by WebDriver, CDP, or similar protocols
- Classic bots and scrapers - crawlers, scrapers, and scripted traffic that bypass User-Agent cloaking
Detection runs server-side after the client-side script submits a fingerprint, so it cannot be bypassed by modifying browser headers alone.
Reading the bot signal
Each response from the Events API contains a bot field:
{
  "bot": "not_detected",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..."
}
| Value | Meaning |
|---|---|
| "not_detected" | No bot or agent signals found |
| Any other string | An agent or automation pattern was detected, with the value indicating the detected category |
Combine the bot field with other fingerprint signals for higher confidence:
- tampering: true - browser attributes have been modified, common in stealth automation
- developer_tools: true - devtools open, common in locally run agents
- virtual_machine: true - session is running inside a VM or sandbox
- high_activity_device: true - unusually high number of identifications from the same device, a common agent signal
No single signal is definitive. Treat bot as the primary indicator and use tampering, virtual_machine, and high_activity_device as reinforcing signals before taking action.
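One way to apply this policy on the backend, as an added example that is not cside's own code. The function names, action names, and thresholds are assumptions, and the sample responses (including the placeholder category `example_category`) are constructed:

```javascript
// Added example. Action names and thresholds are assumptions, not cside defaults.
// Reinforcing fields are the ones the page names alongside `bot`.
const REINFORCING_FIELDS = ["tampering", "virtual_machine", "high_activity_device"];

function decideAction(identification) {
  // A response without a string `bot` field is treated as unverified, not as clean.
  if (!identification || typeof identification.bot !== "string") {
    return { action: "challenge", reason: "missing_bot_field", reinforcing: [] };
  }
  // Count a flag only when it is strictly boolean true.
  const reinforcing = REINFORCING_FIELDS.filter((f) => identification[f] === true);
  const detected = identification.bot !== "not_detected";

  let action;
  if (detected && reinforcing.length > 0) action = "block";   // primary + reinforcing
  else if (detected) action = "challenge";                    // primary signal alone
  else if (reinforcing.length > 0) action = "log";            // reinforcing only: observe
  else action = "allow";

  return { action, reason: detected ? identification.bot : "not_detected", reinforcing };
}

// Audit record pairing the bot value with visitor_id and user_agent for later reporting.
function auditRecord(identification, decision, now = new Date()) {
  return {
    time: now.toISOString(),
    visitor_id: identification.visitor_id ?? null,
    user_agent: identification.user_agent ?? null,
    bot: identification.bot ?? null,
    reinforcing: decision.reinforcing,
    action: decision.action,
  };
}

// Constructed sample responses; "example_category" is a placeholder, not a real cside value.
const SAMPLES = [
  { visitor_id: "v-constructed-1", bot: "not_detected", user_agent: "Mozilla/5.0 (constructed)" },
  { visitor_id: "v-constructed-2", bot: "example_category", user_agent: "Mozilla/5.0 (constructed)" },
  { visitor_id: "v-constructed-3", bot: "example_category", tampering: true, virtual_machine: true },
  { visitor_id: "v-constructed-4", bot: "not_detected", high_activity_device: true },
];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(auditRecord(sample, decideAction(sample))));
}
```
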
Integration example
Send the fingerprint token to your backend, then branch on the bot field:
const { token } = await submitFingerprint("your-client-id");
const response = await fetch("https://<YOUR_BACKEND_HOST>/<PLACEHOLDER_PATH>", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ token }),
});
const identification = await response.json();
if (identification.bot !== "not_detected") {
  // Block, challenge, or log the request
  return respondWithChallenge();
}
Common use cases
- Protect forms and checkout flows - drop agent traffic before it reaches payment or account creation
- Gate AI scraping of priced content - apply different rate limits or access tiers when AI agents are detected
- Measure agent share of traffic - log the bot value and the user_agent string to report on how much of your traffic is automated
- Chargeback and fraud evidence - pair the bot signal with the visitor_id to build an audit trail of automated sessions
Next steps
- Read the full Events API reference for the complete response shape
- Review the Fraud & environment signals table for all fields that support bot and agent detection
- Contact sales to enable fingerprinting for your account