Zero Trust Mode

When you identify browsers or devices with Fingerprint, you get back the visitorId value.
You can use this value in your business logic to find suspicious activity or for marketing analytics.
By default, this value is sent back to your browser or device where you can read it and do something with it, e.g. send it to your server for storage and analysis.
This works fine in most cases, but sometimes you want to not receive the visitorId value from Fingerprint back to your devices. In security-critical applications, you want to hide that value and only read it on the server with your secret API key.
Instead, you get back a random requestId value that you can use later to read the actual visitorId server-side.
This mode of running the identification and not sending the visitorId back to the client device is called Zero Trust Mode.

The Fingerprint API supports Zero Trust Mode to make it very difficult to send malicious identification requests that impersonate other visitors.
Zero Trust Mode is implemented internally by identification result hiding and strict origin-checking features.

Identification Result Hiding

Zero Trust Mode requires this feature to avoid sending the identification results to end-user browsers.

When enabled, these fields will not be sent to the end-user browser: visitorId, visitorFound, and confidenceScore. The requestId field will still be returned, because you need it to get the full results later using our Server API.
Importantly, when Zero Trust Mode is enabled, you will still get full results through the webhook.

In addition to the requestId, the JavaScript agent response will include a new field called zeroTrust that will list all the fields that were hidden:

  "requestId": "...",
  "zeroTrust": {
    "hiddenFields": ["visitorId", "visitorFound", "confidence"],
    "comment": "The result was hidden because of the subscription configuration."

Likewise, the iOS and Android client agents will not receive the visitorId directly, only a requestId and other metadata.

Strict Origin Checking

In all modern browsers, the Origin header is automatically included in all cross-origin requests.
Websites cannot spoof this header. However, some signals collected by the JavaScript agent can be spoofed.

When Zero Trust Mode is enabled, the strict origin-checking feature detects inconsistencies between the data collected by the JavaScript agent and the request headers that cannot be spoofed by the browser. These headers are the Origin and the Referer. Identification requests with inconsistencies are rejected by the server. This ensures that the url and clientReferrer values can’t be spoofed. That is important because url and clientReferrer are exposed in our Server API and webhook responses.

You can use Zero Trust Mode with the request filtering feature for additional security.

This mode is only available for the Enterprise plan. It can be enabled on a per-application level.


If you would like to try this mode or learn more, please contact our support team.