Resources

Guides, API references, and playbooks

Integration docs live on this site and the docs subdomain. Start with quick start, then Events GET for every fraud decision.

Full documentation Starter templates

Library

Featured resources

Start here

Getting started with DigitalFingerprint

Install @visitoriq/client, configure apiKey and signingSecret, init the OriginID SDK class, and wire eventId to your backend Events GET flow.

Guide

→Fraud

Merge policy & bootstrap tokens

balanced vs conservative per API key, bootstrapToken: 'auto' for fraud signup, peer-collision guards, and when to split originIds on shared hardware.

Guide

→API

Confidence model (v1 & v2)

Merge false-positive risk on a 0–100 scale, linkConfidence, fusion penalties, ORIGINID_CONFIDENCE_V2, and signup gate patterns.

Reference

→API

Smart Signals field guide

bot, vpn, proxy, tampering, velocity, ipInfo, ipBlocklist, highActivityDevice, and mobile integrity fields on Events GET.

Reference

→API

POST /api/identify

Authentication, request signing, slim vs full responses, Limiter enforcement, error codes, and rate limits.

Reference

→API

GET /api/events/:eventId

Server-authoritative enrichment: confidence, smartSignals, suspectScore, ruleAction, and optional raw signals.

Reference

→Rules

Limiter preset rulesets

Import signup-strict, marketing-balanced, and conservative-fleet templates from the console Limiter page.

Reference

→Hands-on

Cross-domain identification

Run apps/test-site on port 3002 as a second origin and verify matching across domains with the same project API key.

Tutorial

→Operations

Deploy to production

MySQL 8, Valkey, ORIGINID_SECRET, signing, slim responses, webhooks, retention cron, and AWS/Vercel paths in DEPLOY.md.

Ops

→Migration

Fingerprint-compatible responses

Side-by-side evaluation with ?format=fingerprint on identify and Events GET. Native confidence is 0–100; export uses 0–1.

Migration

→Security

Production trust model

Slim browser payloads, 5-minute eventId window, server-authoritative fraud, webhook verification, and integration checklist.

Playbook

→

Topics

Integration concepts

Core patterns every production deployment should follow.

Why server-side VPN detection beats IP lists alone

Timezone mismatch, relay detection, and visit history corroborate client VPN hints — IP rotation alone is insufficient.

Confidence is merge risk, not uniqueness

Gate signup and payouts on identification.confidence plus linkedId from Events GET — originId alone is a browser handle, not a person.

Limiter: identify-time blocks vs Events evaluation

Enabled rulesets auto-block abusive identify traffic; pass ruleset_id on Events GET when your backend needs inline ruleAction after identify.

Slim SDK responses and the 5-minute event window

Production keys never expose fraud fields in-browser; each eventId is authoritative for one server-side decision.