// telltales/registry/registry.go

func NewDefaultRegistry() *Registry {
    r := &Registry{} // 100+ detection rules

    r.Register(TelltaleDefinition{
        ID: "TT-071", Name: "property_descriptor_spoofed",
        Category: Fingerprint, Weight: 0.85,
        Evaluate: func(ctx *EvalContext) bool {
            return ctx.PropertyDescriptorSpoofed
        },
    })

    r.Register(TelltaleDefinition{
        ID: "TT-076", Name: "canvas_noise_injected",
        Category: Fingerprint, Weight: 0.85,
        Evaluate: func(ctx *EvalContext) bool {
            return ctx.CanvasNoiseInjected
        },
    })

    r.Register(TelltaleDefinition{
        ID: "TT-082", Name: "mouse_bezier_synthetic",
        Category: Behavioral, Weight: 0.80,
        Evaluate: func(ctx *EvalContext) bool {
            return ctx.MouseBezierSynthetic
        },
    })

    r.Register(TelltaleDefinition{
        ID: "TT-089", Name: "stealth_plugin_partial_patch",
        Category: Fingerprint, Weight: 0.85,
        Evaluate: func(ctx *EvalContext) bool {
            return ctx.StealthPluginPartialPatch
        },
    })

    r.Register(TelltaleDefinition{
        ID: "TT-063", Name: "client_hints_inconsistency",
        Category: Network, Weight: 0.70,
        Evaluate: func(ctx *EvalContext) bool {
            return ctx.ClientHintsInconsistent
        },
    })

    // ... 95+ more rules across 6 categories
    // score = fired_weights / total_weights * 100
    return r
}
Open source · Self-hostable · No CAPTCHAs

Human or agent?
One score. Every signal explained.

100+ signals across behavioral analysis, device fingerprinting, environment probes, cryptographic chain verification, proof of work challenges, and conversational gatekeeper. Every decision traceable.

View Dashboard See the code
$ | click to copy
0 Signals
0 Telltale Rules
0 SDK Size
0 CAPTCHAs
Detection

Every signal. Explained.

100+ telltale rules across 6 categories. Every decision traceable to exactly which signals fired and why.

Integration

One script tag.
Five defense layers.

Drop the SDK into any page. It collects 100+ signals across behavioral biometrics, environment probes (AudioContext, WebGL, canvas, fonts, emoji rendering, Web Workers), JS integrity checks (prototype tampering, property descriptors, stealth plugin detection), and cryptographic chain verification. Streams everything over WebSocket. No UI. No pop-ups. Users never know it's there.

Behavioral analysisMouse dynamics, keystroke cadence, click precision, scroll inertia, synthetic event detection, touch biometrics
Environment probesrAF timing, canvas entropy, AudioContext fingerprint, WebGL shader timing, stack traces, native function integrity
Cryptographic chainSHA-256 linked stamps with fabrication detection. Tamper with any entry = detection.
Five-tier enforcementEdge pre-score → behavioral analysis → proof of work → tarpit slow-drain → conversational gatekeeper with micro-games.
index.html
<!-- Drop this anywhere -->
<script
src="https://zgate.dev/static/zgate.js"
data-site-key="pk_your_key"
data-enforce="true"
></script>
 
// That's it. Auto-protects all forms.
// 100+ telltale rules, hardware probes,
// crypto chain, device correlation, WS.
Terminal
// Your form handler (Node.js / Express)
app.post("/signup", async (req, res) => {
 
// 1. Extract token injected by Z-Gate SDK
const token = req.body.__zgate_token;
 
// 2. Verify server-side with your secret key
const check = await fetch("https://zgate.dev/v1/siteverify", {
method: "POST",
body: JSON.stringify({
token,
secret_key: "sk_live_..."
})
});
 
const { success, score, action } = await check.json();
 
// 3. Act on the verdict
if (!success || action === "block") {
return res.status(403).json({ error: "Blocked" });
}
 
// Human verified — process the signup
createUser(req.body);
});
Server-side

Verify every form.
Three lines of code.

When data-enforce="true", the SDK auto-injects a __zgate_token hidden field on form submit. Extract it server-side, call /v1/siteverify, and act on the verdict.

successDid the session pass verification?
score0-100 bot probability. Log it, trend it, alert on it.
action"allow", "challenge", "tarpit", or "block" — your call what to enforce.
Edge-Native

Scored before your server sees it.

Z-Gate's edge middleware runs at the CDN layer — Vercel, Cloudflare, any edge runtime. Every request gets a pre-score before it ever touches your origin. Bots that don't even load JavaScript get caught here.

Trust Cookie

After a visitor passes behavioral analysis, the edge signs an HMAC cookie. Next request? Middleware reads the cookie, verifies the signature, lets them through. No SDK load. No WebSocket. No scoring. Verified humans get the fastest possible path.

HTTP Fingerprint

python-requests/2.28 with no Accept-Language and no Sec-Fetch-Mode? That's a 75 before a single behavioral signal fires. Z-Gate runs 12 network-level checks — Client Hints consistency, Sec-Fetch validation, header order analysis, Accept patterns, Connection anomalies, stale UA detection — plus 22+ known bot signatures including Puppeteer, Playwright, and headless Chrome.

IP Reputation

Datacenter CIDR? Tor exit node? Known bad actor? The edge caches IP reputation lists and checks every request in <1ms. No external API call. No latency penalty. Lists refresh every 5 minutes from your Z-Gate instance.

<1ms scoring

IP check + header heuristics run entirely at the edge. No round-trip to origin. Bots that don't even load JavaScript get caught here.

HMAC trust cookies

Verified visitors bypass all checks. Signed with SHA-256. Tamper-proof. 24h TTL. Returning humans get the fastest possible path.

Cached IP lists

Datacenter CIDRs, Tor exits, blocked ranges. In-memory. No external dependency. Lists refresh every 5 minutes from your instance.

Works with Next.js, Cloudflare Workers, any edge runtime · npm i @zgate/next
Device Intelligence

Know the device, not just the session.

Bots rotate fingerprints. Z-Gate correlates hardware signals across sessions to identify the physical device behind them — even when the browser fingerprint changes.

AudioContext Fingerprint

Renders audio through an OfflineAudioContext with oscillator + compressor and hashes the output. Real browsers produce unique waveforms from their audio stack. Headless browsers return silence — instant detection.

WebGL Shader Timing

Executes a 128-iteration sin/cos fragment shader and measures GPU execution time across 5 runs. Real GPUs have scheduling jitter. Software renderers (SwiftShader) are impossibly fast with zero variance. Pixel output is hashed to detect known software renderer signatures.

Cross-Browser Correlation

Groups devices by physical hardware signals — GPU renderer, screen resolution, CPU cores, timezone, IP range. When a bot rotates browser fingerprints, Z-Gate sees the same physical device underneath. More than 3 identities from one device = flagged.

DEVICE INTELLIGENCE LIVE
Devices
847
Avg Trust
91.2
Suspicious
23
Bots
12
Device List
DeviceTrustSessionsPlatformStatus
dev_a8f2c1... 98 142MacIntel Human
dev_3bf91e... 87 89iPhone Human
dev_c7201a... 54 31Linux x86 Suspicious
dev_91f4e2... 12 2,847Linux x86 Bot
dev_e45f81... 8 1,203Linux x86 Bot
Network Graph
dev_a8f2c1 dev_3bf91e dev_c7201a dev_91f4e2 dev_e45f81 shared IP same hardware
Persistent device identity across sessions · Trust scoring · Network visualization Dashboard →

Every device gets a unique, persistent identity. The network graph reveals hidden connections — bot farms sharing IPs, fingerprint rotators on the same physical machine. Click any node to see every session, every IP, every identity change.

Last Resort

Meet Gatekeeper.

When behavioral analysis isn't enough and proof of work gets bypassed, Gatekeeper steps in. A friendly chat with quick questions and interactive micro-games — trivial for humans, impossible for scripts. No image grids. No frustration. Just a 30-second conversation.

Available on Pro & Enterprise plans
Gatekeeper Adaptive Challenge
Our systems flagged unusual activity. Quick verification needed.
Quick! Name any color.
category: speed
blue
think: 0.8s · typing_σ: 42ms
Catch the falling ball!
category: game · physics_drop
Caught!
solve: 3.1s · trajectory: 47pts
Verified
score: 82.6 · passed: true
Physics Drop Micro-Game
precision: 94.2% mouse_moves: 38 solve: 4.3s
Session Trace Timeline
Session created
181.169.15.194 · AR
SDK connected
probes: clean · 32ms
Score: 62.4 → CHALLENGE
3 telltales fired · threshold: 40
Gatekeeper triggered
4 challenges · 2 games + 2 text
Verified Human
gk_score: 82.6 · 28s · ALLOW

Adaptive Questionnaire

An ever-growing bank of challenges across multiple categories — speed tests, trick questions, opinion prompts, absurd scenarios. The mix changes every session. Every keystroke, pause, and correction is measured. LLMs can answer the questions, but they can't fake the typing.

Micro-Games & Behavioral Probes

Interactive challenges mixed into the conversation — catch a falling ball, rotate an arrow to a random target, long press, double tap. Each one samples mouse trajectories, measures precision timing, and captures behavioral signals that require a real browser with a real human behind it.

Real-Time Telemetry

Every exchange is a data stream. Think time, typing cadence, keystroke variance, corrections, mouse trajectories, solve precision. All scored server-side in real time — the client sends raw behavioral data, the server computes the score. No client-side manipulation possible.

Gatekeeper session flow
// 4 challenges: 1 text + 2 games + 1 behavioral
intro → "Our systems flagged unusual activity..."
 
text → "Quick! Name any color."
{ think_time: 1.2s, typing_σ: 34ms, corrections: 1 }
 
game_1 → [Orientation Lock — rotate arrow to target]
{ solve_time: 3.1s, adjustments: 12, precision: 2.4° }
 
game_2 → [Physics Drop — catch the ball]
{ solve_time: 4.3s, trajectory: 47pts, mouse_moves: 38 }
 
behavior → [Long Press or Double Tap]
{ hold_accuracy: 94%, tap_gap: 280ms }
 
verify → POST /v1/gatekeeper/verify
{ score: 82.6, passed: true } // ≥ 60 = human

No LLM. No ML. Deterministic scoring.

The gatekeeper doesn't use AI to judge responses. Questions come from a static bank with validators. Scoring is pure math — weighted behavioral signals with known thresholds. Every decision is traceable to exactly which signals fired and why.

Ever-growing challenge bankSpeed, instruction, trap, opinion, absurd — and expanding. Questions and games are mixed dynamically. No two sessions play the same.
Server-side rescoringClient sends raw timestamps and trajectories. Server recomputes everything. No client-side manipulation possible.
~30 secondsFast enough that real users don't abandon. Rich enough that bots can't fake the behavioral fingerprint.
Defense Pipeline

Five layers. No puzzles. Maximum protection.

Every request flows through the same pipeline. Edge pre-scoring catches the obvious. Behavioral analysis catches the sophisticated. PoW, tarpit, and the gatekeeper handle the gray zone. No image grids. No "select all traffic lights."

Edge
pre-score in <1ms
Behavioral
score < 40 → allow
Proof of Work
40-65 → SHA-256 puzzle
Tarpit
65-75 → slow drain
Gatekeeper
> 75 → chat + games
Visibility

Real-time dashboard + session replay

Traffic time-series. Historical analytics. Session replay with mouse trail playback. Click any session to drill down into every signal, or watch the bot move in real time. Mark false positives. Get webhook alerts on block spikes.

zgate.dev/dashboard
--
Sessions
--
Allowed
--
Challenged
--
Blocked
Session Replay sess_7f2a · 4.2s
1x
Watch exactly how a bot navigated your page. Mouse trails, clicks, scrolls, keystrokes — all recorded and replayable at 1x, 2x, or 4x speed. Passwords are automatically redacted.
Webhook Alerts

Get notified when your block rate spikes. Z-Gate monitors a 5-minute sliding window and fires a POST to your webhook URL when blocks exceed your threshold. Slack, PagerDuty, anything that accepts HTTP.

{ "event": "block_spike", "rate": 12.4, "window": "5m", "blocked": 62 }
Feedback Loop

Mark any session as false positive or false negative directly from the dashboard. Track your detection accuracy over time and build confidence before switching from Monitor to Enforce mode.

Historical Analytics

Volume trends, score distributions, top telltales, and worst offender IPs — sliced by 24h, 7d, or 30d. Postgres-backed, not just in-memory. See patterns that real-time dashboards miss.

Response

From insight to action. One click.

Every session gets a score. Every score triggers a response. Automatic escalation from allow to block — plus manual interventions when you need surgical control.

Allow
score < 40
Request passes.
User never knows.
🔒
Challenge
score 40–65
SHA-256 PoW puzzle.
Invisible to humans.
🐌
Tarpit
score 65–75
Artificial delay.
Wastes bot resources.
Block
score > 75
Hard stop. 403.
Webhook fires.
Thresholds fully configurable per site. Start in monitor mode — flip to enforce when ready.

Block IP

One click to permanently block any IP address. See every session from that address, unique fingerprints, block rate, and first/last seen. Unblock anytime from the dashboard.

Force Gatekeeper

Flag any device for a conversational challenge on their next visit. Useful when a session looks suspicious but the score is borderline. The device gets Gatekeeper regardless of score.

Feedback Loop

Mark any session as false positive, false negative, confirmed bot, or confirmed human. Add notes. Track feedback stats across your account. Every label improves your understanding.

Monitor first. Enforce when ready.
Start in monitor mode — every session gets scored but nothing gets blocked. Review decisions, tune thresholds, check for false positives. Flip the switch to enforce when you trust the numbers.
Pricing

Simple, transparent pricing

Start free. Full protection included. Pay for deeper visibility.

Free
$0/mo
  • 10,000 sessions/month
  • Full telltale detection + hardware probes
  • Gatekeeper + 5 challenges
  • Proof of Work challenges
  • 1 API key
  • Dashboard overview
  • Analytics
  • Device intelligence
  • Webhooks
Get Started Free
Most Popular
Pro
$19/mo
  • 100,000 sessions/month
  • Full telltale detection + hardware probes
  • Gatekeeper + 5 challenges
  • Unlimited API keys
  • Full dashboard + 90-day analytics
  • Device intelligence + network graph
  • Session replay
  • Webhook alerts
  • PDF export
Start Pro
Enterprise
$99/mo
  • Unlimited sessions
  • Full detection + custom telltale weights
  • Everything in Pro
  • 1-year data retention
  • Priority support + SLA
  • Audit log
Contact Sales
Payments via Stripe & Mercado Pago. Pay in your local currency.
stripe mercadopago

Stop guessing.
Start explaining.

Deploy Z-Gate in minutes. 100+ telltale rules. Hardware probes. Device correlation. Every decision explained.

View Live Dashboard Read the docs
Deploy to Render

Deploy your own instance with Redis — free tier available.