Behavioral Bot Defense

Stop bots.
Keep humans moving.

Notabot verifies real human interaction patterns without image puzzles, screen capture, or cross-site fingerprinting. Add a low-friction behavioral challenge to login, checkout, signup, and API flows — with signed, replay-resistant tokens for your backend.

  • No image puzzles
  • No screen capture
  • Site-scoped signals
  • Signed backend tokens

Developer proof

Add the widget, then validate the signed token server-side.

The frontend snippet mounts the challenge. Protected actions should call the signed validation endpoint from your backend before continuing.

Frontend snippet
<script async
  src="https://cdn.notabot.com/widget/v1/notabot.js"
  data-notabot-site-key="tk_..."></script>
<div class="notabot-widget" data-action="signup"></div>

Signed backend validation

POST /api/v1/token/validate
content-type: application/json
x-tpac-site-key: tk_your_public_site_key
x-tpac-timestamp: 1776900000
x-tpac-nonce: unique-base64url-nonce
x-tpac-signature: hmac-sha256-signature

{ "token": "one-time-token-from-widget" }

Sign validation requests from your backend with the site signing secret; do not expose signing secrets to the browser.

Legacy CAPTCHA adds friction where it hurts most

If you run login forms, checkout flows, or public APIs, you already know the pain.

Image tasks are increasingly automated

Modern vision models and solver markets continue to reduce the cost of image challenges. Harder puzzles often punish humans more than automation.

Conversion friction

Repeated puzzle loops and slow challenge handoffs create measurable drop-off in signup, login, mobile, and checkout flows.

Accessibility barriers

Visual puzzle CAPTCHAs often create accessibility barriers, especially for screen-reader users and users with visual or motor impairments.

Privacy violation

Users distrust services that fingerprint devices, capture screens, or build cross-site identity graphs without a clear security purpose.

Mobile UX suffers

Tiny tap targets, zoom conflicts, and touch-event bugs make visual puzzle flows especially fragile on small screens.

Low attacker cost

Credential stuffing, scalping, and checkout automation can route around static controls unless verification is tied to server-side policy.

Verify the interaction, not the image

Notabot measures session-scoped interaction signals that are costly for automation to synthesize reliably.

Capture motion

A Rust/WebAssembly module derives pointer kinematics — velocity, acceleration, jerk, and timing — directly in the browser for the primary verification path.

Encrypt edge

Feature payloads are encrypted client-side with AES-256-GCM, and the ephemeral content key is wrapped with the site RSA public key before server-side scoring. Key management (per-site public keys, server-side private-key custody, rotation windows, and key IDs) is described in the security brief.

Neural inference

The verify service decrypts the feature payload inside the server trust boundary, normalizes the feature vector, and runs ONNX inference before policy turns the score into allow, challenge, or block.

What we measure

  • Fitts's Law compliance — human movement time scales logarithmically with distance
  • Submovement structure — ballistic + corrective micro-movements
  • Speed-curvature tradeoff — the power law: humans slow at curves
  • Timing entropy — natural jitter vs. vsync-locked bot intervals
  • Closure & winding — circular gesture signatures that are difficult to reproduce consistently

What we never do

  • No screen capture or Canvas fingerprinting
  • No cross-site device identifiers or third-party tracking cookies
  • No image decoding as the primary verification task
  • Primary verification does not transmit raw pointer paths; optional dataset collection is governed by signed grants, redaction, retention limits, and audit controls.

Built for teams that need lower-friction verification

| Capability | Notabot | Visual puzzle CAPTCHA | Image-based alternatives |
|---|---|---|---|
| User friction | Lower — natural interaction challenge | Mature ecosystem, but can add puzzle friction | Recognizable, but puzzle-dependent |
| Accessibility | No image decoding in the primary flow | Often needs audio or fallback handling | Varies by provider and flow |
| AI resistance | Behavioral signals plus policy tuning | Mature risk engines, with image tasks increasingly automatable | Variable |
| Privacy | Site-scoped signals and encrypted feature payloads | Depends on vendor collection model | Variable |
| Mobile UX | Touch-friendly interaction pattern | Can be fragile on small screens | Depends on challenge design |
| Custom branding | Hosted or embedded experience | Recognizable vendor UX | Variable |
| Compliance | Supports audit evidence for risk-based verification workflows | Depends on vendor evidence and DPA | Variable |
| Backend validation required | Yes — protected actions validate signed tokens server-side | Often optional or integration-dependent | Integration-dependent |
| Replay protection | Short-lived, one-time token validation | Depends on vendor token model | Variable |
| Data minimization | Site-scoped features, no cross-site identity graph | Depends on vendor collection scope | Variable |
| Accessibility fallback | Keyboard-accessible fallback and non-gesture review path | Audio or alternate challenge required | Depends on challenge design |
| Brand control | Embedded and hosted surfaces can be styled | Recognizable vendor UX | Variable |
| Model tuning required | Yes — tune per site, flow, and risk level | Vendor managed | Variable |

Security architecture at a glance

A small browser challenge produces a server-verifiable token without exposing a cross-site identity graph.

Flow

  • Browser challenge: user completes the challenge.
  • Feature extraction: session-scoped interaction signals.
  • Encrypted verify API: AES-GCM payload, RSA-wrapped key.
  • Model + policy: allow, challenge, or block.
  • Signed token: short-lived one-time proof.
  • Customer backend: validates before protected actions.

Trust boundaries: browser, Notabot verify service, customer backend.

Controls

  • Raw pointer path: kept out of the primary verification API.
  • Feature payload: encrypted before transport to the verify API.
  • Replay: short-lived tokens are checked for one-time use.
  • Audit: structured events support operational review.

Token and verification details

Notabot issues short-lived, one-time verification tokens bound to site, action, origin, challenge, and session context. Customer backends validate tokens through HMAC-signed server-to-server requests. Feature payloads are client-minimized, schema-versioned, encrypted in transit with per-site key material, and scored through versioned model + policy layers with structured audit events.

Built for the attacks you are already facing

One platform covers login abuse, checkout fraud, API scraping, and ticket scalping.

E-commerce & checkout flows

Add step-up verification for sneaker scalping, gift-card cracking, and checkout automation. Keep conversion focused with a short interaction challenge instead of repeated image puzzles.

SaaS login & credential stuffing

Add a behavioral step-up when credential-stuffing traffic rotates passwords, IPs, and infrastructure faster than static controls can respond.

Fintech risk workflows

Supports audit evidence for step-up and risk-based verification workflows with signed tokens, decision events, and adaptive scoring.

Ticketing & limited drops

Bot networks target concerts and flash sales before real users can complete checkout. Add behavioral friction that raises the cost of reliable automation.

Public APIs & scraping

Protect REST and GraphQL endpoints with server-side validation of signed verification tokens before sensitive actions continue.

Accessibility-first teams

Reduce visual CAPTCHA barriers with no image decoding in the primary flow, and enable hosted fallback paths for accessibility review.

Registration & fake-account floods

Stop mass-registration bots that pollute your user base and abuse free trials. Behavioral verification signals help keep analytics cleaner and support queues saner.

Comment spam & review fraud

Fake reviews and SEO spam destroy trust. A lightweight behavioral gate before every submission keeps forums and marketplaces authentic.

Account takeover & cracking

Password-spray attacks and hijacking tools can bypass static defenses. Smoothed risk scoring can require fresh verification when session behavior changes.

Security and review readiness — the 360° view

Designed to support privacy, security, and accessibility review with clear boundaries instead of blanket compliance claims.

Client-minimized interaction signals

The primary verification flow derives a compact feature payload in the browser, encrypts it with AES-256-GCM, and wraps the ephemeral content key with the site RSA public key before server-side scoring.

Client-side Proof-of-Work

Submissions include a WebAssembly-computed proof-of-work nonce that adds client cost to suspicious request volume and complements server-side policy controls.

HMAC-signed, replay-resistant tokens

Validation tokens are short-lived, checked for one-time use, and validated through signed server requests before protected actions continue.

Adaptive rate limiting & Kalman scoring

Risk scores can be temporally smoothed. If a session drifts toward higher-risk behavior, policy can require step-up verification or revoke trust.

Structured audit events

Allow, challenge, and block decisions can be logged with decision provenance, model version, and site-scoped session context for operational review.

No cross-site fingerprinting

We do not use Canvas, WebGL, AudioContext, or font-list enumeration for identity. No third-party cookies. Session and trust signals are scoped to the protected site.

CISO / DPO review map

These mappings show which product controls support customer legal, security, and accessibility reviews. They are not certifications or substitutes for your own assessment.

GDPR

Data minimization, lawful-purpose boundaries, retention limits, and DPA support.

CCPA

No sale of personal data, no cross-context ad tracking, and clear service-provider use.

PSD2

Step-up verification evidence for risk-based authentication and abuse review.

WCAG / EAA

Keyboard-accessible fallback, screen-reader tested hosted flow, reduced-motion support, and non-gesture verification notes.

Proof, not promises

Security review package available for pilot customers. It includes model card notes, replay and key-management threat modeling, privacy architecture, accessibility test notes, and the audit event schema.

Known limitations

  • Not a replacement for account-level fraud analytics or abuse operations.
  • Works best as a step-up verification layer with backend token validation.
  • Model thresholds should be tuned per site, flow, and risk level.
  • Production deployments should enable keyboard-accessible fallback, screen-reader review, reduced-motion support, and non-gesture verification.
  • Optional dataset collection must use grants, redaction, retention limits, and audit controls.

Where Notabot fits

  • Signup and registration abuse gates.
  • Login step-up verification during credential-stuffing spikes.
  • Checkout protection for scalping, card testing, and inventory abuse.
  • API abuse gates before sensitive server-side actions.
  • Ticketing drops and limited-release workflows.

Where it does not fit

  • Standalone fraud engine or replacement for abuse operations.
  • Identity proofing, KYC, or PSD2 Strong Customer Authentication decisions on its own.
  • Bot protection without backend validation of signed tokens.
  • Deployments that cannot provide an accessible fallback path.
  • Use cases that require cross-site tracking or unrelated behavioral profiling.

Ready to stop bots without stopping users?

Try the demo, review integration examples, or set up a site key when you are ready to test.