Node.js SDK
Server-side integration for verifying bot scanner results and accessing the WebDecoy API from your Node.js backend.
npm install @webdecoy/node
// or
yarn add @webdecoy/node
// or
pnpm add @webdecoy/nodeWhat the SDK Does
The Node.js SDK provides server-side utilities for working with WebDecoy detections.
Verify Detections
Server-side verification of bot scanner results to prevent client-side tampering.
Query Detections
Access your detection history and analytics data through the API.
Webhook Validation
Validate HMAC signatures on incoming webhook payloads.
Quick Start
Initialize the SDK with your API key and start verifying bot scanner results from your backend.
API Key Authentication
Use your API key from the WebDecoy dashboard
Async/Await Support
Modern Promise-based API
TypeScript Types
Full type definitions included
import { WebDecoy } from '@webdecoy/node';
const webdecoy = new WebDecoy({
apiKey: process.env.WEBDECOY_API_KEY
});
// Verify a bot scanner token
app.post('/api/submit', async (req, res) => {
const token = req.headers['x-webdecoy-token'];
const result = await webdecoy.verify(token);
if (result.isBot && result.score > 70) {
return res.status(403).json({
error: 'Bot detected'
});
}
// Process legitimate request
});import { validateWebhook } from '@webdecoy/node';
app.post('/webhooks/webdecoy', (req, res) => {
const signature = req.headers['x-webdecoy-signature'];
const payload = req.body;
const isValid = validateWebhook(
payload,
signature,
process.env.WEBHOOK_SECRET
);
if (!isValid) {
return res.status(401).send('Invalid signature');
}
// Process the detection event
const { detection_type, threat_score, ip } = payload;
console.log(`Detection: ${detection_type}, Score: ${threat_score}`);
res.status(200).send('OK');
});Webhook Validation
All webhooks from WebDecoy are signed with HMAC-SHA256. The SDK provides utilities to validate these signatures.
Framework-Specific Packages
Install the core SDK or use our framework-specific packages with built-in middleware.
Core SDK
npm install @webdecoy/nodeWorks with any framework
Express
npm install @webdecoy/expressMiddleware included
Fastify
npm install @webdecoy/fastifyPlugin included
Next.js
npm install @webdecoy/nextjsMiddleware wrapper
Express Middleware
The Express package provides middleware that automatically analyzes every request and attaches detection results.
import express from 'express';
import { webdecoyMiddleware } from '@webdecoy/express';
const app = express();
// Apply globally
app.use(webdecoyMiddleware({
apiKey: process.env.WEBDECOY_API_KEY,
sensitivity: 'medium',
blockThreshold: 70,
exclude: ['/health', '/static/*']
}));
// Or per-route
app.post('/api/login',
webdecoyMiddleware({ blockThreshold: 50 }),
(req, res) => {
// Access detection results
const { score, threatLevel } = req.webdecoy;
if (req.webdecoy.shouldChallenge()) {
return res.status(429).json({
error: 'Please complete verification'
});
}
// Process login...
}
);import Fastify from 'fastify';
import webdecoyPlugin from '@webdecoy/fastify';
const fastify = Fastify();
// Register the plugin
await fastify.register(webdecoyPlugin, {
apiKey: process.env.WEBDECOY_API_KEY,
sensitivity: 'medium'
});
fastify.post('/api/checkout', async (req, reply) => {
// Detection attached to request
const detection = req.webdecoy;
if (detection.score > 80) {
return reply.code(403).send({
error: 'Request blocked'
});
}
if (detection.shouldChallenge()) {
return reply.code(429).send({
error: 'Verification required',
challengeUrl: '/verify'
});
}
// Process checkout...
});Fastify Plugin
Register WebDecoy as a Fastify plugin. Detection data is automatically attached to every request object.
Next.js Middleware
Protect your Next.js app at the edge with middleware that runs before every request.
import { withWebDecoy } from '@webdecoy/nextjs';
import { NextResponse } from 'next/server';
export default withWebDecoy({
apiKey: process.env.WEBDECOY_API_KEY,
// Handle detection results
onDetection: async (detection, request) => {
if (detection.score > 80) {
return NextResponse.json(
{ error: 'Blocked' },
{ status: 403 }
);
}
if (detection.shouldChallenge()) {
return NextResponse.redirect(
new URL('/verify', request.url)
);
}
return NextResponse.next();
}
});
export const config = {
matcher: ['/api/:path*', '/checkout/:path*']
};Detection Response
Every detection returns a comprehensive analysis with actionable methods.
{
"score": 78,
"threatLevel": "HIGH",
"flags": [
"headless_browser",
"webdriver_detected",
"canvas_anomaly"
],
"signals": {
"webdriver": true,
"headless": true,
"canvasAnomaly": true,
"mouseEntropy": 0.12
},
"ip": "203.0.113.42",
"userAgent": "Mozilla/5.0...",
"timestamp": "2025-12-13T22:30:00Z"
}Threat Levels
Helper Methods
shouldBlock() Score ≥ block thresholdshouldChallenge() Score in challenge rangeisLegitimate() Score below thresholdsWhy Use Server-Side Bot Detection
Client-side detection is powerful, but server-side verification makes it tamper-proof.
Tamper-Proof Verification
Attackers cannot modify bot scores or bypass detection by manipulating client-side JavaScript. Server verification is the final authority.
TLS Fingerprinting
The SDK adds JA3/JA4 TLS fingerprint analysis that can only be done server-side, catching bots that spoof browser user agents.
Real-Time Webhooks
Receive instant notifications when bots are detected. Trigger automated responses in your backend without polling.
Available SDKs
WebDecoy provides official SDKs for multiple languages and platforms.
Learn More About Server-Side Integration
Guides and tutorials for integrating WebDecoy into your backend.
SDK Launch: TLS Fingerprinting
Learn how JA3/JA4 fingerprinting detects bots by analyzing TLS handshakes.
SIEM Integration Guide
Forward bot detections to Splunk, Elastic, and CrowdStrike for SOC visibility.
WebDecoy & WAAP Integration
How WebDecoy fits into your Web Application and API Protection strategy.
See also: Bot Scanner for client-side detection, Threat Scoring for automated responses, and Integrations for WAF connections.
Frequently Asked Questions
Common questions about the WebDecoy Node.js SDK.
Why do I need server-side verification with the SDK?
Client-side bot detection can be tampered with by sophisticated attackers. The SDK allows you to verify detection tokens server-side, ensuring that bot scores have not been modified. This two-layer approach combines client-side signals with tamper-proof server verification.
Which Node.js frameworks are supported?
The SDK works with any Node.js framework including Express, Fastify, Next.js, NestJS, Koa, and Hapi. It provides simple middleware integration patterns and works with both JavaScript and TypeScript projects with full type definitions included.
How do I validate incoming webhooks from WebDecoy?
The SDK includes a validateWebhook function that verifies HMAC-SHA256 signatures on incoming webhook payloads. This ensures webhooks are genuinely from WebDecoy and have not been tampered with. The function also validates timestamps to prevent replay attacks.
What data does the verification response include?
Verification responses include the bot score (0-100), detection signals (webdriver, headless, canvas anomaly, etc.), a human/bot verdict, the visitor ID, and the timestamp. You can use this data to make access control decisions in your application.
Are there SDKs for other languages besides Node.js?
Yes. WebDecoy also provides SDKs for Go and PHP (with WordPress integration). All SDKs support the same core functionality: token verification, webhook validation, and API access. See our documentation for Go and PHP integration guides.
Ready to integrate server-side bot detection?
Install the Node.js SDK and start verifying bot scanner results in minutes.
View npm Package