Identifiers
See Identifiers for the full model. RequestID A UUID generated per identify call. It is the join key that ties a single check across the snapshot, the webhook, and the History API. Use it as your idempotency key. SessionID A per-visit UUID stored in the browser’ssessionStorage with a 10-minute window. Resets on a new session or tab.
CookieID
A first-party cookie/localStorage UUID minted in the browser. It is lost when the visitor clears cookies or storage.
DeviceID
A server-derived UUID5 of dozens of stable browser-environment components (canvas, WebGL, audio, fonts, screen, navigator, timezone, and more). Because it is derived rather than stored, it survives cleared cookies, incognito, and IP rotation within the same browser. It is browser-bound: a different browser produces a different DeviceID. This is the durable identity behind accurate visitor counting.
VisitorID
A server-derived UUID5(DeviceID + CookieID). Because it includes the cookie, it changes when cookies are cleared. Many VisitorIDs can map to one DeviceID.
UserHID
Your own account identifier, passed in from the snippet. It must be hashed or pseudonymous, never a raw email or login. ShieldLabs does not derive it.
WebRtcHIP
A hashed network identifier used to correlate events; it is not a raw IP and cannot deanonymize a visitor.
Risk Score and signals
See Risk Score and Signals. Risk Score An explainable score from 0 to 100 (hard-capped at 100) attached to each visit. Higher means more anonymous, masked, or abusive. It is a weighted sum of the signals that fired. ShieldLabs reports the score; your own code decides what to do with it. Band The four labels the Risk Score maps to: Clean (0 to 9), Low (10 to 29), Medium (30 to 59), High (60 to 100). There is no other band. Details The explainable breakdown that ships with every score. An array of entries, each{ "Value": <points>, "Description": "<signal>" }, naming the signal that fired and the points it contributed.
Signal
One detectable property of a visit that contributes points to the Risk Score, such as VPN, Tor, OS Mismatch, or Anti-detect Browser. The full catalog and its weights are on Signals.
Anonymity and connections
See Anonymity detection. Anonymity detection The set of checks that determine how masked a visit is: VPN, proxy, Tor, Privacy Relay, datacenter, IP reputation, anti-detect browsers, and location/timezone spoofing. Connection Type The classification of a visit’s connection: Direct, Mobile, VPN, Proxy, Tor, Privacy Relay, or Unknown. Surfaced in the dashboard and on the stored snapshot. Privacy Relay iCloud Private Relay or a similar relay service. Treated as lower risk than a generic VPN, because it usually signals a privacy-conscious user rather than masking intent. Anti-detect browser A browser built to spoof or randomize its fingerprint to evade identification. ShieldLabs surfaces it through cross-layer signals without naming specific tools. Mismatch A contradiction between what the browser claims and what the network shows. Examples: OS Mismatch (the claimed OS versus the observed OS), Timezone Mismatch (browser timezone versus IP timezone), IP Mismatch (the reported and observed IP addresses disagree). Device Intelligence The discipline of combining a device fingerprint with network analysis, risk signals, and mismatch detection into one profile, returned as a persistent DeviceID plus signals. See Device Intelligence.Abuse patterns
See Abuse Patterns. Abuse Pattern One of eight relationship patterns computed server-side from historical data and shown on the dashboard Patterns tab (for example, Many Accounts on One Device). Patterns are distinct from the per-request scoring signals and are not in the webhook or API payload. Local IP The customer-facing name for a private network identifier used to group entities in abuse patterns (for example, Many Accounts on One Local IP). Normal / Suspicious / Dangerous The three grades an entity can receive in a pattern, based on how many linked identifiers it accumulates in a time window. Normal is the default (uncrossed) state; Suspicious and Dangerous are the flagged states. A grade never downgrades.Analytics
See Visitors and Traffic Sources. Visitor / New Visitor The dashboard’s estimated count of unique people, computed by fingerprint-derived identity (DeviceID) rather than a single cookie. A New Visitor is one first seen within the selected date range. The number is an estimate, not an exact headcount. Traffic Risk (Traffic Score) The average Risk Score across all checked requests in a period, shown as a gauge on the dashboard Overview. Traffic Source The acquisition channel, referrer, and UTM attribution captured on each request, used to rank sources by the risk and anonymous-traffic share they deliver. See Traffic Sources. Channel The resolved acquisition channel for a request: Google Ads, Meta, TikTok, LinkedIn, X, Organic Search, Referral, Direct, or Other.Integration
See Install the snippet and the API overview. Snippet The ShieldLabs JavaScript agent, an ES module loaded fromcdn.shieldlabs.ai that collects signals in the browser. It is not an npm package or a native mobile SDK.
Public Key
The per-domain key placed in the snippet URL. It identifies the domain and is safe to expose in the browser.
Secret Key
The per-domain key used only on your backend, to verify webhook signatures and authenticate the Management API as {domain}:{secret}. Never ship it to the browser.
Webhook
The server-to-server delivery of a scored result to your callback URL. It fires with Phase: "initial" and may fire again with Phase: "update". Delivery is at-most-once with no retries. See Webhooks.
Assing
The literal field name of the HMAC-SHA256 signature inside the webhook envelope, computed over the Data object and keyed by your Secret Key. Verify it before trusting a payload.
Phase
Which delivery a webhook represents: initial (the first score, about a second after the visit) or update (a recomputed delta after a follow-up network check).
Management API
The server-side API at api.shieldlabs.ai/{domain}:{secret}/ for reading your profile, setting the webhook callback, and searching history. See Management API.
History API
The GET /history/{type}/{value} endpoint of the Management API. It returns stored snapshots by identifier and is the guaranteed-read fallback when a webhook may have been missed.
Snapshot
A stored record of one scored identification. A superset of the webhook body that also carries connection and network fields. Returned by the History API.
Request
The billing unit. One identification is one request. The History API bills one request per returned row. Webhooks, dashboard views, and exports are free. See Billing.