Identifiers

ShieldLabs uses several identifiers in every webhook payload. Each tracks a different dimension of the user session.

RequestID

550e8400-e29b-41d4-a716-446655440000

Type: UUID v4
Scope: Single check The RequestID identifies one specific fingerprint submission. Every call to checkAnonymous() or checkAuthenticatedUser() generates a new RequestID. Use RequestID to:

Correlate the browser callback with the incoming webhook
Look up a specific session in the dashboard
Query via Pub API: debug/request_id/{uuid}

SessionID

7a1b2c3d-e89f-4a1b-9c2d-3e4f5a6b7c8d

Type: UUID
Scope: Browser tab session (~10 minutes) Stored in sessionStorage. A new SessionID is created when the session expires or forceCheck* clears storage.

CookieID

3f2e1d0c-b9a8-7f6e-5d4c-3b2a1f0e9d8c

Type: UUID
Scope: Persistent visitor Generated on first visit and stored in:

localStorage key visitorID
First-party cookie visitorID (2-year expiry, SameSite=Lax)

Survives page refreshes and browser restarts. Cleared when the user clears site data.

DeviceID

6ba7b810-9dad-11d1-80b4-00c04fd430c9

Type: UUID (deterministic)
Scope: Device hardware + browser environment Computed server-side from stable MixVisit fingerprint components (canvas, WebGL, fonts, screen, navigator, etc.) using UUID v5 (SHA-1):

DeviceID = UUIDv5(stable_components, namespace)

Volatile components (speech voices, storage quota, DOM-dependent values) are excluded for stability.

Stable across sessions on the same device/profile
Changes if hardware or browser profile changes significantly
Anti-detect browsers may cycle DeviceIDs when randomizing fingerprint components

VisitorID

a1b2c3d4-e5f6-7890-abcd-ef1234567890

Type: UUID (deterministic)
Scope: Device + cookie pair Derived server-side from the pair (DeviceID, CookieID):

VisitorID = UUIDv5(device_id + cookie_id, namespace)

Links the persistent cookie identity to the current device fingerprint. Not the raw localStorage UUID — it is recomputed when DeviceID or CookieID changes.

UserHID

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Type: String (typically SHA-256 hex, 64 chars)
Scope: Authenticated user The value you pass to checkAuthenticatedUser(). Must be a stable, hashed identifier — never raw user ID or email.

"anonymous" when checkAnonymous() is used
Query all sessions: history/user_hid/{hash}

Summary

Identifier	Tracks	Changes when
`RequestID`	Single check	Every `check*` call
`SessionID`	Browser session	~10 min TTL or `forceCheck*`
`CookieID`	Visitor cookie	Site data cleared
`DeviceID`	Fingerprint	Hardware/profile change
`VisitorID`	Device + cookie pair	DeviceID or CookieID changes
`UserHID`	Your user	You pass a different value

Querying by identifier

Base URL: https://account.shieldlabs.ai

GET /pub/{public_key}/{secret_key}/history/user_hid/{hashed_user_id}
GET /pub/{public_key}/{secret_key}/history/device_id/{device_id}
GET /pub/{public_key}/{secret_key}/history/visitor_id/{visitor_id}
GET /pub/{public_key}/{secret_key}/history/cookie_id/{cookie_id}
GET /pub/{public_key}/{secret_key}/history/session_id/{session_id}
GET /pub/{public_key}/{secret_key}/debug/request_id/{request_id}

See API Reference — History for full details.

​Identifiers

​RequestID

​SessionID

​CookieID

​DeviceID

​VisitorID

​UserHID

​Summary

​Querying by identifier