How it works
Drop the Shield widget script into your page and add a hidden input to your form. When a user submits, Shield runs silently in the background — no checkbox, no image puzzle. On your server, call the /shield/siteverify endpoint with the token from the form submission. The response tells you whether the submission is human or bot.
1. Embed the widget
Add one <script> tag to your page and a hidden <input name="shield-token"> to your form. Zero UX impact.
2. Verify on your server
POST the token to /shield/siteverify with your secret key. Receive a verdict and risk score in the JSON response.
Detection signals
| Signal | Description |
|---|---|
| Proof-of-Work challenge | Forces the browser to solve a CPU-bound puzzle before submission — trivial for humans, expensive for bots. |
| Browser fingerprinting | Detects headless browsers, automation frameworks, and bot-like device characteristics. |
| Honeypot detection | Hidden fields that real users never touch; bots fill them in automatically. |
| Timing & keystroke analysis | Flags suspiciously fast or scripted interaction patterns. |
| Geo / ASN risk scoring | Scores submissions based on originating country and network reputation. |
| DNS blocklist checks | Checks the submitter IP against Spamhaus and Barracuda blocklists in real time. |
| Spam text classification | Analyses free-text fields for spam patterns before the form ever reaches your backend. |
| Email rule enforcement | Optionally runs Verifence email rules at siteverify — block disposable addresses at the form level. |
Invisible by default
Shield runs in form execution mode — fully invisible. No CAPTCHA images, no "I'm not a robot" checkbox, no accessibility problems. The challenge runs in the background when the user interacts with the page, completing before they even hit submit.
Multiple sites
Create separate site keys for each domain or form you want to protect. Each site key has its own usage dashboard and alert thresholds. Usage alerts fire at 80% and 100% of your monthly verification limit so you're never caught off guard.
Availability & fail-open behaviour
Shield is designed to never block your users due to a Verifence outage. If the /shield/siteverify endpoint is unreachable or returns a server error, your integration should allow the submission through and log the failure — this is called fail-open.
During a service disruption your forms stay fully functional. Bot protection resumes automatically once the service recovers. We recommend setting a 3-second timeout on the siteverify call and logging any service_error or service_unavailable responses so you can correlate them with our status page. See the API docs for ready-to-use Node.js and Python examples.
Advanced siteverify options
In addition to the required token and secret, the siteverify endpoint accepts optional fields to layer extra checks on the same request:
email— Runs the submitted email address through your account's Email Rules (blocks disposable, role, or geo-restricted addresses at the form level)text— Passes a message body through the spam text classifier; returns aspam_scoreand detected languagehoneypot— Pass the value of your hidden honeypot field; any non-empty value is an immediate bot signal
Allowed domains
Restrict a site key to specific origins from your dashboard. Requests from unlisted origins are blocked before any challenge is issued, preventing key misuse if your site key is ever exposed.
Auto-blocking
IPs that fail more than 20 challenges within an hour are automatically blocked for 24 hours. This limits the impact of persistent bot operators without any configuration on your part.
Limits
Shield verifications are counted per site per month and are separate from your scanning credit pool. Free plans include 1,000 verifications/mo; paid plans range from 10,000 to 1,000,000.