API Protection

Prosopo's API Protection puts a bot-aware verification step in front of the API endpoints attackers actually target — login, signup, password reset, checkout, and any endpoint exposed to the internet.

Every request is scored for automation risk, evaluated against your access rules, and either passed through, challenged, or rejected outright. You decide the policy per endpoint, and the same risk score is returned to your backend so you can layer your own logic on top.


Why our API Protection stands out

Built around bot-aware verification, not generic rule packs.

Integrate without re-routing traffic

Add a verification call to your backend and you're protected — no DNS changes, no edge proxy, no architectural rewrites.

Stop credential stuffing and token replay

Catch automation against login, signup and password-reset endpoints before it reaches your authentication layer.

Tunable per endpoint

Apply tight policies to high-value endpoints (checkout, money movement) and lighter policies elsewhere — without changing your code.
Why Prosopo

The benefits of choosing Prosopo API Protection

Targets automated abuse

Built specifically to stop credential stuffing, scraping, account-takeover automation and other bot-driven API abuse — not a generic WAF.

Risk score on every request

Each verified request returns a 0–1 risk score your backend can use to drive its own decisions — flag, step-up, or block.

Access rules per endpoint

Block by IP, IP range, ASN, country, TLS fingerprint or user agent. Layer broad defaults with targeted overrides.

No DNS changes required

Integrate with a verification call from your backend. No traffic re-routing, no DNS migration, no edge-network setup.

Audit trail for every verification

Review individual verification outcomes by IP, fingerprint, geolocation and score — useful for investigations and tuning policy.

How Prosopo API Protection works

Most API abuse is automated. Credential stuffing, scraping, fake-signup pipelines, ticket-bot drops, content theft — they're all run from scripts hitting your endpoints in volume. A WAF catches the bad payload shapes; Prosopo catches the bad actor regardless of payload.

Your backend calls Prosopo to verify each protected request before acting on it. The verification returns:

  • A verified/not-verified result — pass or fail.
  • A risk score between 0 and 1, surfaced on paid tiers, that your code can use however you want.
  • A specific reason if the request was rejected — so you can show users an actionable message instead of a generic failure.

Where to deploy it

API Protection is most useful in front of endpoints where automation is expensive for you and rewarding for attackers:

Endpoint type                        What it stops
Login / authentication               Credential stuffing, brute force, password-spray attacks
Signup / registration                Fake-account creation, throwaway-email signups
Password reset                       Account-takeover reconnaissance
Checkout / payment                   Card-testing, inventory hoarding, ticket scalping
Search / catalogue                   Scraping of pricing, listings, or proprietary content
Comment / review submission          Spam and astroturfing
Anything triggering an email / SMS   Abuse that drives your messaging bills up

Deploy at the edge or in your backend

API Protection is a single HTTPS call to Prosopo's verification API, so it runs wherever your code runs. The same integration works at the CDN edge or in your origin servers:

  • AWS Lambda@Edge. Verify at the closest CloudFront PoP before the request reaches your origin, so bot traffic is dropped at the edge instead of consuming origin capacity. Note that CloudFront Functions cannot make network calls, so the verification request has to run in a Lambda@Edge trigger rather than in a CloudFront Function.
  • Cloudflare Workers. Add the verification check inside an existing Worker handling routing, auth or cache decisions — no separate hop and no traffic re-routing.
  • Fastly Compute@Edge and VCL. Verify in front of cached and uncached content at Fastly's edge. See the step-by-step Fastly CDN integration guide.
  • Direct backend integration. Call the verification endpoint straight from your application — Node, Go, Python, Java, Ruby, PHP, .NET, anywhere that can make an HTTPS POST. The simplest possible integration: one call to /siteverify before your business logic runs.

Built for low latency

The verification call is a single HTTPS request to globally-distributed endpoints. From an edge runtime (Lambda@Edge, Workers, Fastly) the round-trip is typically a handful of milliseconds, small enough to sit on the request path without users noticing. From an origin server it is still short enough to keep on the hot path of authentication, checkout and other latency-sensitive operations. Because the call is on the hot path, give it a hard timeout and decide per endpoint, before you ship, whether a timeout or verification error fails closed (reject) or fails open (allow); for login, checkout and money movement, failing closed is the safer default.

Verification at the edge has a second payoff: your origin only sees traffic that's already been scored. Bot load that used to hit your auth or checkout servers gets absorbed at the CDN, freeing origin capacity for real users.

What you get to control

Every protected endpoint can be tuned independently:

  • Bot-detection strictness via the Safety Threshold — tighter for checkout, looser for low-risk paths.
  • Access rules by IP, IP range, ASN, country, TLS fingerprint, user agent, or user ID. Useful for blocking specific hosting networks, applying tighter rules to high-risk regions, or whitelisting partner integrations.
  • Custom decision logic through Decision Machines — combine Prosopo's score with your own signals (account age, purchase value, device history) before deciding.
  • Hard auto-ban above a score threshold of your choice, so unambiguous abuse never gets a challenge.
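The verification call described under "Deploy at the edge or in your backend" and the per-endpoint controls listed above are two halves of one integration, so here is an added example of both together. It is written for this page and is not Prosopo's SDK or sample code. It assumes a verification URL (only the /siteverify path appears on this page, so the host is a placeholder), a JSON body of { secret, token }, response fields named verified, score and reason, a request header x-procaptcha-token carrying the client's token, and illustrative thresholds and custom signals; check each against the current /siteverify documentation. It also applies the latency caveat from the previous section, a hard timeout with a per-endpoint choice of failing open or closed, and swaps the real verification API for a constructed offline stand-in so the block runs as-is.

```javascript
// Added example, not Prosopo's SDK: a verification gate for protected endpoints.
// Assumed (not given on this page): the verification URL host, the JSON body
// { secret, token }, the response fields verified/score/reason, the header
// x-procaptcha-token carrying the client's token, and every threshold below.

// Per-endpoint policy. safetyThreshold: reject at or above. challengeAbove:
// step-up in [challengeAbove, safetyThreshold). autoBanAbove: hard ban.
// failOpen: what a timeout or verification error turns into.
const POLICIES = {
  "/api/login":    { safetyThreshold: 0.5, challengeAbove: 0.3, autoBanAbove: 0.9,  failOpen: false },
  "/api/checkout": { safetyThreshold: 0.4, challengeAbove: 0.2, autoBanAbove: 0.8,  failOpen: false },
  "/api/search":   { safetyThreshold: 0.8, challengeAbove: 0.6, autoBanAbove: 0.95, failOpen: true },
};
const DEFAULT_POLICY = { safetyThreshold: 0.7, challengeAbove: 0.5, autoBanAbove: 0.95, failOpen: false };
const policyFor = (path) => POLICIES[path] ?? DEFAULT_POLICY;

// One HTTPS POST to /siteverify with a hard timeout. Never throws: returns
// { ok: true, verified, score, reason } or { ok: false, error }.
async function verifyToken(token, { verifyUrl, secret, fetchImpl = globalThis.fetch, timeoutMs = 500 }) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    const res = await fetchImpl(verifyUrl, {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({ secret, token }), // assumed request shape
      signal: ctrl.signal,
    });
    if (!res.ok) return { ok: false, error: `http ${res.status}` };
    const data = await res.json();
    return {
      ok: true,
      verified: data.verified === true,
      score: typeof data.score === "number" ? data.score : null, // null: no score on this tier
      reason: data.reason ?? null,
    };
  } catch (err) {
    return { ok: false, error: err.name === "AbortError" ? "timeout" : String(err.message ?? err) };
  } finally {
    clearTimeout(timer);
  }
}

// Custom decision logic: fold your own signals into the score before the
// thresholds apply. Signal names and weights are illustrative.
function adjustScore(score, signals) {
  let s = score;
  if (signals.accountAgeDays !== undefined && signals.accountAgeDays < 1) s += 0.15; // brand-new account
  if (signals.orderValue !== undefined && signals.orderValue > 500) s += 0.1;        // high-value order
  if (signals.knownDevice === true) s -= 0.1;                                         // device seen before
  return Math.min(1, Math.max(0, s));
}

// Map a verification result plus policy to allow / challenge / reject / ban.
function decide(policy, result, signals = {}) {
  if (!result.ok) {
    const mode = policy.failOpen ? "open" : "closed";
    return { action: policy.failOpen ? "allow" : "reject", reason: `verification unavailable (${result.error}); policy fails ${mode}` };
  }
  if (!result.verified) return { action: "reject", reason: result.reason ?? "token not verified" };
  if (result.score === null) return { action: "allow", reason: "verified; no score on this tier" };
  const score = adjustScore(result.score, signals);
  if (score >= policy.autoBanAbove) return { action: "ban", score, reason: "above auto-ban threshold" };
  if (score >= policy.safetyThreshold) return { action: "reject", score, reason: "above safety threshold" };
  if (score >= policy.challengeAbove) return { action: "challenge", score, reason: "in step-up band" };
  return { action: "allow", score, reason: "below thresholds" };
}

// The gate: runs before business logic, from an edge function or the origin.
async function gate(req, signals, verifyOpts) {
  const token = req.headers["x-procaptcha-token"]; // assumed header name
  if (!token) return { action: "reject", reason: "missing verification token" };
  const result = await verifyToken(token, verifyOpts);
  return decide(policyFor(req.path), result, signals);
}

// Constructed stand-in for the verification API so this runs offline.
function makeFakeFetch(responses) {
  return (url, init) => new Promise((resolve, reject) => {
    const body = responses[JSON.parse(init.body).token];
    if (body === "hang") { // never answers; only the abort signal ends it
      init.signal.addEventListener("abort", () => { const e = new Error("aborted"); e.name = "AbortError"; reject(e); });
      return;
    }
    resolve({ ok: true, status: 200, json: async () => body });
  });
}
const FAKE_RESPONSES = { // constructed sample responses
  "tok-human": { verified: true, score: 0.05 },
  "tok-suspect": { verified: true, score: 0.45 },
  "tok-bot": { verified: true, score: 0.97 },
  "tok-replayed": { verified: false, reason: "token already used" },
  "tok-noscore": { verified: true },
  "tok-slow": "hang",
};
const VERIFY_OPTS = { verifyUrl: "https://example.invalid/siteverify", secret: "demo-secret",
                      fetchImpl: makeFakeFetch(FAKE_RESPONSES), timeoutMs: 20 };

async function demo() {
  const cases = [
    ["/api/login", "tok-human", {}], ["/api/login", "tok-suspect", {}],
    ["/api/login", "tok-suspect", { accountAgeDays: 0 }], ["/api/checkout", "tok-suspect", {}],
    ["/api/search", "tok-suspect", {}], ["/api/login", "tok-bot", {}], ["/api/login", "tok-replayed", {}],
    ["/api/login", "tok-noscore", {}], ["/api/login", "tok-slow", {}], ["/api/search", "tok-slow", {}],
  ];
  const out = [];
  for (const [path, token, signals] of cases) {
    const d = await gate({ path, headers: { "x-procaptcha-token": token } }, signals, VERIFY_OPTS);
    out.push({ path, token, action: d.action, reason: d.reason });
  }
  return out;
}
if (typeof require !== "undefined" && require.main === module) demo().then((r) => console.table(r));
```

The same 0.45 score is challenged on login, rejected on checkout and allowed on search, which is the per-endpoint tuning in practice; adding a "brand-new account" signal pushes it over the login threshold, which is the custom-logic case. The hang case shows why the fail-open choice has to be explicit: the same timeout rejects on login and allows on search.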

How Prosopo API Protection compares

Capabilities compared, for Prosopo API Protection against a traditional WAF and reCAPTCHA Enterprise (annotations from the table in parentheses):

  • Designed for automation detection (not payload inspection)
  • Risk score returned to your backend (paid tiers)
  • Access rules by ASN / TLS fingerprint (limited)
  • Per-endpoint policy (limited)
  • No DNS changes or traffic re-routing (varies)
  • Custom decision logic on the verification path (limited)
  • GDPR-compliant data handling (varies)

Request a Demo of Prosopo API Protection

Protect your API infrastructure with our industry-leading solution. Contact our sales team for a customized implementation plan.

Frequently Asked Questions

How does API Protection work?

Your backend calls Prosopo to verify each protected request. Prosopo scores the request for bot-likeness, applies any access rules you've configured (by IP, ASN, country, TLS fingerprint and so on), and returns a verified/not-verified result along with the risk score. Your backend then decides whether to fulfil the request, ask for additional verification, or reject it.

Do I need to re-route my API traffic through Prosopo?

No. Prosopo isn't a proxy: your traffic never routes through Prosopo, and there are no DNS changes and no edge-network setup. Your own code, at the origin or inside an edge function you already run, makes a verification call at the points you want to protect.

Does it work with any API style?

Yes. Because Prosopo verifies tokens rather than inspecting traffic, the same integration works for REST, GraphQL, gRPC and any other API style — your code just makes a verification call before fulfilling the protected operation.

Can I apply different rules to different endpoints?

Yes. Each site key can carry its own access rules and policy, and you can use separate site keys for endpoints with different risk profiles — for example tighter rules for checkout and login, lighter rules for read endpoints.

How is this different from a Web Application Firewall (WAF)?

A WAF mostly catches known attack signatures (SQL injection, XSS, OWASP categories). Prosopo focuses on the harder problem of telling humans from automation — the score is built from browser fingerprints, behaviour and network reputation, not pattern matching on payloads. The two are complementary; many of our customers run both.

More from Prosopo

What else can Prosopo protect for you?

No matter the threat, we have a solution to keep your business safe.

  • Access Control: dynamically generates rules to protect your website from bots and spam.
  • Risk Scoring: real-time analysis of user behaviour to identify potential threats.
  • Spam Bot Protection: blocks fake signups, throwaway emails and abusive networks before they reach your forms, without breaking the experience for real users.
  • Procaptcha (GDPR-compliant CAPTCHA): protects users, prevents bots and keeps you compliant, all while keeping it simple.
  • Invisible CAPTCHA: seamless bot protection without disrupting the user experience.