Sign up at
prynt.id and navigate to
API Keys in the dashboard. You'll get two keys:
# Public key — used in the client SDK (safe to expose) PRYNT_PUBLIC_KEY="pk_live_xxxxxxxxxxxxxxxxxxxxxxxx" # Secret key — used server-side only (NEVER expose in client code) PRYNT_SECRET_KEY="sk_live_xxxxxxxxxxxxxxxxxxxxxxxx"
⚠️
Keep your secret key safe. The secret key (sk_live_...) should only be used on your server. Never include it in client-side code, mobile apps, or version control.
Choose your platform and install the Prynt SDK. All SDKs follow the same identify → verify pattern.
# JavaScript / TypeScript npm install @prynt/sdk # Or, add via CDN (no build step) # <script src="https://cdn.prynt.io/v1/agent.js"></script> # iOS (Swift Package Manager) # Add: https://github.com/prynt-io/prynt-ios-sdk # Android (Gradle) # implementation("io.prynt:sdk:3.2.0") # Flutter # flutter pub add prynt_sdk # React Native # npm install @prynt/react-native
💡
Server-side SDK too. For Step 4, install the server library: npm install @prynt/node or pip install prynt or use the REST API directly.
Initialize the SDK with your public key and call identify(). This collects device signals, sends them to Prynt, and returns a visitor ID and request ID.
import { Prynt } from '@prynt/sdk';
// Initialize once — ideally on page load const prynt = new Prynt({ apiKey: 'pk_live_xxxxxxxxxxxxxxxxxxxxxxxx',
region: 'us', // 'us' | 'eu' | 'ap' endpoint: '/prynt', // optional: custom subdomain proxy });
// Identify the current visitor const result = await prynt.identify();
console.log(result.visitorId); // "pv_8kX2mNqR3jT7p"
console.log(result.requestId); // "req_1707832921_a7f2c9" // → Send requestId to your server for verification await fetch('/api/verify', { method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ requestId: result.requestId }),
});
📌
When to call identify(). Call on page load for analytics and bot detection. Call on specific events (login, registration, checkout) for fraud prevention. You can call it multiple times — each call generates a new requestId linked to the same visitorId.
Client-side response:
{ "visitorId": "pv_8kX2mNqR3jT7p",
"requestId": "req_1707832921_a7f2c9",
"confidence": 0.995,
"visitorFound": true }
Never trust client-side results alone. Send the requestId to your server, then use the Server API with your secret key to retrieve the full, verified identification result.
import { PryntServer } from '@prynt/node';
const prynt = new PryntServer({ secretKey: process.env.PRYNT_SECRET_KEY,
});
// Your API endpoint that receives the requestId from the client
app.post('/api/verify', async (req, res) => { const { requestId } = req.body;
// Retrieve the full identification result const event = await prynt.getEvent(requestId);
// Access all signals and verdict const { visitorId, confidence, signals, scores, verdict } = event;
// Make decisions based on signals if (signals.bot.detected) { return res.status(403).json({ error: 'Bot detected' });
} if (verdict === 'challenge') { return res.json({ action: 'require_mfa' });
} // All clear — proceed
res.json({ action: 'allow', visitorId });
});
🔒
Always verify server-side. Client results can be tampered with. The Server API returns cryptographically verified data using your secret key. This is the source of truth for all fraud decisions.
Or use the REST API directly:
curl https://api.prynt.io/v1/events/req_1707832921_a7f2c9 \
-H "Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json"
The Server API returns the full identification result: visitor ID, confidence, Smart Signals, ML scores, behavioral data, and — if you have rules configured — a verdict.
{ "requestId": "req_1707832921_a7f2c9",
"visitorId": "pv_8kX2mNqR3jT7p",
"visitorFound": true,
"confidence": 0.995,
"firstSeenAt": "2025-09-14T08:12:33Z",
"lastSeenAt": "2026-02-14T11:45:22Z",
"device": { "platform": "macOS",
"browser": "Chrome 121",
"gpu": "Apple M3 Pro",
"type": "desktop" },
// Smart Signals (available on all plans) "signals": { "bot": { "detected": false },
"vpn": { "detected": false },
"incognito": false,
"tampered": false,
"emulator": false },
// ML Scores (Pro plan and above) "scores": { "abuse": 0.03,
"ato": 0.01,
"bot": 0.02,
"suspect": 4 },
// Rules Engine Verdict (if rules configured) "verdict": "allow",
"policy": null // no rule matched → default allow }
Key fields to use in your app:
✓visitorId — Persistent device ID. Use to recognize returning visitors and link sessions.
✓confidence — How confident Prynt is in the match. Gate high-risk actions on 0.9+.
✓signals.bot — Is this a bot? Block registrations, logins, and payments from bots.
✓signals.vpn — Is this a VPN/proxy? Challenge logins from unexpected locations.
✓scores.suspect — Overall risk score (0-100). Higher = riskier. Use as a general gate.
✓verdict — Rules engine result: allow, challenge, or block.
🚀
That's it — you're live! Your app is now identifying visitors and receiving signals. From here, you can configure rules in the dashboard, enable webhooks, set up custom velocity metrics, and more.