Skip to main content
When you identify browsers or devices with Fingerprint, you get back the visitor_id value.
You can use this value in your business logic to find suspicious activity or for marketing analytics.
By default, this value is sent back to your browser or device where you can read it and do something with it, e.g. send it to your server for storage and analysis.
This works fine in most cases, but sometimes you want to not receive the visitorId value from Fingerprint back to your devices. In security-critical applications, you want to hide that value and only read it on the server with your secret API key.
Instead, you get back a random event_id value that you can use later to read the actual visitor_id server-side.
This mode of running the identification and not sending the visitor_id back to the client device is called Zero Trust Mode. The Fingerprint API supports Zero Trust Mode to make it very difficult to send malicious identification requests that impersonate other visitors.
Zero Trust Mode is implemented internally by identification result hiding and strict origin-checking features.

Identification Result Hiding

Zero Trust Mode requires this feature to avoid sending the identification results to end-user browsers. When enabled, the visitor_id field will not be sent to the end-user browser. The event_id field will still be returned to get the full results later using our Server API.
Importantly, when Zero Trust Mode is enabled, you will still get full results through the webhook. In addition to the event_id, the JavaScript agent response will include a new field called zero_trust that will list all the fields that were hidden: 
{
  "event_id": "...",
  "zero_trust": {
    "hidden_fields": ["visitor_id"],
    "comment": "The result was hidden because of the subscription configuration."
  }
}
Likewise, the iOS and Android client agents will not receive the visitor_id directly, only a event_id and other metadata.

Strict Origin Checking

In all modern browsers, the Origin header is automatically included in all cross-origin requests.
Websites cannot spoof this header. However, some signals collected by the JavaScript agent can be spoofed. When Zero Trust Mode is enabled, the strict origin-checking feature detects inconsistencies between the data collected by the JavaScript agent and the request headers that cannot be spoofed by the browser. These headers are the Origin and the Referer. Identification requests with inconsistencies are rejected by the server. This ensures that the url and client_referrer values can’t be spoofed. That is important because url and client_referrer are exposed in our Server API and Webhook responses. You can use Zero Trust Mode with the request filtering feature for additional security. This mode is only available for the Enterprise plan. It can be enabled on a per-workspace level.
If you would like to try this mode or learn more, please contact our support team.