Web SDK — 600+ signals, every fingerprint surface, plus AI agents.

Everything a modern web fingerprint library does, delivered as a ~65 KB on-device module. No backend, no per-event fees, and the only one that names AI agents on sight.

At a glance

Drop in. Get a report. Decide.

  • ~65 KB gzipped core; signal modules lazy-loaded on demand.
  • ESM, CJS, UMD. <script> tag or npm i @burein/web.
  • Works in iframes, cross-origin under postMessage relay.
  • Optional WebAssembly module for canvas / WebGL / audio entropy.
  • Deterministic, signed BureinReport. JSON / CBOR / protobuf.
  • Time-to-first-usable-report < 250 ms cold. Full 1000-signal report < 1.2 s.
web.ts
// 3-line integration. No backend required from us.
import { Burein } from "@burein/web";

const burein = await Burein.init({
  publicKey: process.env.BUREIN_REPORT_PUBKEY,
  riskProfile: { domain: "banking", sensitivity: "high" }
});

const report = await burein.collect();
await fetch("/risk/ingest", {
  method: "POST",
  headers: { "content-type": "application/cbor" },
  body: report.toCBOR()
});
Signal categories

600+ signals across 12 categories.

A representative slice — see the full signal catalog for the complete enumeration.

Hardware & platform 45

CPU class, hardware concurrency, deviceMemory, GPU, screens, sensors.

  • WebGL extensions & parameters (~70)
  • WebGPU adapter info
  • Touch points, pointer types
  • Battery, Bluetooth, USB, HID, gamepad

OS & locale 28

Platform string, UA Client Hints (full set), timezone, locale.

  • Full UA-CH brands, model, formFactor
  • navigator.languages ordering
  • Intl date/number format inference

Browser & APIs 110

UA, vendor, plugins, MIME types, ~200 API feature presence vector.

  • Permissions matrix (~30 perms × 4 states)
  • JS engine quirks fingerprint
  • CSS feature support matrix

Rendering fingerprints 60

Canvas, WebGL, Audio, video/audio codec capabilities.

  • Canvas noise/randomizer detection
  • OfflineAudioContext signature
  • Media Capabilities API responses

Fonts & text 35

JSFontList enumeration, Local Font Access API where granted.

  • ~300 fonts via measurement
  • Emoji rendering fingerprint
  • Speech synthesis voices

Storage 18

localStorage, sessionStorage, IndexedDB, Cache API, quotas.

  • 1st & 3rd party cookie write tests
  • StorageManager.estimate
  • Persistent storage permission

Network 22

connection.effectiveType, WebRTC ICE, RTT inference, SW state.

  • WebRTC local IPs (mDNS-respectful)
  • HTTP/2 vs HTTP/3 inference
  • CORS preflight fingerprint

Permissions 40

Full state matrix for every Permissions API surface.

  • geolocation / notifications / camera / mic
  • clipboard-read / clipboard-write
  • persistent-storage

Behavioral 95

Mouse, keyboard, scroll, touch, focus, form-fill entropy.

  • Keystroke dynamics (dwell, flight)
  • Mouse curvature distribution
  • Idle / tab focus cadence

Privacy & anti-detect 55

Tor, Brave, Mullvad, Multilogin, Kameleo, Dolphin, AdsPower.

  • Canvas/audio randomizer detection
  • UA / timezone / language inconsistency
  • Headless Chrome ~40 known tells

Agentic & automation 90

Playwright, Puppeteer, Selenium, CDP, browser-use, Computer Use, Operator.

  • Vision-loop cadence detection
  • Token-boundary typing signature
  • Kinematic implausibility

Inconsistency cross-checks 22

Claim vs. reality. The strongest anti-spoof signals come from disagreement.

  • Claimed UA vs platform tells
  • Timezone vs IP geo
  • Screen size vs window
Performance

Built for the critical path.

≤ 65 KBgzipped core
< 250 mstime to first report (cold)
< 1.2 sfull 1,000-signal report
< 8% CPUpeak during collection (mid-tier)
< 18 MBRSS during collection
0%background CPU when idle

Want to go deeper?

Talk to us about your fraud and integrity goals — we'll show you the signals that matter for your stack.

Talk to us See the platform