Score Your Traffic in 5 Minutes

Three curl commands from zero to a bot-or-human verdict on real traffic. No SDK, no JavaScript challenge, no user friction. Built for ad-fraud, fake-signup, and account-abuse pipelines.

1. Get a free API key

100 scored sessions per month, no credit card.

bash# Free sandbox key — 100 evaluations/month
curl -X POST https://detectionlab.app/api/signup \
  -H "Content-Type: application/json" \
  -d '{"email": "you@company.com"}'

# Response:
{
  "api_key": "detlab_xxxxxxxxxxxxxxxxxxxxxxxx",
  "tier": "sandbox",
  "credits": 100,
  "rate_limit_per_minute": 10
}

Store the key server-side. It is shown once and never again (we keep only a SHA-256 hash).

2. Score a session

POST behavioral events — mouse moves, clicks, keystrokes, scrolls — and get a 0–100 score with a per-signal breakdown in under 50ms. The payload below is a minimal real example you can run right now:

bashcurl -X POST https://detectionlab.app/api/score \
  -H "Content-Type: application/json" \
  -H "X-API-Key: detlab_your_key_here" \
  -d '{
    "events": [
      {"type": "mousemove", "x": 102, "y": 340, "timestamp_ms": 1000},
      {"type": "mousemove", "x": 131, "y": 322, "timestamp_ms": 1016},
      {"type": "mousemove", "x": 178, "y": 301, "timestamp_ms": 1033},
      {"type": "mousemove", "x": 240, "y": 287, "timestamp_ms": 1049},
      {"type": "mousemove", "x": 310, "y": 280, "timestamp_ms": 1066},
      {"type": "click", "x": 312, "y": 281, "elem_center_x": 315,
       "elem_center_y": 283, "element_id": "signup-btn", "timestamp_ms": 1250},
      {"type": "keydown", "key": "j", "delay_ms": 0,   "timestamp_ms": 2100},
      {"type": "keydown", "key": "a", "delay_ms": 112, "timestamp_ms": 2212},
      {"type": "keydown", "key": "n", "delay_ms": 87,  "timestamp_ms": 2299},
      {"type": "keydown", "key": "e", "delay_ms": 134, "timestamp_ms": 2433},
      {"type": "scroll", "delta_y": 120, "pause_after_ms": 450, "timestamp_ms": 3000},
      {"type": "scroll", "delta_y": 96,  "pause_after_ms": 800, "timestamp_ms": 3600}
    ]
  }'

response{
  "overall_score": 87.3,
  "verdict": "PASS",
  "signals": {
    "mouse_curvature":  { "score": 91.2, "weight": 0.15 },
    "keystroke_timing": { "score": 84.7, "weight": 0.15 },
    "scroll_behavior":  { "score": 88.0, "weight": 0.10 }
    // ... full breakdown across 34 signals
  },
  "_meta": { "credits_remaining": 99, "rate_limit": 10 }
}

Tip: add the header X-Ephemeral: true while integrating — requests are scored but don't consume credits or write usage logs.

3. Act on the verdict

Score	Verdict	Typical action
70–100	PASS	Human-like — allow, count as billable/valid traffic
40–70	REVIEW	Ambiguous — step-up verification, hold attribution, sample for manual review
0–40	FAIL	Automation — block, discard from campaign metrics, flag the account

Unlike opaque risk scores, every verdict ships with the full per-signal breakdown — so you can audit why a session failed, tune thresholds per traffic source, and defend chargeback or refund decisions with evidence.

4. Wire it into your traffic

Collect events in the browser, batch them, and score server-side (keep your API key off the client):

html<!-- 1. Collect events on your page -->
<script>
  var dl = { events: [], t0: Date.now() };
  document.addEventListener('mousemove', function (e) {
    dl.events.push({ type: 'mousemove', x: e.clientX, y: e.clientY,
                     timestamp_ms: Date.now() - dl.t0 });
  });
  document.addEventListener('click', function (e) {
    var r = e.target.getBoundingClientRect();
    dl.events.push({ type: 'click', x: e.clientX, y: e.clientY,
                     elem_center_x: r.left + r.width / 2,
                     elem_center_y: r.top + r.height / 2,
                     element_id: e.target.id || e.target.tagName,
                     timestamp_ms: Date.now() - dl.t0 });
  });
  // keydown + scroll listeners follow the same pattern…

  // 2. On form submit (or every N seconds), send to YOUR backend
  function flush() {
    navigator.sendBeacon('/internal/score-session',
                         JSON.stringify({ events: dl.events }));
  }
</script>

your backend# 3. Your backend forwards the bundle with the secret key
curl -X POST https://detectionlab.app/api/score \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $DETECTION_LAB_KEY" \
  -d "$EVENT_BUNDLE"

Scoring is stateless — you can also batch-score historical sessions from your data warehouse: replay each session's events through /api/score and join the verdicts back onto your traffic table. That's how most adtech teams run their first audit.

5. Bot verification (the other direction)

Running agents that should be trusted? POST /api/verify-bot proves an entity is a bot and issues a signed JWT trust token for downstream services. Same key, same event format. See the full API reference.

Production limits

Sandbox — free, 100 credits/mo, 10 req/min
Pro — $29/mo, 10,000 credits, 100 req/min
Scale — $99/mo, 100,000 credits, 500 req/min
Enterprise — custom volume, SLA, on-prem scoring: talk to us

One credit = one scored session. Rate-limit state is returned on every response via X-RateLimit-* headers.

Score your traffic free → Full API reference Pricing OpenAPI spec