Fingerprinting is a core component of a Castle integration that enhances Castle’s ability to detect fraudulent and malicious abuse of in-application activity.
Step 1. Add Castle.js
Castle.js is Castle’s proprietary fingerprinting script. It is available to fetch from a global CDN, or it can also be installed via
There are two ways to add Castle.js to pages:
We recommend adding Castle.js as high in the
<head> tag of your page HTML as possible, because the script will start fingerprinting for bot behavior as soon as it loads. Using a tag manager is not recommended.
Adding Castle.js via CDN link
Step 2. Forward the request token
Once Castle.js is running on your web pages, you need to ensure that the
request_token value generated by Castle.js is passed to your application server where the Castle server-side SDK will be able to extract the
request_token value. This value gets assigned to the
request_token property in requests to Castle.
Sometimes you may want to recapture a request token after the html page loads - this is often relevant for pages with dynamic content or modal login forms. To send the most up-to-date request token on the page, recapture the
request_token and add it as a hidden field in your login form. Make sure your backend team is able to locate this value and set it as the
request_token in the backend events.
The Castle.js script sets the
_castle(...) method on the global
window object for the page. You can automatically populate include the proper hidden field named
castle_request_token by using castle form submit handler as in the example below
<form onsubmit="_castle('onFormSubmit', event)"> // .... </form>
or fetch the token and include it in the request by yourself