API Protection

Prosopo's API Protection puts a bot-aware verification step in front of the API endpoints attackers actually target — login, signup, password reset, checkout, and any endpoint exposed to the internet.

Every request is scored for automation risk, evaluated against your access rules, and either passed through, challenged, or rejected outright. You decide the policy per endpoint, and the same risk score is returned to your backend so you can layer your own logic on top.

Why our API Protection stands out

Built around bot-aware verification, not generic rule packs.

Integrate without re-routing traffic

Add a verification call to your backend and you're protected — no DNS changes, no edge proxy, no architectural rewrites.

Stop credential stuffing and token replay

Catch automation against login, signup and password-reset endpoints before it reaches your authentication layer.

Tunable per endpoint

Apply tight policies to high-value endpoints (checkout, money movement) and lighter policies elsewhere — without changing your code.

The benefits of choosing Prosopo API Protection

Targets automated abuse

Built specifically to stop credential stuffing, scraping, account-takeover automation and other bot-driven API abuse — not a generic WAF.

Risk score on every request

Each verified request returns a 0–1 risk score your backend can use to drive its own decisions — flag, step-up, or block.

Access rules per endpoint

Block by IP, IP range, ASN, country, TLS fingerprint or user agent. Layer broad defaults with targeted overrides.

No DNS changes required

Integrate with a verification call from your backend. No traffic re-routing, no DNS migration, no edge-network setup.

Audit trail for every verification

Review individual verification outcomes by IP, fingerprint, geolocation and score — useful for investigations and tuning policy.

How Prosopo API Protection works

Most API abuse is automated. Credential stuffing, scraping, fake-signup pipelines, ticket-bot drops, content theft — they're all run from scripts hitting your endpoints in volume. A WAF catches the bad payload shapes; Prosopo catches the bad actor regardless of payload.

Your backend calls Prosopo to verify each protected request before acting on it. The verification returns:

  • A verified/not-verified result — pass or fail.
  • A risk score between 0 and 1, surfaced on paid tiers, that your code can use however you want.
  • A specific reason if the request was rejected — so you can show users an actionable message instead of a generic failure.

Where to deploy it

API Protection is most useful in front of endpoints where automation is expensive for you and rewarding for attackers:

Endpoint type | What it stops
Login / authentication | Credential stuffing, brute force, password-spray attacks
Signup / registration | Fake-account creation, throwaway-email signups
Password reset | Account-takeover reconnaissance
Checkout / payment | Card-testing, inventory hoarding, ticket scalping
Search / catalogue | Scraping of pricing, listings, or proprietary content
Comment / review submission | Spam and astroturfing
Anything triggering an email / SMS | Abuse that drives your messaging bills up

What you get to control

Every protected endpoint can be tuned independently:

  • Bot-detection strictness via the Safety Threshold — tighter for checkout, looser for low-risk paths.
  • Access rules by IP, IP range, ASN, country, TLS fingerprint, user agent, or user ID. Useful for blocking specific hosting networks, applying tighter rules to high-risk regions, or whitelisting partner integrations.
  • Custom decision logic through Decision Machines — combine Prosopo's score with your own signals (account age, purchase value, device history) before deciding.
  • Hard auto-ban above a score threshold of your choice, so unambiguous abuse never gets a challenge.
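
The following is an added example, not Prosopo's code or documented API: a backend-side decision function that layers per-endpoint thresholds and your own signals on top of a verification result of the kind described above (pass/fail, 0–1 risk score, rejection reason). The field names `verified`, `score` and `reason`, the signal names, and every threshold value are assumptions chosen for illustration.

```javascript
// Added example: backend policy layered on a verification result.
// Field names (verified, score, reason) and all thresholds are assumptions,
// not Prosopo's documented response schema.
const POLICIES = {
  checkout: { stepUpAt: 0.3, rejectAt: 0.6 }, // tight: high-value endpoint
  login:    { stepUpAt: 0.4, rejectAt: 0.7 },
  search:   { stepUpAt: 0.7, rejectAt: 0.9 }, // lighter: read endpoint
};
// Unknown endpoints get the strictest policy rather than no policy.
const DEFAULT_POLICY = { stepUpAt: 0.3, rejectAt: 0.6 };

function decide(endpoint, result, signals = {}) {
  // Own-property lookup: names such as "__proto__" must not resolve to a policy.
  const policy = Object.prototype.hasOwnProperty.call(POLICIES, endpoint)
    ? POLICIES[endpoint] : DEFAULT_POLICY;

  // Fail closed: a missing or malformed result is never treated as a pass.
  if (!result || typeof result !== "object" || result.verified !== true) {
    const reason = result && typeof result.reason === "string"
      ? result.reason : "verification_unavailable";
    return { action: "reject", reason };
  }

  // The score may be absent (surfaced on paid tiers); then rely on pass/fail only.
  if (result.score === undefined) return { action: "allow", reason: "verified_no_score" };
  const score = result.score;
  if (typeof score !== "number" || !Number.isFinite(score) || score < 0 || score > 1) {
    return { action: "reject", reason: "invalid_score" };
  }

  // Your own signals can only tighten the step-up threshold, never loosen it.
  let stepUpAt = policy.stepUpAt;
  if (signals.accountAgeDays !== undefined && signals.accountAgeDays < 1) stepUpAt -= 0.1;
  if (signals.purchaseValue !== undefined && signals.purchaseValue > 500) stepUpAt -= 0.1;

  if (score >= policy.rejectAt) return { action: "reject", reason: "score_above_reject_threshold" };
  if (score >= stepUpAt) return { action: "step_up", reason: "score_above_step_up_threshold" };
  return { action: "allow", reason: "ok" };
}
```

The same score of 0.45 is allowed on `search` but triggers step-up on `checkout`, and a failed or missing verification is rejected before any score is read.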

How Prosopo API Protection compares

Prosopo API Protection | Traditional WAF | reCAPTCHA Enterprise
Designed for automation detection (not payload inspection)
Risk score returned to your backend: ✓ (paid tiers)
Access rules by ASN / TLS fingerprint: Limited
Per-endpoint policy: Limited
No DNS changes or traffic re-routing: Varies
Custom decision logic on the verification path: Limited
GDPR-compliant data handling: Varies

Request a Demo of Prosopo API Protection

Protect your API infrastructure with our industry-leading solution. Contact our sales team for a customized implementation plan.

Trusted by companies of all sizes

  • 1000+ active websites
  • 1B+ monthly secure verifications
  • 100M+ bots stopped per month

Frequently Asked Questions

How does API Protection work?

Your backend calls Prosopo to verify each protected request. Prosopo scores the request for bot-likeness, applies any access rules you've configured (by IP, ASN, country, TLS fingerprint and so on), and returns a verified/not-verified result along with the risk score. Your backend then decides whether to fulfil the request, ask for additional verification, or reject it.

Do I need to re-route my API traffic through Prosopo?

No. Prosopo isn't a proxy and doesn't sit in your request path. You add a verification call to your backend at the points you want to protect. There are no DNS changes and no edge-network setup.

Does it work with any API style?

Yes. Because Prosopo verifies tokens rather than inspecting traffic, the same integration works for REST, GraphQL, gRPC and any other API style — your code just makes a verification call before fulfilling the protected operation.

Can I apply different rules to different endpoints?

Yes. Each site key can carry its own access rules and policy, and you can use separate site keys for endpoints with different risk profiles — for example tighter rules for checkout and login, lighter rules for read endpoints.

How is this different from a Web Application Firewall (WAF)?

A WAF mostly catches known attack signatures (SQL injection, XSS, OWASP categories). Prosopo focuses on the harder problem of telling humans from automation — the score is built from browser fingerprints, behaviour and network reputation, not pattern matching on payloads. The two are complementary; many of our customers run both.

What else can Prosopo protect for you?

No matter the threat, we have a solution to keep your business safe.

Access Control
Prosopo's Access Control dynamically generates rules to protect your website from bots and spam.

API Protection
Stop automated abuse of your API endpoints with Prosopo's bot-aware verification and access control.

Procaptcha - GDPR Compliant CAPTCHA
With Prosopo's GDPR friendly captcha, enjoy seamless website security. Protect users, prevent bots, and stay compliant - all while keeping it simple.

Invisible CAPTCHA
Prosopo's Invisible CAPTCHA provides seamless bot protection without disrupting the user experience.

Risk Scoring
Prosopo's Risk Scoring provides real-time analysis of user behavior to identify potential threats.

Spam Filter
Prosopo's Spam Filter blocks fake signups, throwaway emails, and abusive networks before they reach your forms.