FingerprintJS
FingerprintJS is a browser fingerprinting library that queries browser attributes and computes a hashed visitor identifier from them.
Websites Using FingerprintJS
No websites detected yet. Analyze a website to contribute data.
What Is FingerprintJS?
FingerprintJS is a JavaScript library for browser fingerprinting, a technique that identifies and re-recognizes a visitor's device by collecting a combination of signals from their browser and hardware. Rather than relying solely on cookies, which users can clear and browsers increasingly restrict, FingerprintJS derives a stable identifier from attributes like the browser's rendering behavior, installed fonts, screen characteristics, and dozens of other properties. It is widely used for fraud prevention, bot detection, and identifying returning users even when traditional tracking methods are unavailable.
FingerprintJS is a client-side library that runs in the browser, not a server platform or a browser extension. A developer adds the library to a web page, it gathers signals from the visitor's environment, and it computes an identifier, either entirely in the browser with the open-source version or in combination with a hosted API in the commercial Fingerprint Pro product. Because some part of the process always executes in the page, FingerprintJS leaves recognizable traces in a site's JavaScript and network activity that can be detected from the outside.
It is important to distinguish the two main flavors of the project. The original, open-source library, historically branded FingerprintJS and now often referred to as the community or open-source edition, runs purely in the browser and produces a fingerprint hash from locally gathered attributes. The commercial product, Fingerprint Pro (from the company Fingerprint, formerly FingerprintJS, Inc.), augments that with a server-side API and additional signals to deliver much higher accuracy and stability, along with features like bot detection and incognito-mode detection. When people say a site "uses FingerprintJS," they may mean either the free in-browser library or the paid Pro service, and the detection signals differ slightly between them.
FingerprintJS is widely recognized as one of the most prominent device-identification solutions available to developers. It addresses a real and growing problem: as browsers phase out third-party cookies and tighten privacy controls, businesses that need to recognize devices for security reasons, stopping account takeovers, detecting payment fraud, blocking bots, can no longer depend on cookies alone. Device fingerprinting offers a cookieless way to assign a probabilistic identity to a visitor, which is why the library appears frequently on login pages, checkout flows, and signup forms across the web.
Because fingerprinting touches on privacy, it is worth being clear about the boundary. FingerprintJS is a tool for identifying devices; how an organization uses that capability, and whether it does so transparently and in compliance with privacy laws, is a separate matter of policy and consent. The library itself is a technical mechanism, and detecting its presence on a site simply tells you the site is performing some form of device identification, not how that information is ultimately used.
How FingerprintJS Works
FingerprintJS works by collecting a broad set of attributes from the browser and combining them into a single identifier. The signals it gathers can include the user agent and platform, screen resolution and color depth, time zone, installed fonts, language settings, hardware concurrency, available memory hints, audio-processing characteristics, and the results of canvas and WebGL rendering tests. Each of these contributes entropy, that is, distinguishing information, and the combination of many low-entropy signals can produce a surprisingly unique profile of a device.
Two of the most powerful and well-known techniques are canvas fingerprinting and WebGL fingerprinting. In canvas fingerprinting, the library asks the browser to draw text and shapes onto an off-screen canvas element and then reads back the rendered pixels. Subtle differences in graphics hardware, drivers, operating system, and font rendering cause the output to vary slightly between devices, and that variation becomes part of the fingerprint. WebGL fingerprinting applies the same idea to 3D rendering, extracting details about the graphics stack. Audio fingerprinting similarly measures tiny differences in how the device's audio pipeline processes a generated signal.
In the open-source edition, all of this happens in the browser. The library runs its collection routines, hashes the combined signals, and returns a visitor identifier that the page can send to its own back end or use directly. The accuracy is good but limited, because browsers that look identical, for example two clean installs of the same browser on the same hardware, can produce the same fingerprint, and the identifier can drift over time as the browser updates.
The commercial Fingerprint Pro product adds a server-side component. The browser still collects signals, but they are sent to Fingerprint's API, which applies additional server-side signals, machine learning, and historical matching to return a far more stable and accurate visitor identifier. Pro also exposes "smart signals" such as bot detection, VPN and proxy detection, incognito-mode detection, and tampering detection. This hybrid client-plus-server architecture is what allows Pro to achieve much higher identification accuracy than any purely in-browser approach.
When integrated, the typical flow is straightforward. The site loads the FingerprintJS agent script, often asynchronously, and calls its load() function to initialize the library. It then calls a get() method, which runs the collection process and resolves with a visitor identifier and, in Pro, a set of associated signals. The site uses that identifier for its security or analytics logic, comparing it against known good or bad devices, gating risky actions, or enriching a user record. The Pro agent communicates with Fingerprint's endpoints during this process, which is one of the network signals that reveals its presence.
It is worth emphasizing that fingerprinting is probabilistic rather than absolute. Unlike a cookie, which stores an exact identifier, a fingerprint infers identity from observed characteristics, so there is always some chance of two different devices colliding or one device changing enough to look new. The commercial product invests heavily in reducing that uncertainty through server-side matching, while the open-source library accepts a higher error rate in exchange for running entirely in the browser with no external dependency. Understanding this distinction explains both why organizations pay for the hosted version and why the two editions leave different network footprints.
How to Tell if a Website Uses FingerprintJS
FingerprintJS leaves several detectable signals, though they require a bit more care to read than a typical UI library because the code is often loaded asynchronously and sometimes through a customer's own subdomain. StackOptic inspects these from the server side, and you can verify them with browser tools and network analysis. As always, combining signals yields the most reliable conclusion.
Script filenames and package paths. The most direct signal is a request for the FingerprintJS agent. Look for script URLs containing fingerprintjs, @fingerprintjs/fingerprintjs, or @fingerprintjs/fingerprintjs-pro, often loaded from a CDN such as jsDelivr, unpkg, or cdnjs. These package names are distinctive.
Network requests to Fingerprint endpoints. The commercial Pro agent communicates with Fingerprint's API. In the DevTools Network tab you may see requests to api.fpjs.io, *.fpjs.io, or a customer-configured subdomain that proxies to Fingerprint. These API calls are a strong indicator of Fingerprint Pro specifically.
JavaScript globals and method calls. When loaded, the library is typically referenced through a FingerprintJS object with a load() method, or via an imported module. Searching the page's scripts for FingerprintJS.load or fpjsClient style calls can reveal the integration, and in some setups the global is accessible in the DevTools Console.
Canvas and WebGL probing behavior. Fingerprinting libraries draw to off-screen canvas and WebGL contexts to read back rendering. While this behavior is shared by several fingerprinting tools and is not unique to FingerprintJS, observing canvas read-back operations (for example via privacy extensions that warn about canvas access) alongside the script signals reinforces the conclusion.
Subresource hints and bundled code. On sites that bundle their JavaScript, the FingerprintJS package name may not appear as a separate file. In those cases, searching the bundled source for distinctive strings, or watching for the characteristic network calls of the Pro agent, is the more reliable route.
Here is how to check each signal yourself:
| Method | What to do | What FingerprintJS reveals |
|---|---|---|
| View Source | "View Page Source" and search for "fingerprint" | <script> references to the FingerprintJS agent or package |
| DevTools (Network) | Reload with the Network tab open; filter for "fpjs" or "fingerprint" | Agent script downloads and Pro API calls to *.fpjs.io |
| DevTools (Console) | Type FingerprintJS and press Enter | A defined object indicates the library is loaded in the page scope |
| DevTools (Sources) | Search loaded scripts for FingerprintJS.load or fpjs | Integration code, even within larger bundles |
| curl | Run curl -s https://example.com | grep -i fingerprint | Matches on agent script references in the static HTML |
| Wappalyzer | Run the extension on the live page | Often identifies "FingerprintJS" under security or analytics |
A quick command-line starting point is curl -s https://example.com | grep -io "fingerprintjs" | head. Because the agent is frequently loaded dynamically, the absence of a match in the static HTML does not rule it out, so pair the source scan with a look at the Network tab. For broader methodology, see our guides on how to find out what technology a website uses and how to check what JavaScript libraries a website uses.
A few practical notes help interpret these signals. Fingerprint Pro customers can route the agent and API traffic through their own subdomain (a technique sometimes used to improve reliability and avoid ad blockers), which means the obvious fpjs.io hostname may be replaced by a first-party domain. In that case, the request paths and payload patterns still resemble the Pro agent even though the hostname is custom, so analysts look at the shape of the traffic rather than the hostname alone. The open-source edition, by contrast, makes no external API calls at all, so it is identified purely by the presence of its script and globals. Observing the network behavior is also informative for security research, because it shows what data leaves the browser; for background on reading delivered headers and responses, see how to read a website's HTTP headers.
Key Features
- Cookieless device identification. Generates a visitor identifier from browser and hardware signals, working even when cookies are cleared or blocked.
- Broad signal collection. Combines canvas, WebGL, audio, fonts, screen, time zone, and many other attributes for entropy.
- Open-source and commercial editions. A free in-browser library and a hosted Pro service with server-side matching for far higher accuracy.
- Smart signals (Pro). Bot detection, VPN and proxy detection, incognito-mode detection, and tampering detection beyond a basic fingerprint.
- Stable identifiers (Pro). Server-side machine learning and historical matching reduce drift and collisions for reliable re-identification.
- Simple integration API. A
load()andget()pattern returns the visitor identifier and associated signals to the application. - Cross-browser coverage. Designed to work across modern browsers and devices, including mobile.
Pros and Cons
Pros
- Recognizes returning and suspicious devices without relying on cookies, which are increasingly restricted.
- The Pro service offers high identification accuracy suitable for fraud and security use cases.
- An open-source edition lets developers experiment and run fingerprinting entirely client-side at no cost.
- Useful security signals (bots, proxies, incognito) extend it well beyond simple identification.
Cons
- Fingerprinting raises privacy considerations and may require disclosure and consent depending on jurisdiction and use.
- The open-source edition's accuracy is limited and identifiers can drift, making it unsuitable for high-stakes decisions alone.
- The Pro product is a paid commercial service, with cost scaling by API usage.
- Some browsers and privacy tools actively resist fingerprinting, which can reduce reliability.
FingerprintJS vs Alternatives
FingerprintJS competes with other device-identification and fraud-prevention solutions. The table below clarifies where it fits.
| Solution | Type | Strength | Notes |
|---|---|---|---|
| FingerprintJS (open source) | In-browser library | Free, runs client-side | Lower accuracy; identifiers can drift |
| Fingerprint Pro | Hosted device-ID service | High-accuracy identification plus smart signals | Commercial; client-plus-server architecture |
| ClientJS | In-browser library | Lightweight fingerprinting | Simpler and less actively positioned for fraud |
| Castle / Sift / similar | Fraud-detection platforms | Full risk-scoring suites | Broader than fingerprinting; service-based |
| Cookie-based tracking | Storage-based | Exact identifier when allowed | Defeated by cookie clearing and blocking |
If you find a site is identifying devices but not via FingerprintJS, the same network-and-script inspection identifies the actual tool. Fingerprinting also frequently appears alongside general-purpose utility libraries like Lodash in a site's bundled JavaScript, and because it often sits next to analytics, our guide on how to find out what analytics a website uses is a useful companion for mapping a site's full measurement and identification stack.
Use Cases
FingerprintJS is most commonly deployed for fraud prevention and account security. On login pages it helps detect account takeover attempts by recognizing when a familiar account is suddenly accessed from an unfamiliar device. In checkout and payment flows it supports fraud scoring by flagging devices associated with prior chargebacks or suspicious behavior. On signup forms it helps catch users creating many fake accounts from a single device to abuse free trials, promotions, or referral programs.
Beyond security, the library is used for bot and automation detection, distinguishing real human visitors from scripted traffic that fakes user agents and cookies. Subscription and paywall businesses use it to enforce limits and detect credential sharing. Some analytics and personalization systems use device identification to recognize returning visitors across sessions when cookies are unavailable, though privacy-conscious teams approach this carefully and with appropriate disclosure.
Consider a few concrete scenarios. A fintech application might run Fingerprint Pro on its login and transfer screens, using the stable device identifier and bot signal to require step-up authentication when a high-value action originates from a new or suspicious device. An ecommerce platform might use fingerprinting at checkout to block orders from devices linked to fraud rings, reducing chargebacks. A SaaS company offering a free trial might use device identification at signup to prevent a single user from spinning up dozens of trial accounts. In each case the goal is to assign a durable identity to a device in order to make a security or abuse-prevention decision.
From a technology-research perspective, detecting FingerprintJS, and especially Fingerprint Pro, is a meaningful signal. It indicates an organization that takes fraud, security, or abuse prevention seriously, which often correlates with fintech, ecommerce, marketplaces, gaming, and other high-risk sectors. For vendors selling security, identity, or anti-fraud products, that is a valuable qualifying signal; for analysts profiling a company's stack, it reveals investment in risk infrastructure. Surfacing that signal across many domains at once is exactly the kind of insight a technology-detection scan provides; for the broader sales angle, see what is technographics: using tech-stack data to qualify leads.
Frequently Asked Questions
Is FingerprintJS free?
There are two editions. The open-source FingerprintJS library is free and runs entirely in the browser, producing a fingerprint from locally gathered signals; its accuracy is limited and identifiers can drift over time. Fingerprint Pro is a paid commercial service that adds a server-side API, machine-learning matching, and extra security signals to deliver much higher accuracy. Whether a given site uses the free or paid version affects which detection signals you will see.
How accurate is browser fingerprinting?
It is probabilistic, not exact. The open-source library combines many browser and hardware signals to produce a reasonably distinctive identifier, but two similar devices can collide and a single device's fingerprint can change as its browser updates. The commercial Pro product significantly improves accuracy by adding server-side signals and historical matching, which is why organizations needing dependable identification for fraud prevention typically choose the hosted service.
Is using FingerprintJS legal and private?
The library is a technical tool; the legality and privacy implications depend on how an organization uses it and the laws that apply to them, such as regional privacy and consent regulations. Fingerprinting can be used for legitimate, security-focused purposes like fraud prevention, and responsible operators disclose their practices and honor applicable consent requirements. Detecting the library on a site tells you device identification is happening, not how the resulting data is handled.
How do I tell the open-source version from Fingerprint Pro?
Watch the network activity. The open-source edition runs entirely in the browser and makes no calls to Fingerprint's servers, so you will see only the agent script. Fingerprint Pro sends signals to Fingerprint's API, so the Network tab typically shows requests to *.fpjs.io or to a customer subdomain that proxies the Pro agent. The presence of those API calls is the clearest way to identify the commercial product.
Can fingerprinting be blocked?
To a degree. Some browsers include anti-fingerprinting protections, and privacy extensions can warn about or interfere with canvas and WebGL read-back, which fingerprinting relies on. These measures reduce reliability but rarely eliminate identification entirely, which is part of why the commercial product invests in server-side matching to compensate. From a detection standpoint, even when a fingerprint is degraded, the agent script and network calls usually remain visible.
Want to detect FingerprintJS and the full stack behind any site in seconds? Try StackOptic at https://stackoptic.com.
Alternatives to FingerprintJS
Compare FingerprintJS
Analyze a Website
Check if any website uses FingerprintJS and discover its full technology stack.
Analyze Now