Question 1

What is Foil and how does it work?

Accepted Answer

Foil is a device intelligence platform that tells you exactly who and what is visiting your site or mobile app. It works by embedding a lightweight SDK into your web, iOS, or Android application that live-streams 350+ device, network, and behavioral signals to the Foil scoring API. These signals are analyzed server-side in real time to produce risk scores, device classifications, and AI agent identifications, all without adding any user-facing friction like CAPTCHAs or challenges.

Question 2

How does Foil detect AI agents and bots?

Accepted Answer

Foil identifies AI agents and bots by combining multiple layers of detection that can't be spoofed from JavaScript alone. This includes TLS fingerprinting, hardware signal verification, network forensics, and behavioral analysis such as mouse movement patterns, touch events, and scroll behavior. Foil maintains a taxonomy of hundreds of known AI agents, crawlers, and bot types, each classified and named, so you get specific identification rather than a generic bot/not-bot score.

Question 3

How is Foil different from CAPTCHAs and reCAPTCHA?

Accepted Answer

CAPTCHAs add friction to the user experience by requiring visitors to solve puzzles or click checkboxes, and sophisticated bots can often bypass them. Foil works entirely behind the scenes with zero user-facing friction. It collects device and behavioral signals passively, scores them server-side, and gives you a detailed risk assessment, including the specific type of bot or AI agent, without ever interrupting the user. This means legitimate users have a seamless experience while you get far more detailed intelligence about suspicious visitors.

Question 4

What platforms and SDKs does Foil support?

Accepted Answer

Foil provides native SDKs for Web (JavaScript), iOS (Swift), and Android (Kotlin). Each SDK collects 350+ signals specific to its platform and streams encrypted telemetry to the Foil scoring API. Integration typically requires just a few lines of code, add the SDK, initialize it, and start receiving risk scores and device intelligence through the API or dashboard.

Question 5

Can Foil distinguish between good bots and bad bots?

Accepted Answer

Yes. Foil includes a comprehensive agent taxonomy with Web Bot Auth verification that cryptographically validates whether a bot is who it claims to be. This lets you allow legitimate crawlers like Googlebot and authorized AI agents while blocking scrapers, headless browsers, and malicious automation. You can set policies to allow, throttle, or block AI agents based on their verified identity and risk characteristics.

Question 6

How does Foil detect device spoofing and anti-detect browsers?

Accepted Answer

Foil cross-references signals that originate at different layers of the stack, hardware capabilities, TLS handshake parameters, network characteristics, and browser APIs, to detect inconsistencies that reveal spoofing. For example, if a browser claims to be Chrome on macOS but its TLS fingerprint, GPU renderer, or hardware concurrency doesn't match, Foil flags the mismatch. This approach catches anti-detect browsers like Multilogin and GoLogin, headless browsers like Puppeteer and Playwright, and devices with tampered user agents or screen resolutions.

Question 7

What data does Foil collect, and is it privacy-friendly?

Accepted Answer

Foil collects device signals and behavioral patterns, not personal information. It captures things like hardware characteristics, browser configuration, TLS parameters, mouse movements, touch events, and scroll patterns, but it never records what users type. All telemetry is encrypted in transit, scoring happens entirely server-side in a sealed environment, and the platform is designed with privacy by design principles from the ground up. Foil publishes a Data Processing Addendum (DPA) for customers who need compliance documentation.

Question 8

What fraud and abuse use cases does Foil address?

Accepted Answer

Foil addresses a wide range of fraud and abuse scenarios: account takeover detection by identifying devices that don't match a user's known profile, fake account and free tier abuse prevention using durable device identity that persists across resets and incognito mode, payment fraud detection by flagging spoofed devices at checkout, content scraping defense by identifying headless and stealth automation, AI agent access control for managing which AI agents can interact with your product, and safe AI agent onboarding to let your users sign up using legitimate AI agents while blocking malicious ones.

Question 9

How does Foil's device fingerprinting and identity work?

Accepted Answer

Foil generates a durable device identity by combining hundreds of stable hardware, software, and configuration signals into a unique fingerprint. Unlike cookie-based tracking, this identity persists across browser resets, incognito sessions, and new account signups on the same device. This makes it effective for detecting users who create multiple fake accounts, abuse free tiers, or attempt to evade bans, because the underlying device remains identifiable even when surface-level identifiers change.

Question 10

How is the Foil SDK protected from tampering and reverse engineering?

Accepted Answer

The Foil SDK is hardened using multiple layers of protection: WebAssembly (WASM) for core logic that's difficult to decompile, chain hashing to detect any modification of collected signals, and sealed server-side scoring so that risk assessment logic is never exposed to the client. The SDK is regularly red-teamed to identify and close potential bypass vectors. This means even sophisticated attackers can't easily inspect, modify, or replay the signals that Foil collects.

Question 11

How do I integrate Foil into my application?

Accepted Answer

Integration takes just a few minutes. Install the Foil SDK for your platform (npm package for Web, CocoaPod for iOS, or Gradle dependency for Android), initialize it with your API key, and Foil starts collecting signals automatically. Risk scores and device intelligence are available through the REST API or the Foil dashboard, where you can review sessions, inspect individual signals, and configure rules. Full documentation and integration guides are available at usefoil.com/docs.

Question 12

Is Foil free to use?

Accepted Answer

Foil is completely free while in beta. You can sign up from the dashboard at dashboard.usefoil.com, start integrating immediately with no credit card required, and get full access to all SDKs, the scoring API, and the dashboard. The beta is a great opportunity to integrate Foil into your stack and evaluate its impact before paid plans are introduced.

Detect AI agents and malicious devices abusing your business

Highlights

Session

Runtime Integrity

Network Intelligence

Network fingerprint Mismatches UA

Network fingerprint Matches UA

What is Foil?

High security device intelligence

Detect high risk people, bots and agents

Spot lying devices

Catch repeat offenders

Security without CAPTCHA

Protection on web and mobile

Analyze user behavior with AI automation

Fraud, replayed in 4K

We test Foil against the best
stealth browsers, and share the results

Use cases