Quickstart
Add BrowserID to any website in two minutes. No account required to start — the fingerprinting runs entirely client-side.
Option A — Script Tag (zero config)
<!-- 1. Add the script to your page -->
<script src="https://webbrowsers.id/browserid.js" defer></script>
<!-- 2. Listen for the identity event -->
<script>
window.addEventListener('browserid:ready', (e) => {
const { browserID, coreID, cryptoID } = e.detail;
// Send to your backend
fetch('/api/your-endpoint', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ browserID })
});
});
</script>Option B — npm package
npm install @webbrowsers/browseridimport { getOrInitBrowserID } from '@webbrowsers/browserid';
const identity = await getOrInitBrowserID();
console.log(identity.browserID); // Full fingerprint hash
console.log(identity.coreID); // Hardware-stable ID (survives updates)
console.log(identity.cryptoID); // Cryptographic keypair ID
console.log(identity.source); // 'opfs' | 'indexeddb' | 'fingerprint-fuzzy' | ...Note: GPS coordinates are only collected if the user has already granted geolocation permission. BrowserID never triggers the browser permission prompt.
How It Works
BrowserID generates a persistent identifier from hardware-level browser signals. Unlike cookies, it survives clearing browser data, private mode, and VPN switching.
Canvas Fingerprint
GPU-rendered text differences expose hardware/driver signatures unique per machine.
WebGL Hash
GPU vendor, renderer string, and shader language version — stable across browser updates.
Audio Context
Audio processing pipeline produces a hardware-specific numeric signature.
Hardware Signals
CPU core count, device memory, screen DPI, color depth — hard to spoof consistently.
Multi-sink Storage
ID stored in OPFS, IndexedDB, Cache API, and localStorage — survives partial clears.
Fuzzy Matching
Even after full storage wipe, re-identifies by scoring fingerprint similarity (score ≥ 60).
API Reference
Base URL: https://webbrowsers.id/api
Tracking
Identity
Forensics
Alert Types
Alerts are returned in the alerts[] array on every POST to /api/logs.
vpn_timezone_mismatch
Browser JS timezone does not match the timezone of the IP geolocation.
vpn_gps_ip_mismatch
GPS coordinates (if granted) are >150km from IP geolocation. Strong VPN/proxy indicator.
vpn_ports_open
Server-side port scan found VPN daemon ports open on the client IP (OpenVPN, WireGuard, PPTP, etc.).
vpn_known_provider
IP ISP/org matches a known VPN provider or datacenter ASN.
ai_agent_detected
Browser property analysis indicates an LLM agent, headless browser, or automation framework.
incognito_mode
Private/incognito browsing detected via storage quota, IndexedDB, or localStorage behavior.
impossible_travel
Same BrowserID appeared at two geolocations implying travel >800 km/h since last event.
Identity Tiers
BrowserID uses a 5-tier identity resolution chain. Each tier is more persistent than the last.
Storage Sinks
browserIDOPFS → IndexedDB → Cache API → localStorage. Survives cookie clears. Falls back through sinks automatically.
Core ID
coreIDHardware-only signals: WebGL, audio, CPU cores, screen, DPI, platform. Survives browser updates, UA changes, font installs.
Crypto ID
cryptoIDECDSA P-256 keypair, private key non-extractable, stored in IndexedDB. Survives storage wipes if IndexedDB is preserved.
Fuzzy Match
browserID (recovered)After full storage wipe, re-identifies by scoring fingerprint similarity against known identities. Score ≥ 60 = match.
Behavioral
browserID (recovered)Cosine similarity over behavioral vectors (typing cadence, mouse movement, scroll patterns). Cosine ≥ 0.92 = match.