Skip to main content


Hitprobe protects websites, apps, and ecommerce transactions against bad actors. Stop bonus abuse, reduce chargebacks, block multiple signups, limit credential sharing, limit free content, and more. Hitprobe shows you the true picture behind every event.

  • Device and browser fingerprinting: Hitprobe provides a stable device ID that remains consistent even when visitors attempt to look like a new user (i.e. using a VPN, switching to incognito, etc.). Our technology combines fingerprinting, probabilistic matching, and server-side techniques.
  • Counts and cardinality metrics: See how many times a device has been seen (per hour, day, month, etc.), and the unique IP networks, email addresses, and phone numbers linked to it. Act instantly on API responses, or dig into the details with the Hitprobe console.
  • Plug and play risk protection: Ready made smart rules help you to protect your app from risks such as remote geolocation (block countries), automated bots, anonymous users (VPN, Tor, etc.), throwaway email addresses, and more.
  • Extended email, phone, IP, and address checks: Check email deliverability, disposable domains, phone number reachability, parse addresses, and much more. Also provides country and timezone.
  • Easy-to-use console: For reviewing events, configuring rules, and one-click allowlisting of safe emails or IP addresses.

You can learn more about Hitprobe on the main website.

New here?

Need something specific?

⏱️ 5 minute quick start

Very short on time? Implement Hitprobe in 5 minutes. Make sure you've created an account and added a site.

Include the agent script in the <head> section of the page:

<script src="" async defer></script>

Then, create a hidden form field that will hold the probe_id generated by the agent. It can have any name but we'll call it probe_id here. It must have a data-hp-site-key attribute with your site key (you can get this from site settings in the console):

<input type="hidden" name="probe_id" data-hp-site-key="<INSERT_SITE_KEY>">
Does your site use a Content Security Policy (CSP)?

You'll need to add some Hitprobe domains to allow the agent to work:

DirectiveAdd the domain
script-src*, *
connect-src*, *

You should now turn your attention to the server. Check you are now receiving a probe_id field alongside the regular fields on the form. Go ahead and send it to the event API along with the person's details and the secret_key that you can also copy from the console.

curl '' \
-H 'Content-Type: application/json' \
--data '{
"email": "[email protected]",
"probe_id": "<INSERT_PROBE_ID>",
"secret_key": "<INSERT_SECRET_KEY>"

You should get back a 200 status response with your first event result:

"id": "d4bhu2b1hGOpMn1a76SXl",
"url": "",
"external_id": null,
"outcome": "allow",
"rules": [],
"device": {
"success": true,
"valid": true,
"probe_id": "ctwCYFyAUteNpsBgAw7xYL",
"probe_created_at": "2024-05-20 09:10:27.656374",
"probe_mins_elapsed": 10,
"probe_unique": true,
"probe_ip_match": true,
"probe_suspect": false,
"device_id": "kMZNtJAbyZtFBSZesnNnwg",
"ipv4": "",
"ipv6": "2041:0000:140f::875b:131b",
"browser_name": "Chrome",
"private_browsing": false,
"headless_browser": false,
"platform": "MacIntel",
"vendor": "Google Inc.",
"memory": 8,
"hardware_concurrency": 10,
"language": "en-GB",
"screen_resolution": "3440x1440",
"timezone": "Europe/London",
"timezone_mismatch": false,
"bot": false,
"anonymous": false,
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36",
"ua_browser_family": "Chrome",
"ua_browser_version": "124.0.0",
"ua_os_family": "Mac OS X",
"ua_os_version": "10.15.7",
"ua_device_family": "Mac",
"ua_device_brand": "Apple",
"ua_device_model": "Mac",
"ua_mobile": false,
"ua_tablet": false,
"ua_touch_capable": false,
"ua_pc": true,
"ua_crawler": false,
"first_seen": "2024-05-20 09:10:27.832895",
"last_seen": "2024-05-20 09:18:05.526443",
"seen_hour": 1,
"seen_day": 1,
"seen_month": 1,
"seen_quarter": 1,
"unique_networks": 1,
"unique_emails": 1,
"unique_phone_numbers": 1,
"unique_postal_codes": 1
"email": {
"success": true,
"valid": true,
"email": "[email protected]",
"local_part": "dan",
"normalized_email": "[email protected]",
"normalized_local_part": "dan",
"domain": "",
"domain_tld": "com",
"domain_tld_high_risk": false,
"digits_count": 0,
"name_match": true,
"free": true,
"disposable": false,
"business": false,
"breaches_count": 8,
"breaches_list": [
"seen_hour": 1,
"seen_day": 1,
"seen_month": 1,
"seen_quarter": 1,
"unique_devices": 1
"ip": {
"success": true,
"in_country": true,
"ip": "",
"ip_network": "204.158.96",
"isp": "Comcast Cable Communications LLC",
"organization": "Comcast Cable Communications LLC",
"carrier": "Verizon",
"type": "business",
"city": "Minneapolis",
"state": "Minnesota",
"country_name": "United States",
"country_code": "US",
"postal_code": "55400",
"timezone": "America/Chicago",
"latitude": 40.9255,
"longitude": -89.3034,
"vpn": true,
"relay": false,
"proxy": false,
"tor": false,
"hosting": false,
"threat": false,
"bogon": false,
"seen_hour": 1,
"seen_day": 1,
"seen_month": 1,
"seen_quarter": 1

Set your application to respond to a block or block_review outcome by preventing the flow from continuing.

🥳 That's the basics done. We recommend you now review the full getting started guide to understand how to strengthen the implementation.