Frequently Asked Questions

The IsAgent SDK is a JavaScript library that enables you to detect whether a client is likely an AI agent or a human user. It provides both low-level functions and high-level React components for seamless integration into your applications.

IsAgent is designed to help website owners deliver a better Agent Experience. Learn more in our blog post: Introducing IsAgent.

The SDK makes a client-side API call to Stytch's agent detection service, which analyzes client hints and signals to determine if the visitor is likely an AI agent. The detection is based on factors like:

• User agent string
• TLS fingerprint
• Other network characteristics

No, agent detection is not 100% accurate. The technology relies on heuristics and patterns, which means there's always a possibility of false positives or negatives. It is also possible for clients to manipulate the inputs, like the User Agent string, to produce different results.

We recommend using the detection as a hint rather than a definitive identifier, and always providing a fallback experience for users regardless of their detected status.

At Stytch, we are also working with leaders like Browserbase to enable optional self-identification of agents through web standards. If enabled, the agents would send cryptographically-signed messages so that website owners can actually verify identities, unlike the easily-spoofable User Agent string.

You'll need to sign up for a free Stytch account:

1. Visit the Stytch Dashboard and sign up to create a free account.
2. Create a new Workspace by clicking "Create Workspace" and entering your details.
3. Select B2B SaaS as your project type and click "Create account".
4. Scroll down to the Project ID & API keys section and copy the public_token.

IsAgent is free to use for up to 10,000 calls per month. If you are interested in a larger number of calls, please contact isagent@stytch.com.

Yes! While we provide convenient React components and hooks, you can also use the low-level isAgent function directly:

No, IsAgent is intended for analytics and agent experience. It is not a good fit for security use cases.

IsAgent is a lightweight frontend integration to help you identify agents and bots quickly. But malicious actors can always tamper with frontend logic, so think of the results as a “client hint”, not a security guarantee. You should use IsAgent for analytics and to nudge bots towards different flows, rather than to block bots entirely.

Stytch Device Fingerprinting is a better fit for blocking bad bots. It uses similar technology under-the-hood, but has a deeper integration with a dedicated frontend script and backend Lookup API in order to detect deception and other client-side manipulation. Organizations like Calendly and Replit trust Stytch Device Fingerprinting to defend against sophisticated bots and bad actors.

During development, you can test both agent and human detection paths:

• For human detection: Simply visit your app in a regular browser.
• For agent detection: Set your user agent to include the string "testbot".

Here are some recommended practices when implementing IsAgent:

• Always provide a fallback experience for both agents and humans.
• Test your implementation with both human and agent scenarios.
• Don't rely on frontend agent detection for security-critical decisions.
• Handle loading and error states gracefully.
• Monitor detection accuracy and user feedback.

It might help to think of IsAgent as a form of progressive enhancement or accessibility attributes (like ARIA), but targeted towards AI agents.