// telltales/registry/registry.go
func NewDefaultRegistry() *Registry {
r := &Registry{} // 100+ detection rules
r.Register(TelltaleDefinition{
ID: "TT-071", Name: "property_descriptor_spoofed",
Category: Fingerprint, Weight: 0.85,
Evaluate: func(ctx *EvalContext) bool {
return ctx.PropertyDescriptorSpoofed
},
})
r.Register(TelltaleDefinition{
ID: "TT-076", Name: "canvas_noise_injected",
Category: Fingerprint, Weight: 0.85,
Evaluate: func(ctx *EvalContext) bool {
return ctx.CanvasNoiseInjected
},
})
r.Register(TelltaleDefinition{
ID: "TT-082", Name: "mouse_bezier_synthetic",
Category: Behavioral, Weight: 0.80,
Evaluate: func(ctx *EvalContext) bool {
return ctx.MouseBezierSynthetic
},
})
r.Register(TelltaleDefinition{
ID: "TT-089", Name: "stealth_plugin_partial_patch",
Category: Fingerprint, Weight: 0.85,
Evaluate: func(ctx *EvalContext) bool {
return ctx.StealthPluginPartialPatch
},
})
r.Register(TelltaleDefinition{
ID: "TT-063", Name: "client_hints_inconsistency",
Category: Network, Weight: 0.70,
Evaluate: func(ctx *EvalContext) bool {
return ctx.ClientHintsInconsistent
},
})
// ... 95+ more rules across 6 categories
// score = fired_weights / total_weights * 100
return r
}
Real-time monitoring of every visitor. 100+ behavioural signals when it's a human. RFC 9421 cryptographic verification and a 4-tier trust ladder when it's an AI agent. Every decision traceable to exactly which signals fired.
60 days free · $3/mo to monitor · $29/mo to enforce
100+ telltale rules across 6 categories. Every decision traceable to exactly which signals fired and why.
Drop the SDK into any page. It collects 100+ signals across behavioral biometrics, environment probes (AudioContext, WebGL, canvas, fonts, emoji rendering, Web Workers), JS integrity checks (prototype tampering, property descriptors, stealth plugin detection), and cryptographic chain verification. Streams everything over WebSocket. No UI. No pop-ups. Users never know it's there.
When data-enforce="true", the SDK auto-injects a __zgate_token hidden field on form submit. Extract it server-side, call /v1/siteverify, and act on the verdict.
Z-Gate's edge middleware runs at the CDN layer — Vercel, Cloudflare, any edge runtime. Every request gets a pre-score before it ever touches your origin. Bots that don't even load JavaScript get caught here.
After a visitor passes behavioral analysis, the edge signs an HMAC cookie. Next request? Middleware reads the cookie, verifies the signature, lets them through. No SDK load. No WebSocket. No scoring. Verified humans get the fastest possible path.
python-requests/2.28 with no Accept-Language and no Sec-Fetch-Mode? That's a 75 before a single behavioral signal fires. Z-Gate runs 12 network-level checks — Client Hints consistency, Sec-Fetch validation, header order analysis, Accept patterns, Connection anomalies, stale UA detection — plus 22+ known bot signatures including Puppeteer, Playwright, and headless Chrome.
Datacenter CIDR? Tor exit node? Known bad actor? The edge caches IP reputation lists and checks every request in <1ms. No external API call. No latency penalty. Lists refresh every 5 minutes from your Z-Gate instance.
IP check + header heuristics run entirely at the edge. No round-trip to origin. Bots that don't even load JavaScript get caught here.
Verified visitors bypass all checks. Signed with SHA-256. Tamper-proof. 24h TTL. Returning humans get the fastest possible path.
Datacenter CIDRs, Tor exits, blocked ranges. In-memory. No external dependency. Lists refresh every 5 minutes from your instance.
npm i @zgate/next
Bots rotate fingerprints. Z-Gate correlates hardware signals across sessions to identify the physical device behind them — even when the browser fingerprint changes.
Renders audio through an OfflineAudioContext with oscillator + compressor and hashes the output. Real browsers produce unique waveforms from their audio stack. Headless browsers return silence — instant detection.
Executes a 128-iteration sin/cos fragment shader and measures GPU execution time across 5 runs. Real GPUs have scheduling jitter. Software renderers (SwiftShader) are impossibly fast with zero variance. Pixel output is hashed to detect known software renderer signatures.
Groups devices by physical hardware signals — GPU renderer, screen resolution, CPU cores, timezone, IP range. When a bot rotates browser fingerprints, Z-Gate sees the same physical device underneath. More than 3 identities from one device = flagged.
Every device gets a unique, persistent identity. The network graph reveals hidden connections — bot farms sharing IPs, fingerprint rotators on the same physical machine. Click any node to see every session, every IP, every identity change.
GPTBot, ClaudeBot, Perplexity, ChatGPT-User, Bytespider. You can't just block them. You can't just allow them. Z-Gate classifies every AI actor on three axes — Operator × Purpose × Accountability — so you set policy the way the web actually looks in 2026.
User-agent strings lie. IP ranges drift. Z-Gate implements HTTP Message Signatures (RFC 9421) — the IETF Web Bot Auth standard Cloudflare, OpenAI, and Perplexity already ship. Bots that sign their requests get cryptographic attribution. Everyone else falls down the 4-tier ladder automatically.
/.well-known/http-message-signatures-directoryGET /blog/ai-ethics HTTP/1.1 Host: yoursite.com User-Agent: GPTBot/1.2 Signature-Input: sig1=("@method" "@authority" "@target-uri"); created=1712345678; keyid="openai/k1"; alg="ed25519" Signature: sig1=:BASE64…:
/.well-known/…-directoryWhen behavioral analysis isn't enough and proof of work gets bypassed, Gatekeeper steps in. A friendly chat with quick questions and interactive micro-games — trivial for humans, impossible for scripts. No image grids. No frustration. Just a 30-second conversation.
Available on Pro & Enterprise plansAn ever-growing bank of challenges across multiple categories — speed tests, trick questions, opinion prompts, absurd scenarios. The mix changes every session. Every keystroke, pause, and correction is measured. LLMs can answer the questions, but they can't fake the typing.
Interactive challenges mixed into the conversation — catch a falling ball, rotate an arrow to a random target, long press, double tap. Each one samples mouse trajectories, measures precision timing, and captures behavioral signals that require a real browser with a real human behind it.
Every exchange is a data stream. Think time, typing cadence, keystroke variance, corrections, mouse trajectories, solve precision. All scored server-side in real time — the client sends raw behavioral data, the server computes the score. No client-side manipulation possible.
The gatekeeper doesn't use AI to judge responses. Questions come from a static bank with validators. Scoring is pure math — weighted behavioral signals with known thresholds. Every decision is traceable to exactly which signals fired and why.
Every request flows through the same pipeline. Edge pre-scoring catches the obvious. Behavioral analysis catches the sophisticated. PoW, tarpit, and the gatekeeper handle the gray zone. No image grids. No "select all traffic lights."
Traffic time-series. Historical analytics. Session replay with mouse trail playback. Click any session to drill down into every signal, or watch the bot move in real time. Mark false positives. Get webhook alerts on block spikes.
Get notified when your block rate spikes. Z-Gate monitors a 5-minute sliding window and fires a POST to your webhook URL when blocks exceed your threshold. Slack, PagerDuty, anything that accepts HTTP.
Mark any session as false positive or false negative directly from the dashboard. Track your detection accuracy over time and build confidence before switching from Monitor to Enforce mode.
Volume trends, score distributions, top telltales, and worst offender IPs — sliced by 24h, 7d, or 30d. Postgres-backed, not just in-memory. See patterns that real-time dashboards miss.
Hotjar, Microsoft Clarity, Mouseflow show you every click. Z-Gate shows you every click with identity. Filter heatmaps, scroll maps and rage events by human, by AI agent, by operator — and get UX data that isn't polluted by scrapers.
/pricing · last 30dEvery session gets a score. Every score triggers a response. Automatic escalation from allow to block — plus manual interventions when you need surgical control.
One click to permanently block any IP address. See every session from that address, unique fingerprints, block rate, and first/last seen. Unblock anytime from the dashboard.
Flag any device for a conversational challenge on their next visit. Useful when a session looks suspicious but the score is borderline. The device gets Gatekeeper regardless of score.
Mark any session as false positive, false negative, confirmed bot, or confirmed human. Add notes. Track feedback stats across your account. Every label improves your understanding.
Three install tiers. Each one catches more. No gating, no plan differences — pick based on what your infrastructure allows.
| Visitor type | Tier 1Script tag only | Tier 2+ SDK-fetch logging | Tier 3+ @zgate/next middleware |
|---|---|---|---|
| Humans in a browser full behavioural + fingerprint |
✓ | ✓ | ✓ |
| ChatGPT / Perplexity / Claude browsers full Chromium, executes JS |
✓ | ✓ | ✓ |
| Googlebot, Bingbot JS with a budget |
✓ | ✓ | ✓ |
| ClaudeBot, Bytespider, Amazonbot HTML-parsing AI crawlers |
✗ | ◯ weak | ✓ |
| GPTBot, CCBot, Meta-ExternalAgent training crawlers |
✗ | ◯ weak | ✓ |
| curl, WebFetch, Playwright (no JS) raw HTTP — never parses HTML |
✗ | ✗ | ✓ |
| Monitoring pings Pingdom, UptimeRobot |
✗ | ✗ | ✓ |
| RFC 9421 signed agents cryptographic operator attribution |
✗ | ✗ | ✓ |
<script src="zgate.dev/static/zgate.js?k=pk_...">
npm i @zgate/nextmiddleware.ts.
Every account starts with a 60-day free trial — no card required. Full dashboard, every signal, every rule. Then $3 to keep monitoring or $29 to enforce policies live.
hello@zgate.dev
Deploy Z-Gate in minutes. 100+ telltale rules. Hardware probes. Device correlation. Every decision explained.