@2stars/verifai-web
v3.1.0
Zero-knowledge device-trust SDK for browsers. Signal hashes + behavioral biometrics (mouse, keystroke, scroll) — pairs with the 2Stars VerifAI backend on api.2stars.io/verifai/v1.
Zero-knowledge device trust for browser apps. Same surface as com.github.2stars-io:verifai-android — pairs with the same backend at https://api.2stars.io/verifai/v1.
```js
import { VerifAI } from '@2stars/verifai-web';

VerifAI.init({ apiKey: 'hbs_live_…' });
VerifAI.attachPasswordField(document.getElementById('password'));

const r = await VerifAI.verify(userEmail);
// allow(), showApprovalPending(), blockWith() and retryOrError() are your app's own handlers.
switch (r.status) {
  case 'TRUSTED': allow(); break;
  case 'NEW_DEVICE': showApprovalPending(r.sessionId); break;
  case 'REJECTED': blockWith(r.reason); break;
  default: retryOrError(); // PENDING, FEATURE_DISABLED, ERROR
}
```

Install

```sh
npm install @2stars/verifai-web
```

Or via `<script type="module">` if you prefer no bundler:

```html
<script type="module">
  import { VerifAI } from 'https://unpkg.com/@2stars/verifai-web/src/index.js';
  VerifAI.init({ apiKey: 'hbs_live_…' });
</script>
```

Pure ESM. No build step. Works in every evergreen browser. Node ≥ 18 for the test harness.
What this SDK does
Three independent axes of trust, each opt-in by your API key's feature flags:
| Axis | Catches | Feature flag |
|---|---|---|
| Device fingerprint (11 signal categories — UA, locale, canvas, WebGL, audio, hardware, etc.) | Different browser / device | verifai-patterns + verifai-verification |
| Behavioral biometrics (mouse velocity / curvature, click rhythm, cursor region, scroll velocity, keystroke flight time + bigram timing) | Wrong human on right browser | verifai-behavioral |
| Server-side patterns | Re-registration cadence, multi-user device, long absence, impossible travel | always-on alongside verification |
Everything is hashed in the browser. The server only ever sees opaque SHA-256 fingerprints.
Full API surface
| Method | Purpose |
|---|---|
| init(opts) | One-time SDK init. opts = { apiKey, baseUrl?, timeoutMs? } |
| register(userId) | First-ever login on this browser |
| verify(userId) | Every subsequent login |
| getTrustScore(userId) | Lookup current trust level + score |
| listDevices(userId) | All trusted devices for the user |
| removeDevice(deviceId) | Forget a device |
| approveDevice(sessionId, approvedBy?) | Approve another device from this trusted one |
| rejectDevice(sessionId, reason?) | Reject a pending session |
| isSameNetwork(remoteIP) | Local IP comparison for proximity gates |
| attachPasswordField(input) | Capture keystroke timing on a password field |
| getBehavioralCapture() | Live counts of captured gestures (debug UI) |
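
A fail-closed way to act on the result of `verify(userId)`, covering every status listed under "Response shape (verify)" below. This is an added example, not code from the SDK or its authors; `decideLogin`, `minScore` and the action names are hypothetical, and the policy choices (step-up on a low score, allow when no score is sent) are assumptions.

```javascript
// Added example: maps a VerifAI.verify() result to one login action, failing closed.
// decideLogin, minScore and the action/why strings are hypothetical, not SDK API.
const KNOWN_STATUSES = new Set([
  'TRUSTED', 'NEW_DEVICE', 'PENDING', 'REJECTED', 'FEATURE_DISABLED', 'ERROR',
]);

function decideLogin(r, { minScore = 70 } = {}) {
  // Anything that is not an object with a documented status is denied.
  if (!r || typeof r !== 'object' || !KNOWN_STATUSES.has(r.status)) {
    return { action: 'deny', why: 'malformed-or-unknown-status' };
  }
  switch (r.status) {
    case 'TRUSTED': {
      const s = r.trustScore;
      // trustScore is documented for 3.2.0+ servers, so it may be absent.
      if (s === undefined || s === null) return { action: 'allow', why: 'trusted-no-score' };
      // Present but not a number in 0-100 (NaN included): do not trust the response.
      if (typeof s !== 'number' || !(s >= 0 && s <= 100)) {
        return { action: 'deny', why: 'score-invalid' };
      }
      return s < minScore
        ? { action: 'step-up', why: 'trusted-but-low-score' }
        : { action: 'allow', why: 'trusted' };
    }
    case 'NEW_DEVICE':
      // approveDevice()/rejectDevice() take the sessionId; without one nothing can be approved.
      return typeof r.sessionId === 'string' && r.sessionId.length > 0
        ? { action: 'await-approval', sessionId: r.sessionId }
        : { action: 'deny', why: 'new-device-without-session' };
    case 'PENDING':
      return { action: 'await-approval', sessionId: r.sessionId ?? null };
    case 'REJECTED':
      return { action: 'deny', why: r.reason || 'rejected' };
    case 'FEATURE_DISABLED':
      // Assumed meaning: the key's feature flag is off, so no check ran. Not a pass.
      return { action: 'step-up', why: 'device-trust-not-evaluated' };
    default: // 'ERROR'
      return { action: 'deny', why: r.error || 'verify-error' };
  }
}
```

Because this runs in the page, it decides what the UI shows next, not what the server authorizes.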
Response shape (verify)
```ts
{
  status: 'TRUSTED' | 'NEW_DEVICE' | 'PENDING' | 'REJECTED' | 'FEATURE_DISABLED' | 'ERROR',
  trustScore: number, // 0-100 composite (3.2.0+ server)
  trustLevel: 'BASELINE' | 'MEDIUM' | 'HIGH' | 'VERY_HIGH',
  deviceId: string,
  sessionId: string | null, // present on NEW_DEVICE
  scoreBreakdown?: Record<string, number>, // per-axis 0-100 (3.2.0+ server)
  behavioral?: BehavioralReport,
  patterns?: PatternsReport,
  strictMode?: StrictModeReport,
  advanced?: AdvancedReport, // 3.2.0+ server
  reason?: string,
  error?: string,
}
```

Versioning
Current: 3.1.0 — 11 signal categories, 6 mouse-behavioral categories + 3 keystroke categories. Mirror of the Android SDK's behavioral coverage adapted to web inputs.
Privacy
- No raw signals leave the browser. Every signal is hashed locally with a per-device salt.
- No tracking pixels. Calls go only to the API base you configure (default https://api.2stars.io/verifai/v1).
- No third-party deps at runtime. Pure browser APIs.
Companion SDKs
- com.github.2stars-io:verifai-android — same surface for Android
- @2stars/video-js — 2Stars video platform core SDK
- OpenAPI spec — generate a client in any language
License
MIT — see LICENSE.
