Reverse Engineering Vercel's BotID

Summary

Reverse Engineering Vercel's BotIDPreamble I’m conflicted every time I write one of these posts. On one hand, anti-bots are important. They help stop credential stuffing attacks1, block denial-of-service attempts, and keep bad faith scrapers from inflating hosting costs2 (especially in the era of AI). If you’re running a business on the internet these days, it’s hard to survive without some kind of bot protection in place. On the other hand, I kind of hate them. Most anti-bots rely on aggressive browser fingerprinting3, collecting a plethora of device signals4, and quietly deciding whether you're “human enough”. They often break for those using Linux, smaller browsers like Ladybird5, or even privacy-focused ones like Brave. They push the web toward a monoculture where only certain OS/browser combos are considered legitimate. So I sit in this weird middle ground. I get why they exist. I get why companies use them. But I also worry about what they're doing to the open web. This blog post doesn’t present anything particularly groundbreaking. In fact, much of it revisits topics covered before on this site. My goal here is simply to invite discussion and hear different perspectives on the matter. Introduction Vercel recently announced BotID, "an invisible CAPTCHA that protects against sophisticated bots without showing visible challenges or requiring manual intervention". It’s available in two modes: Basic and Deep Analysis. The Basic tier is free for all users. Deep Analysis costs $1 per 1,000 requests. Both modes rely on client-side signals to detect bots, however, Deep Analysis is powered by Kasada's anti-bot script and is meant to catch more sophisticated bots. This post primarily focuses on Basic mode, however, Deep Analysis leverages scripts we've covered in a previous series. Setup for both is pretty straightforward. Setting up BotID You can start by adding BotID to your existing Next.js project like this: yarn add botid Then, protect a route using the following c...