A practical comparison of the leading browser fingerprinting libraries. FingerprintJS has the widest signal set, ThumbmarkJS and ClientJS are simple drop-ins, CreepJS is a research tool, and Benny the Doorman adds a cross-browser hardware ID and free anti-spoof. Here is how to choose.
A browser fingerprinting library reads signals from the browser, things like the canvas rendering, the audio stack, installed fonts, and the GPU, and turns them into a stable identifier you can use to recognize a returning visitor or device with no cookie required. The libraries below all run client-side in JavaScript and return that identifier as a hash.
Where they differ is licensing, whether they recognize the same device across different browsers, whether they detect spoofing, and how much you have to build yourself. This guide compares the five that matter, then gives a plain rule of thumb for picking one.
What to look for in a fingerprinting library
- Licensing and source availability: MIT, source-available, or closed. This matters for audits, internal security review, and the ability to fork.
- Cross-browser identity: does the same physical device produce a stable ID in Chrome, Safari, and Firefox, or a different hash in each browser?
- Comparison logic: does it ship an API to score how similar two fingerprints are, or do you write that matching code yourself?
- Anti-spoof: does it flag automation, anti-detect browsers, and tampered signals, and is that free or gated to a paid tier?
- Dependencies and runtime: zero-dependency and client-only, or does it need a server roundtrip and an account?
Browser fingerprinting libraries at a glance
| Library | License | Output | Cross-browser ID | Anti-spoof | Best for |
|---|---|---|---|---|---|
| FingerprintJS (OSS) | Open source | Single hash | No | No | Widest signal set, drop-in |
| FingerprintJS Pro | Commercial | Server visitor ID | Yes (server) | Yes (ML, paid) | Enterprise device intelligence |
| ThumbmarkJS | MIT | Single hash | No | Partial / paid | Simple drop-in with a paid tier |
| ClientJS | Apache 2.0 | Single hash | No | No | Lightweight, legacy-friendly |
| CreepJS | MIT | Detailed report + trust score | No | Yes (detection-focused) | Research, auditing your own entropy |
| Benny the Doorman | Free (closed source) | Two hashes (per-browser + hardware) | Yes (client-side) | Yes (free) | Cross-browser device matching + free anti-spoof |
FingerprintJS
FingerprintJS is the most widely known name in browser fingerprinting. The open-source library produces a single hash from a large signal set and is a solid drop-in for recognizing a returning visitor inside the same browser.
Its cross-browser identity, server-resolved persistent IDs, IP intelligence, and anti-spoof live in the paid Pro tier, which is a full device-intelligence platform rather than a library. If you need that platform and have the budget, Pro is the most mature option. If you only need a client-side hash, the breadth of the open-source collector set is its main draw. The Benny vs FingerprintJS comparison breaks down the OSS and Pro tiers in detail.
ThumbmarkJS
ThumbmarkJS is a modern, MIT-licensed library that reached the free-fingerprinting space early. It produces a single hash, is genuinely simple to drop in, and has a published paid tier for teams that want hosted infrastructure.
It does not split hardware from engine signals, so it does not give you a deterministic cross-browser device ID, and its anti-spoof coverage is limited in the free tier. For a single-hash model with a clear pricing ladder and an open-source license, it is a strong pick. The Benny vs ThumbmarkJS comparison covers the specifics.
ClientJS
ClientJS is one of the older open-source fingerprinting libraries, Apache-2.0-licensed and lightweight. It wraps a set of browser properties into a single numeric fingerprint and is easy to read and integrate.
It has not kept pace with newer signal techniques like WebGL pixel readback or WebGPU, it has no cross-browser identity or anti-spoof, and its last release was in 2021. It is a reasonable choice for simple, low-stakes recognition, or for projects that value a small, readable dependency over maximum entropy.
CreepJS
CreepJS is different from the others: it is a research and demonstration project, not a production identification library. It collects an unusually deep set of signals and focuses on detecting lies, such as spoofed user agents, anti-detect browsers, and tampered APIs, and presents a detailed trust report.
Developers use it to understand how identifiable their own browser is and to study anti-detect techniques. It is excellent for auditing and learning, but it is not designed to be dropped into an app as a stable device ID.
Benny the Doorman
Benny the Doorman is the library this site maintains, so treat this entry as the vendor's own view. Its distinguishing feature is that it tags every signal as hardware-bound or engine-bound and returns two hashes: a per-browser fingerprint, and a hardwareFingerprint that stays identical across Chrome, Safari, Firefox, and Brave on the same device.
It ships a compareFingerprints API with six match modes and a rule-based anti-spoof consistency score on every result, all in the free tier and all client-side. It has a narrower raw signal count than FingerprintJS and is closed-source, which are real trade-offs. It is the cleanest fit when you need cross-browser device matching or free anti-spoof without standing up a server.
How to choose
Match the tool to the job. If you need an enterprise platform with server-resolved identity, IP intelligence, and native mobile SDKs, FingerprintJS Pro is built for that. If you need a simple per-browser hash with an MIT license, ThumbmarkJS or ClientJS will do it. If you are auditing your own fingerprint or studying anti-detect browsers, CreepJS is the research tool.
If your problem is recognizing the same device across browsers, the common case in anti-fraud, trial-abuse prevention, and duplicate-account detection, you need hardware-bound identity, which is where Benny's two-hash model is aimed.
Most teams overestimate how much signal breadth they need and underestimate how often the same user returns in a different browser. A single per-browser hash reads that user as two devices. If that failure mode matters for your use case, prioritize cross-browser identity over raw collector count.
Frequently asked questions
What is the best free browser fingerprinting library?
It depends on the job. For a simple open-source per-browser hash, ThumbmarkJS and ClientJS are strong free options. For cross-browser device identity and free anti-spoof without a server, Benny the Doorman is purpose-built. FingerprintJS's open-source library has the widest signal set but no cross-browser matching or anti-spoof in the free version.
What is the best open-source alternative to FingerprintJS?
If you want an MIT-licensed drop-in, ThumbmarkJS is the closest modern equivalent to the open-source FingerprintJS library, with ClientJS as a lighter, older option. If your real need is cross-browser device matching, which FingerprintJS only offers in its paid Pro tier, Benny the Doorman provides a deterministic cross-browser hardware ID for free, though it is closed-source.
Is FingerprintJS free?
FingerprintJS has a free open-source library that returns a single per-browser hash. Its cross-browser identity, persistent server-side visitor IDs, IP intelligence, and anti-spoof detection are part of the paid FingerprintJS Pro platform, which is priced per identification above a monthly free allowance.
Do browser fingerprinting libraries work in incognito or private mode?
Yes. Fingerprinting reads device and browser characteristics rather than stored cookies, so most signals are still available in incognito or private mode. Hardware-bound signals in particular stay the same between a normal and a private session on the same device, which is why a fingerprint survives where a cookie does not.
What is CreepJS used for?
CreepJS is a research and demonstration tool that detects fingerprint spoofing and shows how identifiable a browser is. It is meant for auditing your own entropy and studying anti-detect browsers, not for use as a production device identifier. For a stable ID in your application, a library like FingerprintJS, ThumbmarkJS, or Benny the Doorman is the right category.
Are browser fingerprinting libraries legal to use?
Fingerprinting is legal in most jurisdictions but regulated. The EU ePrivacy Directive and GDPR, the UK GDPR, and various national and US state laws govern it, and many include an exemption for fraud prevention and security. Legality depends on your purpose, your disclosure, and your region. This is engineering guidance, not legal advice.
Get started
Need cross-browser device identity?
Benny the Doorman returns a per-browser fingerprint and a deterministic cross-browser hardware ID in one client-side call, with free anti-spoof scoring. One npm install, no account, no cookies.
Last reviewed June 9, 2026
