What it does
FingerprintJS reads what the browser reports. DeviceSignal measures what the hardware does.
Every signal it collects is tagged either hardware-bound (GPU model, screen geometry, installed fonts, CPU architecture, timezone, attached media devices — stable across Chrome, Safari, Firefox, and Brave on the same machine) or engine-bound (audio DSP output, canvas rasterisation, WebGL caps, math floating-point — differs between browser engines even on identical hardware). That split is the wedge.
Two fingerprints, one collection pass
| Field | Source | Stable across browsers? | Use it for |
|---|---|---|---|
| fingerprint | All 15 signals fused | No — engine signals differ per browser | Recognising a returning user in the same browser |
| hardwareFingerprint | 5 hardware signals fused | Yes | Cross-browser device matching, MFA, anti-fraud, license enforcement |
The 15 signals at a glance
Nine signals run by default (tier 1). Four more are opt-in for broader coverage (tier 2). Two are niche / low-entropy (tier 3).
Signal catalogue
| # | Signal | Binding | Tier |
|---|---|---|---|
| 1 | audio | engine | 1 |
| 2 | canvas | engine | 1 |
| 3 | webgl_gpu_identity | hardware | 1 |
| 4 | webgl_params | engine | 1 |
| 5 | screen | engine | 1 |
| 6 | platform | hardware | 1 |
| 7 | timezone | hardware | 1 |
| 8 | fonts | hardware | 1 |
| 9 | math | engine | 1 |
| 10 | css_probe | engine | 2 |
| 11 | media_devices | hardware | 2 |
| 12 | webgl_gpu_trace | engine | 2 |
| 13 | webgpu | engine | 2 |
| 14 | speech_voices | engine | 3 |
| 15 | storage_quota | engine | 3 |
Three independent risk tracks
Every result includes three scoring blocks that should be reasoned about independently — the evidence sets barely overlap. Consistency catches anti-detect browsers that spoof signals to look like a real human (10 flags → spoofLikelihood). Automation catches drivers like Puppeteer / Playwright / Selenium that just want to work (12 flags → automationLikelihood). Incognito is informational only — private browsing is a legitimate feature, not evidence of fraud (4 flags → incognitoLikelihood).
Where to go next
Read Install & Quick Start to ship the library in five minutes. Read Configuration for tier / timeout / exclude options. Browse the API Reference for the four public functions. Open any Signal page to see exactly what is collected, how it is hashed, and which anti-fingerprinting tools defeat it.
