Orange textured background

Docs

Get Started in five minutes

A high-entropy device fingerprinting library that returns two hashes: a per-browser fingerprint and a cross-browser hardware ID. Zero dependencies. ~39 KB minified. TypeScript-native.

Reviewed

What it does

FingerprintJS reads what the browser reports. Benny measures what the hardware does.

Every signal it collects is tagged either hardware-bound (properties of the physical device and OS, stable across Chrome, Safari, Firefox, and Brave on the same machine) or engine-bound (properties of how the browser engine processes or renders content, differing between engines even on identical hardware). That split is the wedge.

Two fingerprints, one collection pass

FieldSourceStable across browsers?Use it for
fingerprintAll 26 signals fusedNo. Engine signals differ per browserRecognising a returning user in the same browser
hardwareFingerprint6 hardware signals fusedYesCross-browser device matching, MFA, anti-fraud, license enforcement

The 26 signals at a glance

Seventeen signals run by default (tier 1). Seven more are opt-in for broader coverage (tier 2). Two are niche, low-entropy (tier 3).

Signal catalogue

#SignalBindingTierAdded
1audioengine11.0.0
2canvasengine11.0.0
3webgl_gpu_identityhardware11.0.0
4webgl_paramsengine11.0.0
5screenengine11.0.0
6platformhardware11.0.0
7timezonehardware11.0.0
8fontshardware11.0.0
9mathengine11.0.0
10css_probeengine21.0.0
11media_deviceshardware21.0.0
12webgl_gpu_traceengine21.0.0
13webgpuengine21.0.0
14speech_voicesengine31.0.0
15storage_quotaengine31.0.0
16architecturehardware11.5.0
17apple_payengine11.5.0
18audio_base_latencyengine11.6.0
19screen_frameengine11.6.0
20js_heap_size_limitengine11.7.0
21font_preferencesengine11.7.0
22webgl_pixel_readbackengine21.8.0
23user_agent_dataengine11.9.0
24error_stack_engineengine11.19.0
25permissionsengine21.21.0
26webrtc_sdpengine21.23.0

Three independent risk tracks

Every result includes three scoring blocks that should be reasoned about independently, because the evidence sets barely overlap. Consistency catches anti-detect browsers that spoof signals to look like a real human (Consistency flags feeding spoofLikelihood). Automation catches drivers like Puppeteer, Playwright, and Selenium that just want to work (Automation flags feeding automationLikelihood). Incognito is informational only. Private browsing is a legitimate feature, not evidence of fraud (Incognito flags feeding incognitoLikelihood).

Consistency flags

Consistency flags cover cross-signal contradiction checks (e.g. WebGL renderer OS string vs. navigator.platform, installed fonts vs. reported OS), per-call noise detection (canvas, WebGL, audio), UA cross-checks, and browser-specific suppression patterns such as Brave farbling and Firefox resistFingerprinting. A subset of flags feeds directly into the spoofLikelihood computation; others are informational. Illustrative examples: canvas_noise_uniform (canvas noise is uniformly +-1, an anti-detect tool pattern) and brave_shields_active (Brave per-eTLD+1 farbling signature detected, auto-suppressed from spoofLikelihood for real Brave users).

Native Android & iOS

Benny ships native Android and iOS SDKs alongside the web library. They run the same fusion algorithm over the same hardware-bound signals, so a native app produces a hardwareFingerprint comparable to the one the web library produces for the same physical device. The result is cross-surface device matching: recognising that a browser visit and a native-app session came from the same hardware, with no manual identity stitching by the developer.

The Android SDK is available now on Maven Central (requires minSdk 24). Beyond the cross-surface fingerprint it adds mobile-native capabilities with no web equivalent: tamper and emulator detection, hardware-backed attestation, and a reinstall-persistent device ID. The iOS SDK is in preview — reach out for early access.

kotlin
repositories {
    mavenCentral()
}
dependencies {
    implementation("io.github.miri-san-so:doorman-benny:0.1.0")
}

Android — app build.gradle.kts (transitive dependencies resolve automatically)

Where to go next

Read Install & Quick Start to ship the library in five minutes. Read Configuration for tier / timeout / exclude options. Browse the API Reference for the four public functions. Open any Signal page to see exactly what is collected, how it is hashed, and which anti-fingerprinting tools defeat it.

Last reviewed 2026-06-18