Benny the Doorman vs CreepJS, a library vs a research tool

TL;DR

CreepJS and Benny look related, but they are built for different jobs. CreepJS is an open-source, MIT-licensed research and education project that collects an unusually deep set of signals to detect lying, spoofed user agents, anti-detect browsers, and tampered APIs, and presents a trust score and a detailed report. Its own README says it is not meant to be a fingerprinting library.

It ships as a hosted demo and source you clone, with no npm package, and it does not return a stable device ID you would build an app on.

Benny is a production library. It returns a per-browser fingerprint and a deterministic cross-browser hardwareFingerprint, ships a compareFingerprints API with six modes, and runs a free rule-based anti-spoof check on every result. If you want to audit your own entropy or study anti-detect browsers, use CreepJS. If you want a stable identity to ship, that is Benny.

At a glance

	Benny	CreepJS
Purpose	Production device identity	Research + spoof-detection audit
License	Closed-source	MIT (open source)
Distribution	npm package	Hosted demo + source, no npm
Primary output	Two hashes (per-browser + hardware)	Trust score + lie report
Stable device ID	Yes	No (not its goal)
Deterministic cross-browser ID	Yes (`hardwareFingerprint`)	No
Comparison API	Built in, 6 modes	Not applicable
Spoof / lie detection	Yes (free, on every result)	Yes (its core focus)
Drop into your app	Yes, one install	No, clone and host yourself
Maintenance	Active	Active

Different jobs: library vs research tool

This is not a like-for-like comparison, and it would be dishonest to pretend it is. CreepJS is a research and education project. Its goal, stated plainly in its own README, is to study how identifiable browsers are and how anti-detect tooling lies, not to be a drop-in fingerprinting library.

Benny is a production library with one job: return a stable device identity you can build on, with a comparison API and anti-spoof in the box. People often find CreepJS first, because it is the most impressive public demonstration of fingerprinting, then realize they cannot actually install it as their identity layer.

So read this page as follows: if CreepJS is what sent you down this path, here is what you were probably looking for, and where CreepJS is still the better tool.

Distribution: install it vs host it

CreepJS has no npm package. The supported way to use it is the hosted demo, or cloning the source and standing it up yourself. That is entirely reasonable for a research tool you run to inspect a browser, and awkward for a dependency you want in production.

Benny is an npm install and a function call. No account, no API key, no cookies, no server to host. The identity comes back client-side in one call.

If your plan was to install CreepJS and call it, that path does not exist. Benny is the library-shaped option.

What you get: a stable ID vs a trust report

CreepJS produces a trust score and a detailed, per-signal breakdown built to expose inconsistencies. It is excellent for understanding entropy and catching browsers that lie. It is not built to hand you the same identifier reliably on the next visit, which is the one thing an identity layer has to do.

Benny returns two hashes designed to be stable: a per-browser fingerprint, and a hardwareFingerprint that stays identical across Chrome, Safari, Firefox, and Brave on the same device. Plus compareFingerprints to score how similar two of them are.

Trust report versus stable ID is the core split. They are complementary outputs, not interchangeable ones.

Anti-spoof: both do it, different shapes

Spoof detection is where the two genuinely overlap. CreepJS is arguably the deepest public exploration of lie detection: cross-property consistency, anti-detect browser signatures, and headless and tampered-API checks. As a research surface for studying evasion, it is hard to beat.

Benny ships a narrower, rule-based consistency check inside a production library. Every fingerprint result carries a score, a list of flags, and a spoofLikelihood rating of low, medium, or high, in the free tier. It is built to run on every request in production, not to be read by a human auditor.

If your goal is to study spoofing, CreepJS goes deeper. If your goal is a spoof signal attached to a usable identity, that is Benny.

Where CreepJS is ahead

Honesty time. For its actual purpose, CreepJS is excellent, and Benny does not try to replace it.

It is fully open and MIT-licensed. You can read every check, fork it, and learn from it. Benny is closed-source. If you want to study exactly how lie detection is implemented, CreepJS is the better teacher.

It is the canonical entropy-audit tool. For inspecting how identifiable a specific browser is, or testing an anti-detect setup, CreepJS's depth and its live demo are the standard. Use it for auditing and research; that is what it is built for.

Frequently asked questions

Can I use CreepJS as a fingerprinting library in my app?

Not really. CreepJS is a research and education tool with no npm package, and its README explicitly says it is not meant to be a fingerprinting library. It produces a trust score and a lie-detection report rather than a stable identifier you would build on. For a production device ID, a library like Benny the Doorman is the right category.

What is the difference between CreepJS and Benny the Doorman?

CreepJS is an open-source research tool that detects spoofing and shows how identifiable a browser is. Benny is a production library that returns a stable per-browser fingerprint and a cross-browser hardwareFingerprint, with a comparison API and anti-spoof built in. One is for auditing, the other is for shipping an identity layer.

Is CreepJS open source?

Yes. CreepJS is MIT-licensed and its full source is on GitHub, which is part of why it is such a good teaching and auditing tool. Benny is closed-source. If reading and forking the implementation matters to you, CreepJS is the more open option.

Which should I use for production anti-fraud, CreepJS or Benny?

Benny. CreepJS is built for research and runs as a hosted demo, not as an installable production dependency, and it does not return a stable ID. Benny ships an npm package with a stable identity, a compareFingerprints API, and a free anti-spoof score designed to run on every request.

What is CreepJS best for?

Auditing your own entropy and studying anti-detect browsers. It is the canonical tool for seeing how identifiable a specific browser is and how tampered or spoofed browsers reveal themselves. For a stable identifier in an application, use a library such as Benny the Doorman instead.

Benny is best for you if…

You need a stable device identity you can install and ship, not a report to read.
You need to recognize the same device across Chrome, Safari, and Firefox without standing up a server.
You are building anti-fraud and want a compareFingerprints API plus a free anti-spoof signal on every result.
You want a maintained npm package with no account and no server to host.

CreepJS is better for you if…

You are auditing how identifiable your own browser or anti-detect setup is.
You are researching or learning how fingerprinting and lie detection actually work.
You want fully open, MIT-licensed source you can read and fork.
You do not need a stable identifier or a library you can install in production.

Or use them together

These two compose naturally, because one is for studying the problem and the other is for shipping the solution.

Audit with CreepJS, ship with Benny
Use CreepJS to understand how identifiable your traffic is and where entropy comes from, then deploy Benny as the production identity and anti-spoof layer once you know what you are working with.
Study evasion, then defend against it
Use CreepJS to research how anti-detect browsers lie, then rely on Benny's consistency check to flag those same patterns in production on every request.
Validate your signals
Run CreepJS against the browsers you care about to sanity-check which signals carry entropy, and let that inform how you weight Benny's compareFingerprints modes.