Skip to main content

Overview

This tutorial walks through implementing Fingerprint to prevent coupon abuse, where customers or fraudsters repeatedly redeem a discount code meant for one-per-user use. You’ll begin with a starter app that includes a mock checkout page and a basic coupon flow. From there, you’ll add the Fingerprint JavaScript agent to identify each visitor and use server-side logic with Fingerprint data to check if they’ve already redeemed the coupon. This way, you can block repeat coupon redemptions from the same visitor. By the end, you’ll have a sample app that enforces one-time coupon usage per visitor and can be customized to fit your use case and business rules. This tutorial uses just plain JavaScript and a Node server with SQLite on the back end. For language- or framework-specific setups, see our quickstarts.
Estimated time: < 15 minutes

Prerequisites

Before you begin, make sure you have the following:
  • A copy of the starter repository (clone with Git or download as a ZIP)
  • Node.js (v20 or later) and npm installed
  • Your favorite code editor
  • Basic knowledge of JavaScript

1. Create a Fingerprint account and get your API keys

  1. Sign up for a free Fingerprint trial, or log in if you already have an account.
  2. After signing in, go to the API keys page in the dashboard.
  3. Save your public API key, which you’ll use to initialize the Fingerprint JavaScript agent.
  4. Create and securely store a secret API key for your server. Never expose it on the client side. You’ll use this key on the backend to retrieve full visitor information through the Fingerprint Server API.

2. Set up your project

  1. Clone or download the starter repository and open it in your editor.
Terminal
git clone https://github.com/fingerprintjs/use-case-tutorials.git
  1. This tutorial will be using the coupon-abuse folder. The project is organized as follows:
Project structure
.
├── public/
│   ├── index.html    # Checkout page with a coupon form
│   └── index.js      # Front-end logic to handle form submission
├── server/
│   ├── server.js     # Serves static files and coupon validation endpoint
│   ├── db.js         # Initializes SQLite and exports a database connection
│   └── coupons.js    # Coupon validation logic
└── .env.example      # Example environment variables
  1. Install dependencies:
Terminal
npm install
  1. Copy or rename .env.example to .env, then add your Fingerprint API keys:
Terminal
FP_PUBLIC_API_KEY=your-public-key
FP_SECRET_API_KEY=your-secret-key
  1. Start the server:
Terminal
npm run dev
  1. Visit http://localhost:3000 to view the mock checkout page from the starter app. You can test out the basic coupon flow by entering a valid coupon code (e.g., WELCOME20, SAVE10) and clicking Apply. You’ll notice the same coupon can currently be redeemed multiple times.

3. Add Fingerprint to the front end

In this step, you’ll load the Fingerprint client when the page loads and trigger identification when the user clicks Apply. The client returns both a visitorId and a requestId. Instead of relying on the visitorId from the browser, you’ll send the requestId to your server along with the coupon code. The server will then call the Fingerprint Events API to securely retrieve the full identification details, including the verified visitorId and risk signals such as browser tampering or bot activity.
  1. At the top of public/index.js, load the Fingerprint JavaScript agent:
public/index.js
const fpPromise = import(
  `https://fpjscdn.net/v3/${window.FP_PUBLIC_API_KEY}`
).then((FingerprintJS) => FingerprintJS.load({ region: "us" }));
  1. Make sure to change region to match your workspace region (e.g., eu for Europe, ap for Asia, us for Global (default)).
  2. Near the bottom of public/index.js, the Apply button already has an event handler set up for submitting a coupon. Inside this handler, request visitor identification from Fingerprint using the get() method and include the returned requestId when sending the coupon code to the server:
public/index.js
applyBtn.addEventListener("click", async () => {
  // ...

  const fp = await fpPromise;
  const { requestId } = await fp.get();

  try {
    const res = await fetch("/api/validate-coupon", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ coupon: code, requestId }),
    });
    const data = await res.json();

    // ...
  }
});
The get() method sends signals collected from the browser to Fingerprint servers, where they are analyzed to identify the visitor. The returned requestId acts as a reference to this specific identification event, which your server can later use to fetch the full visitor details. For lower latency in production, check out our documentation on using Sealed Client Results to return full identification details as an encrypted payload from the get() method.

4. Receive and use the request ID to get visitor insights

Next, pass the requestId through to your coupon validation logic, initialize the Fingerprint Server API client, and fetch the full visitor identification event so you can access the trusted visitorId and Smart Signals.
  1. In the back end, the server/server.js file defines the API routes for the app. Update the /api/validate-coupon route there to also extract requestId from the request body and pass it into the validateCoupon function.
server/server.js
app.post("/api/validate-coupon", async (req, reply) => {
  const { coupon, requestId } = req.body || {};
  const code = (coupon || "").toUpperCase().trim();

  const result = await validateCoupon(code, requestId);
  return reply.send(result);
});
  1. The server/coupons.js file contains the logic for validating coupons. Start by importing and initializing the Fingerprint Server API client there, and load your environment variables with dotenv.
server/coupons.js
import { db } from "./db.js";
import { config } from "dotenv";
import {
  FingerprintJsServerApiClient,
  Region,
} from "@fingerprintjs/fingerprintjs-pro-server-api";

config();

const fpServerApiClient = new FingerprintJsServerApiClient({
  apiKey: process.env.FP_SECRET_API_KEY,
  region: Region.Global,
});
  1. Make sure to change region to match your workspace region (e.g., EU for Europe, AP for Asia, Global for Global (default)).
  2. Update the validateCoupon function to accept requestId and use it to fetch the full identification event details from Fingerprint:
server/coupons.js
export async function validateCoupon(code, requestId) {
  if (!code) {
    console.error("Missing coupon code.");
    return { success: false, error: "Coupon validation failed." };
  }

  if (!requestId) {
    console.error("Missing requestId.");
    return { success: false, error: "Coupon validation failed." };
  }

  const coupon = getValidCoupon(code);
  if (!coupon) {
    console.error("Invalid coupon code.");
    return { success: false, error: "Coupon validation failed." };
  }

  const event = await fpServerApiClient.getEvent(requestId);

  // ...
}
Using the requestId, the Fingerprint server client will retrieve the full data for the visitor identification request. The returned object will contain the visitor ID, IP address, device, and browser details, and Smart Signals like bot detection, browser tampering detection, VPN detection, and more. You can see a full example of the event structure and test it with your own device in our demo playground. For additional checks to ensure the validity of the data coming from your front end, view how to protect from client-side tampering and replay attacks in our documentation.

5. Block bots and suspicious devices

This optional step uses the Bot Detection and Suspect Score Smart Signals, which are only available on paid plans.
A simple but powerful way to prevent fraudulent coupon abuse is to block automated applications that come from bots. The event object includes the Bot Detection Smart Signal that flags automated activity, making it easy to reject bot traffic. This signal returns good for known bots like search engines, bad for automation tools, headless browsers, or other signs of automation, and notDetected when no bot activity is found.
  1. Continuing in the validateCoupon function in server/coupons.js, check the bot signal returned in the event object:
server/coupons.js
export async function validateCoupon(code, requestId) {
  // ...

  const event = await fpServerApiClient.getEvent(requestId);

  const botDetected = event.products?.botd?.data?.bot?.result !== "notDetected";

  if (botDetected) {
    console.error("Bot detected.");
    return { success: false, error: "Coupon validation failed." };
  }

  // ...
}
You can also use Fingerprint’s Suspect Score to flag suspicious coupon redemption attempts. The Suspect Score is a weighted representation of all Smart Signals present in the identification payload, helping to identify suspicious activity. While it’s not typical to block actions based solely on a high risk score, this example shows how you might incorporate it. In a real application, a better approach would be to flag the attempt for review or add some additional friction.
  1. Below the bot detection check, add a condition that reads the Suspect Score from the event object and blocks the coupon if it exceeds a chosen threshold (for example, 20):
server/coupons.js
export async function validateCoupon(code, requestId) {
  // ...

  const suspectScore = event.products?.suspectScore?.data?.result || 0;

  if (suspectScore > 20) {
    console.error(`High Suspect Score detected: ${suspectScore}`);
    return { success: false, error: "Coupon validation failed." };
  }

  // ...
}

6. Prevent multiple uses of coupons per visitor

Next, use the trusted visitorId from the event object to enforce one-time coupon usage per visitor. If the same visitorId tries to reuse the same coupon code, return a failure; otherwise, record the redemption and allow it. (This example simplifies coupon redemption logic for demonstration purposes.) This makes coupon rules enforceable at the device level, not just the account level. Even if someone creates new accounts or checks out as a guest, the redemption is still linked to their device, keeping one-time coupons truly one-time. Note: The starter app includes a SQLite database with these tables already created for you:
SQLite database tables
coupons - Stores available coupon codes and discounts
  code TEXT PRIMARY KEY
  discountPct INTEGER NOT NULL

redemptions - Records which devices (visitorId) have redeemed a coupon
  id INTEGER PRIMARY KEY AUTOINCREMENT
  code TEXT NOT NULL
  visitorId TEXT
  createdAt INTEGER NOT NULL
  1. Add some helper functions to the bottom of the server/coupons.js file to check and record coupon redemptions:
server/coupons.js
// Check if the visitor has already redeemed the coupon code
function hasRedeemed(code, visitorId) {
  return !!db
    .prepare(
      `SELECT 1 FROM redemptions WHERE code = ? AND visitorId = ? LIMIT 1`
    )
    .get(code, visitorId);
}

// Record the visitor redeeming the coupon
function recordRedemption(code, visitorId) {
  db.prepare(
    `INSERT INTO redemptions (code, visitorId, createdAt) VALUES (?, ?, ?)`
  ).run(code, visitorId, Date.now());
}
  1. Update validateCoupon to retrieve the visitorId and use it to enforce the one-per-visitor coupon redemption rule and record successful redemptions:
server/coupons.js
export async function validateCoupon(code, requestId) {
  // ...

  if (botDetected) {
    console.error("Bot detected.");
    return { success: false, error: "Coupon validation failed." };
  }

  const visitorId = event.products.identification.data.visitorId;

  if (hasRedeemed(coupon.code, visitorId)) {
    console.error("Coupon has already been redeemed.");
    return { success: false, error: "Coupon has already been redeemed." };
  }

  recordRedemption(coupon.code, visitorId);

  return { success: true, ...coupon };
}
This gives you a system to detect and block coupon abuse. You can extend it by allowing a limited number of redemptions per device, tailoring responses to your business rules, checking only recent redemption activity, etc.
This is a minimal example to show how to implement Fingerprint. In a real application, make sure to implement proper security practices, error checking, and data handling that align with your production standards.

7. Test your implementation

Now that everything is wired up, you can test the full protected coupon flow using the checkout page.
  1. Start your server if it isn’t already running and open http://localhost:3000:
Terminal
npm run dev
  1. In the checkout form, enter a valid coupon (e.g., WELCOME20, SAVE10) and click Apply. You will see the discount applied.
  2. Try applying the same coupon again. The second attempt will be rejected since the visitor has already redeemed that coupon.
  3. Open the page in incognito and try to use the coupon again, your visitor ID will remain the same and the redemption is still blocked.
  4. Bonus: Test the flow using a headless browser or automation tool to see bot detection in action. A sample script is available in test-bot.js. While your app is running, run the script with node test-bot.js in your terminal and observe that the automated coupon redemptions are blocked.

Next steps

You now have a working coupon redemption flow secured with Fingerprint. From here, you can expand the logic with more Smart Signals, fine-tune rules based on your business policies, or layer in additional checks for suspicious visitors. To dive deeper, explore our other use case tutorials for more step-by-step examples. Check out these related resources: