> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fingerprint.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Protecting from payload replay attacks

> Identify malicious actors that capture and replay the client-side request payload using the replayed flag.

The `replayed` flag is a security mechanism designed to detect and mitigate **replay attacks** by verifying the uniqueness of the payload generated by our **JavaScript agent**. If the same payload is seen more than once, the `replayed` flag is raised **silently**, without exposing any information to the attacker.

## Purpose

This flag helps protect against abuse scenarios where attackers attempt to reuse a previously captured payload to manipulate the output of their visitor ID or Smart Signals. The attacker might be trying to evade your Fingerprint-based site protections or simply cause damage by inflating your API call volume.

<Note>
  **Request vs. response replay attacks**

  The `replayed` flag is designed to prevent payload replay attacks targeted against the Fingerprint API. To prevent replay attacks against your own server endpoints, where the attacker reuses something from the Fingerprint API **response** (`event_id` or `visitor_id`), see [Protecting from client-side tampering](/docs/protecting-from-client-side-tampering).
</Note>

### Prevent replay attacks

The `replayed` flag is specifically designed to detect the reuse of payloads generated by our **JavaScript agent**. If an attacker captures and attempts to reuse one of these payloads to spoof a legitimate `visitor_id`, the system sets the `replayed` flag to `true`.

The `replayed` flag is shown in:

* [Sealed Client Results](/docs/sealed-client-results)
* [Server API responses](/reference/server-api)
* [Webhooks](/docs/webhooks)

See the snippet below for an example of protecting your identification logic and preventing account takeovers, session spoofing, and other impersonation attacks.

Note: When using the [JavaScript agent v4](/reference/js-agent-get-function), serialize `sealed_result` before sending it to your server, for example with `result.sealed_result.base64()`.

```javascript theme={"theme":"github-dark-dimmed"}
// ...
export async function loginHandler(request) {
  const { sealed_result_base64 } = await request.json();
  // see our Sealed Client Results guide for more information
  // /docs/sealed-client-results
  const result = unsealEvent(sealed_result_base64); // result is the event payload

  if (result.replayed) {
    return Response.json(
      { message: "Suspicious identification payload detected." },
      { status: 403 },
    );
  }
  // ...
}
```

### Block fraudulent IP addresses

Replay activity frequently originates from bots or attackers operating behind suspicious IP addresses. By monitoring for the `replayed` flag, you can identify and filter out these potentially malicious sources. A common approach is to set up a webhook that inspects incoming traffic for `replayed: true` flags.

```javascript theme={"theme":"github-dark-dimmed"}
// ...
export async function webhookHandler(request: Request) {
  const event = await request.json();

  if (event.replayed) {
    saveIpForBlocklistExport(event.ip)
  }

  fingerprintWebhookDatabase.add(event);
  return Response.json({ message: 'Webhook received', status: 200 });
}
```

When such a flag is detected, you can save the IP address and temporarily add the associated IP address to our request filtering blocklist through the [Dashboard](/docs/network-request-filtering). The blocklist should be cleared after a few days to prevent false positives caused by IP rotations.

### Notice malicious behavior

Replayed payloads are a strong signal of potentially harmful behavior. While legitimate traffic rarely triggers this flag, attackers using automation or engaging in abusive activity—such as scraping, credential stuffing, or API probing—often might. By tracking and analyzing these replay flags, you can proactively detect and mitigate broader patterns of malicious behavior.

This becomes even more effective when combined with other [Smart Signals](/docs/smart-signals-reference) like [`datacenter`](/docs/smart-signals-reference#ip-geolocation) or [`bot`](/docs/smart-signals-reference#browser-bot-detection).

```sql theme={"theme":"github-dark-dimmed"}
SELECT ip, visitorId, jsonExtract("ip_info", "v4.geolocation.country.code")
FROM my_fingerprint_webhook_backups
WHERE replayed = "true" AND
(
  jsonExtract("bot", "result") = "bad" OR
  jsonExtract("ip_info", "v4.geolocation.datacenter") = "true"
)
```

## Availability

The `replayed` flag is available to **all customers**, as part of our core security feature set.
