# Zero Trust Mode

When you identify browsers or devices with Fingerprint, you get back the visitor ID value.\
You can use this value in your business logic to find suspicious activity or for marketing analytics.\
By default, this value is sent back to your browser or device where you can read it and do something with it, e.g. send it to your server for storage and analysis.\
This works fine in most cases, but in security-critical applications you may want Fingerprint **not** to send the visitor ID back to the client device, so that the value stays hidden and can only be read on the server with your secret API key.\
In that case, the client gets back a random event ID value that you can use later to [read the actual visitor ID server-side](/reference/server-api-v4-get-event).\
This mode of running the identification and not sending the visitor ID back to the client device is called **Zero Trust Mode**.

The Fingerprint API supports **Zero Trust Mode** to make it very difficult to send malicious identification requests that impersonate other visitors.\
Zero Trust Mode is implemented internally by *identification result hiding* and *strict origin-checking* features.

## Identification Result Hiding

Zero Trust Mode requires this feature to avoid sending the identification results to end-user browsers.

When enabled, the `visitor_id` field will not be sent to the end-user browser. The [event\_id](/reference/js-agent-v4-get-function#event_id) field will still be returned to get the full results later using our [Server API](/reference/server-api-v4-get-event).\
Importantly, when Zero Trust Mode is enabled, you will still get full results through the [webhook](/reference/posteventwebhook).

In addition to the `event_id`, the [JavaScript agent response](/reference/js-agent-v4-get-function#get-response) will include a new field called `zero_trust` that will list all the fields that were hidden:

```json theme={"theme":"github-dark-dimmed"}
{
  "event_id": "...",
  "zero_trust": {
    "hidden_fields": ["visitor_id"],
    "comment": "The result was hidden because of the workspace configuration."
  }
}
```

Likewise, the iOS and Android client agents will not receive the visitor ID directly, only an event ID and other metadata.

## Strict Origin Checking

In all modern browsers, the [Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) header is automatically included in all cross-origin requests.\
Websites cannot spoof this header. However, some signals collected by the [JavaScript agent](/reference/js-agent-v4) can be spoofed.

When Zero Trust Mode is enabled, the *strict origin-checking* feature detects inconsistencies between the data collected by the JavaScript agent and the request headers that a website cannot spoof in the browser. These headers are the [Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) and the [Referer](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer). Identification requests with inconsistencies are rejected by the server. This ensures that the `url` and `client_referrer` values can’t be spoofed. That is important because `url` and `client_referrer` are exposed in our Server API and Webhook responses.
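
The flow described above, as an added example (not Fingerprint's own code): the backend accepts only the `event_id` from the client and validates the event it later fetches server-side before trusting the visitor ID. The Server API call itself is not shown, and the flattened event shape, `EXPECTED_ORIGIN`, `MAX_EVENT_ID_LENGTH`, the function names and the sample values are assumptions made for illustration.

```javascript
// Added example; names, event shape and sample values are assumptions.
const EXPECTED_ORIGIN = "https://app.example.com"; // constructed value
const MAX_EVENT_ID_LENGTH = 128; // assumed sanity bound, not a documented limit

// Step 1: from the agent result the client posted, keep only the event_id.
function extractEventId(clientResult) {
  if (clientResult === null || typeof clientResult !== "object") {
    throw new Error("malformed client result");
  }
  // In Zero Trust Mode the client never holds a visitor ID, so one that
  // arrives from the client is untrusted input and the request is rejected.
  if ("visitor_id" in clientResult) {
    throw new Error("client supplied a visitor_id");
  }
  const id = clientResult.event_id;
  if (typeof id !== "string" || id === "" || id.length > MAX_EVENT_ID_LENGTH) {
    throw new Error("missing or invalid event_id");
  }
  return id;
}

// Step 2: once the backend has fetched the event with its secret API key
// (call not shown), validate it before using the visitor ID.
function visitorIdFromEvent(event, eventId, expectedOrigin = EXPECTED_ORIGIN) {
  if (event.event_id !== eventId) {
    throw new Error("event does not match the requested event_id");
  }
  // Strict origin checking makes url reliable, so it can be compared with
  // the origin this backend serves.
  if (new URL(event.url).origin !== expectedOrigin) {
    throw new Error("event was recorded on an unexpected origin");
  }
  if (typeof event.visitor_id !== "string" || event.visitor_id === "") {
    throw new Error("event has no visitor_id");
  }
  return event.visitor_id;
}

// Constructed samples: a client result in the format shown above, and a
// hypothetical flattened view of the event fetched server-side.
const sampleClientResult = {
  event_id: "evt-constructed-0001",
  zero_trust: { hidden_fields: ["visitor_id"], comment: "..." },
};
const sampleEvent = {
  event_id: "evt-constructed-0001",
  visitor_id: "visitor-constructed-0001",
  url: "https://app.example.com/login",
};
console.log(visitorIdFromEvent(sampleEvent, extractEventId(sampleClientResult)));
```
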

You can use Zero Trust Mode with the [request filtering](/docs/request-filtering) feature for additional security.

This mode is only available for the [Enterprise](https://fingerprintjs.com/pricing/) plan. It can be enabled on a per-workspace level.

<Note>
  If you would like to try this mode or learn more, please contact [our support team](https://fingerprint.com/support/).
</Note>
