Modern sophisticated bots don’t look like bots. They execute JavaScript, solve CAPTCHAs, and navigate interfaces like real users. Tools like Playwright and Puppeteer can script human-like behavior from page load to form submission.
Traditional defenses like checking headers or rate limits aren't enough. Bots that blend in by design are hard to detect and expensive to ignore.
Enter BotID: A new layer of protection on Vercel.
Think of it as an invisible CAPTCHA to stop browser automation before it reaches your backend. It’s built to protect critical routes where automated abuse has real cost such as checkouts, logins, signups, APIs, or actions that trigger expensive backend operations like LLM-powered endpoints.
import { checkBotId } from "botid/server";
export async function POST(req: Request) { const { isBot } = await checkBotId();
if (isBot) { return new Response("Access Denied", { status: 403 }); }
const result = await expensiveOrCriticalOperation();
return new Response("Success!");}Setup is simple with no config files or tuning required. Install the package, setup rewrites, mount the client, and verify requests server-side.
Link to headingHow BotID works
BotID is available in two modes: Basic (enabled by default) and Deep Analysis, which adds advanced detection checks.
Detection starts at the session level. BotID injects lightweight, obfuscated code into the requester’s environment that evolves on every load and is designed to resist replay, tampering, and static analysis. It runs invisibly with no CAPTCHAs or changes to the user experience.
Unlike traditional defenses, BotID doesn’t rely on static signals like user-agent headers or IP ranges, which are easy to fake and become outdated. It also avoids more intrusive methods like CAPTCHAs, heuristics, and reputation scores, which can frustrate or block real users.
Instead, BotID counters the most advanced bots by:
Silently collecting thousands of signals that distinguish human users from bots
Mutating detection logic on every load to prevent reverse engineering and making spoofing difficult
Feeding attack patterns into a global machine learning network that continuously improves protection for all
BotID is fast, reliable, and built for developers. Server-side verification takes a single function call. There's nothing to configure, no API keys to manage, and no scores or thresholds to tune. Requests that are tested for validation are returned with an unambiguous pass or fail answer.
Link to headingDeep Analysis powered by Kasada
BotID with Deep Analysis is powered by Kasada, whose detection engine protects some of the most targeted platforms on the internet. Their system is hardened against real-world adversaries: bots that retool quickly, replay sessions, and adapt to static defenses.
Because Kasada is integrated directly into the Vercel platform, there’s no separate service to sign up for or set up. Just install the package, define routes you want to block automation on, and deploy.
We've been using Kasada’s enterprise-grade defenses to protect our high-value apps, such as v0.app, for a while now. Now you can do the same. Kasada’s detection runs automatically with your deployment, bringing enterprise-grade protection to your most critical routes.
Link to headingBotID: For teams of all sizes
BotID is designed for teams dealing with targeted automation that slips past conventional defenses. These aren’t generic bots. They behave like real users and move through high-value flows, creating real cost when left unchecked.
That might look like scalpers attacking limited checkouts, fake accounts flooding signups, or credential stuffing targeting login endpoints. It also includes scraping dashboards, pricing pages, or APIs that expose business logic or drive up compute usage.
BotID is built to protect the parts of your app that matter most, without getting in the way of actual users.
Link to headingAvailable now
We already protect against automated traffic with platform-level measures such as DDoS mitigation, WAF rules, and bot challenges for non-browser clients. BotID extends that protection with a new, sophisticated layer designed to block automation that mimics real users and targets the most critical routes.
BotID is now available to all teams, with Deep Analysis powered by Kasada available to Pro and Enterprise teams.
Protect your AI endpoints with Vercel BotID
Stop bots from draining your AI budget: see how to gate your endpoints with Vercel BotID in a few steps.
Read the guide