Validate - tracenow

POST https://api.tracenow.io/validate The /validate endpoint verifies a device token issued by /identify, enforces single-use replay protection, and returns automation signals for the device. Call this server-side when you receive a dt_... token from the browser. Device tokens are single-use — attempting to validate the same token twice returns an error. This endpoint uses a publishable key.

Request

{
  "publishable_key": "pk_live_xxxxxxxxxxxxxxxxxxxx",
  "device_token": "dt_eyJ..."
}

Field	Type	Required	Description
`publishable_key`	string	Yes	Publishable key from your dashboard (`pk_live_...`).
`device_token`	string	Yes	Device token (`dt_...`) returned by `/identify`.

Response

{
  "valid": true,
  "visitor_id": "vis_01J9ZQK2XVBP3N7M4FGHD8R5TW",
  "is_headless": false,
  "automation_detected": false,
  "canvas_randomized": false,
  "timezone_ip_mismatch": false
}

Field	Type	Description
`valid`	boolean	True if the token signature is valid and has not been replayed.
`visitor_id`	string	Stable device identifier. Consistent with the `visitor_id` returned by `/identify`.
`is_headless`	boolean	True if the browser was identified as a headless environment (e.g. Puppeteer, Playwright).
`automation_detected`	boolean	True if automation framework signals were detected (e.g. `navigator.webdriver = true`).
`canvas_randomized`	boolean	True if canvas output differs from baseline in a pattern consistent with anti-fingerprint tooling.
`timezone_ip_mismatch`	boolean	True if the browser-reported timezone does not match the expected timezone for the IP geolocation.

Error responses

Status	Body	Meaning
`401`	`invalid_token`	Token signature is invalid or expired.
`409`	`token_replayed`	This token has already been validated (single-use enforcement).
`422`	`invalid_key`	Publishable key not found or inactive.

​Request

​Response

​Error responses

Request

Response

Error responses