ClickProtect
Real-time click-fraud verdicts for your affiliate and paid-traffic clicks.
What is ClickProtect?
ClickProtect is a drop-in JavaScript tag that scores every click on your tracker or landing page in under 100 milliseconds. Each click receives a verdict — clean, review, or fraud — based on 12 fraud signals including IP reputation, headless-browser detection, geographic mismatch, and cross-affiliate fingerprint correlation.
If the verdict is fraud, fraudulent visitors are redirected to a safe URL of your choosing. Real visitors continue to your offer with zero added latency.
How it works
They arrive at your tracker or landing page where the clickprotect.js tag is loaded asynchronously.
The script generates a SHA-256 fingerprint from canvas rendering, user-agent, screen dimensions, timezone, and hardware. No cookies, no PII.
The API runs the click through 12 fraud signals: datacenter / VPN / Tor IPs, headless flags, geo mismatch, click velocity, cross-affiliate fingerprint correlation, and more.
Returns clean (load offer), review (manual approval recommended), or fraud (redirect to safe URL). A click_id is stored in localStorage for later conversion validation.
Two-page integration pattern
ClickProtect needs two script placements: one on your landing page where the visitor arrives (fires /v3/click), and one on your thank-you / conversion page where the visitor completes the action (fires /v3/conversion-check). The click_id is automatically carried between them via localStorage. Both pages must be on the same origin (same scheme + host + port) for localStorage to be shared.
Setup — one script tag
Paste this tag on your tracker or landing page. The script tag works on any tracker — Voluum, Binom, RedTrack, BeMob, or your own.
<script src="https://cdn.zerobot.info/clickprotect.js" data-key="YOUR_LICENSE_KEY" data-campaign="CAMPAIGN_42" data-affiliate="AFF_198" data-fraud-redirect="https://example.com/safe"></script>
Required and optional attributes
data-key— Your ZeroBot license key (required).data-campaign— Campaign identifier you choose (recommended).data-affiliate— Affiliate ID — enables cross-affiliate fraud detection.data-fraud-redirect— Safe URL to redirect fraud verdicts (optional).data-allow-countries— Comma-separated 2-letter country codes (e.g. "US" or "US,CA"). When set, visitors whose IP-geo country is not in the list get an instant fraud verdict. Use for geo-targeted CPA offers.data-conversion-only— Set to "1" on thank-you / conversion pages so the script skips firing /v3/click (which would otherwise create a duplicate empty click_event). The conversion() API still works.data-country— Visitor's claimed country code (optional).
Understanding verdicts
Score below 50. No suspicious signals. Load your offer normally.
Score 50 to 69. Some suspicious signals but not conclusive. Visitor continues; flag for manual review.
Score 70 or higher. Strong fraud signals. Visitor is redirected to the safe URL if data-fraud-redirect is set.
Per-license settings
Every license has its own ClickProtect tuning panel under Dashboard → ClickProtect → Settings. The free tier exposes two safe defaults; paid plans unlock the rest.
Real humans take time to fill out a form. Instant conversions are almost always bots replaying click events. Set the floor and we refuse anything faster.
Default: 3 seconds. Range: 0–3600. When the elapsed time between the click and the conversion postback is below this value, the conversion is refused with reason conversion_velocity. Set to 0 to disable this check entirely.
Trackers sometimes retry the conversion postback on network glitches. Dedupe so those retries don’t inflate your stats.
Default: on. When on, the second (and later) call to /v3/conversion-check for the same click_id returns the original verdict without writing a new row. When off, every call writes a new row and is re-scored independently.
Flag when the same IP submits multiple conversions for your license. Useful for one-lead-per-person offers like loan applications, credit-card signups or insurance quotes.
Default: 1. The Nth conversion from the same IP (within the lookback window below) is flagged.
Default: 24 hours. Range: 1–720. How far back we look when counting prior conversions from this IP.
Default: off. When on, exceeding the threshold instantly refuses the conversion (score 100, reason conversion_ip_repeat_strict). When off, it adds 25 points to the score so other signals can combine before a verdict is reached.
Stronger than IP — catches the same physical device even when it changes IPs (NAT, mobile carrier rotation, VPN cycling).
Default: 1. The Nth conversion from the same browser fingerprint (within the window below) is flagged.
Default: 7 days. Range: 1–90. How far back we look when counting prior conversions from this fingerprint.
Default: off. When on, exceeding the threshold instantly refuses (score 100, reason conversion_fp_repeat_strict). When off, it adds 35 points to the score.
By default, visitors in incognito / private mode get a +15 score with reason incognito_browser. Real users use incognito too (privacy, shared computers, journalists), so turn this off if your audience leans privacy-conscious.
Default: off (apply the +15 penalty). When on, incognito visitors are scored exactly like normal visitors and the incognito_browser reason is suppressed.
Conversion postback
On your thank-you / conversion page, call ZBClickProtect.conversion() to validate whether the converting click was clean. The return verdict — paid, review, or refused — lets you reconcile conversions with your traffic source.
<script> ZBClickProtect.conversion().then(v => { // v.verdict = "paid" | "review" | "refused" console.log(v); }); </script>
Subscription tiers
Every license starts with a 100-event free trial. Pick a plan to unlock continued protection and tier-specific features.
- Free trial — 100 lifetime events · all 12 fraud signals · 7-day history
- Starter — $100/mo — 10,000 events/mo · 7-day history · email support
- Growth — $300/mo — 100,000 events/mo · 30-day history · per-affiliate dashboard · CSV export · priority support
- Network — $800/mo — 1,000,000 events/mo · 90-day history · webhook stream · reputation API · Slack support
Frequently asked questions
How is ClickProtect different from the standard ZeroBot AntiBot plan?
AntiBot protects the affiliate link itself — bots get redirected before reaching your offer. ClickProtect operates on the tracker / landing-page layer, giving you a per-click verdict so you can dispute fraudulent traffic with your traffic source. Many customers run both.
Does it slow down my landing page?
The script is under 6 KB gzipped and runs asynchronously after page render. Measured impact on Largest Contentful Paint is under 15 milliseconds.
What happens when I hit my monthly limit?
The /v3/click endpoint returns HTTP 429 and stops scoring new clicks. Your visitors continue normally — they are never blocked on billing state. Upgrade your plan or wait for the next billing period to resume protection.
How does cross-affiliate fingerprint correlation work?
Every click writes a fingerprint hash to our database. When a new click arrives, we look up the last 60 minutes of clicks with the same fingerprint across your entire affiliate base. If 3 or more distinct affiliate IDs match, the score is escalated. This catches bot farms cycling through subs of the same offer — impossible to detect with single-affiliate tools.
Need help? Our support team is always ready to assist via Telegram or the ZeroBot dashboard chat.