Login Protection
Protect your login flow from credential stuffing, brute force, and account takeover attacks.
Login pages are the #1 target for automated attacks. This guide shows how to integrate VerifyStack to block credential stuffing, brute force, and account takeover attempts without adding friction for legitimate users.
Architecture
Flow
User submits login form
  → Browser SDK collects signals (automatic)
  → vs.decide({ action: 'login', userId })
  → VerifyStack returns decision
  → Your app: allow / challenge (MFA) / deny
Client-Side Integration
Login form handler (JavaScript)

import { VerifyStack } from 'https://verifystack.io/sdk/browser.mjs';

// Publishable (pk_) key only; secret (sk_) keys stay on your server.
const vs = new VerifyStack({
  apiKey: 'pk_live_xxxxxxxxx',
  endpoint: 'https://verifystack.io'
});

// showError() and showMfaChallenge() are your application's own UI helpers.
async function handleLogin(email, password) {
  // Ask for a risk decision before the credentials are submitted.
  const decision = await vs.decide({
    action: 'login',
    userId: email,
    email
  });

  if (decision.decision === 'deny') {
    showError('Login blocked for security reasons.');
    return;
  }

  if (decision.decision === 'challenge') {
    await showMfaChallenge();
  }

  // requestId travels with the credentials so the server can tie this
  // login attempt to the decision above.
  const response = await fetch('/api/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, password, requestId: decision.requestId })
  });
  const result = await response.json();

  if (!result.success) {
    // Send feedback from your server (never expose sk_ keys in client code)
    // Note: this reports every failed login with actualOutcome 'fraud'.
    await fetch('/api/verifystack-feedback', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        decisionId: decision.requestId,
        actualOutcome: 'fraud',
        notes: 'credential_failure'
      })
    });
  }
}

Recommended Policies
- Block > 5 failed logins from the same IP in 10 minutes
- Challenge logins from new devices or unusual locations
- Deny logins from known Tor exit nodes or data center IPs
- Challenge logins with impossible travel (e.g. US → Russia in 30 min)
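To make the first and last policies concrete, here is a local model of what they compute, useful for unit-testing thresholds before relying on them. It is an added example, not VerifyStack SDK code or the vendor's implementation; `LoginPolicy`, its methods, the 900 km/h speed limit, the one-minute elapsed-time floor and the GeoIP-derived `lat`/`lon` fields are all assumptions.

```javascript
// Added example: a local model of two of the policies above. Names are hypothetical.
const WINDOW_MS = 10 * 60 * 1000; // "10 minutes"
const MAX_FAILURES = 5;           // deny once failures exceed this
const MAX_SPEED_KMH = 900;        // assumption: about airliner cruising speed
const MIN_ELAPSED_MS = 60 * 1000; // floor, avoids dividing by ~0 for rapid logins

class LoginPolicy {
  constructor() {
    this.failuresByIp = new Map();    // ip -> timestamps (ms) of failed logins
    this.lastLoginByUser = new Map(); // userId -> { lat, lon, ts } of last success
  }

  // Great-circle distance in km (haversine formula, Earth radius 6371 km).
  static distanceKm(a, b) {
    const rad = (deg) => (deg * Math.PI) / 180;
    const dLat = rad(b.lat - a.lat);
    const dLon = rad(b.lon - a.lon);
    const h = Math.sin(dLat / 2) ** 2 +
      Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
    return 2 * 6371 * Math.asin(Math.min(1, Math.sqrt(h)));
  }

  // Drop failures older than the window, return how many remain.
  recentFailures(ip, now) {
    const kept = (this.failuresByIp.get(ip) || []).filter((t) => now - t < WINDOW_MS);
    if (kept.length) this.failuresByIp.set(ip, kept);
    else this.failuresByIp.delete(ip);
    return kept.length;
  }

  // Call before the password check. Returns 'allow', 'challenge' or 'deny'.
  decide({ ip, userId, lat, lon, ts }) {
    if (this.recentFailures(ip, ts) > MAX_FAILURES) return 'deny';
    const prev = this.lastLoginByUser.get(userId);
    if (prev) {
      const hours = Math.max(Math.abs(ts - prev.ts), MIN_ELAPSED_MS) / 3600000;
      const speed = LoginPolicy.distanceKm(prev, { lat, lon }) / hours;
      if (speed > MAX_SPEED_KMH) return 'challenge';
    }
    return 'allow';
  }

  // Call after the password check with its result.
  record({ ip, userId, lat, lon, ts }, success) {
    if (success) this.lastLoginByUser.set(userId, { lat, lon, ts });
    else this.failuresByIp.set(ip, [...(this.failuresByIp.get(ip) || []), ts]);
  }
}
```

Because the rule is "more than 5", the sixth failure inside the window is the one that triggers a deny, and the block lifts on its own once the failures age out of the 10-minute window.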
Submit /feedback after confirmed outcomes (fraud or legitimate). This improves calibration and policy quality over time.