Vercel BotID protects authentication endpoints by running browser challenges before requests reach your server. The implementation uses Next.js route handlers to run bot checks (since middleware doesn't support checkBotId()), then manually proxies verified requests to the backend. Client-side scripts intercept fetch requests to protected routes and attach challenge headers, while server-side checks classify sessions as human or bot. The solution blocks malicious bots while allowing verified bots like ChatGPT Operator through. Basic tier is free using client signals; Deep Analysis costs $1 per 1,000 checks for asynchronous investigation.
Sort: