Social Media
Government
Streaming
Online Delivery
Finance
iGaming
E-commerce
Travel
Ads
Healthcare
Account takeoverPreventing unauthorized logins
Multi-accountingPreventing duplicate accounts
Data scrapingSafeguarding sensitive business data
API AbuseDetecting abnormal API activity
Account sharingIdentifying shared accounts
Fake accountsBlocking fake registrations
Brute force attackBlock automated credential attacks
Form spamFiltering automated submissions
Coupon fraudPreventing promo exploitation
SMS pumpingMitigating SMS-based fraud
Industries
Use Cases
DocumentationBlogPricing
Log in
Start for Free
Kotlin Module
Kotlin Module
Copy Integration Prompt
Integrate BotBye bot protection into a Kotlin JVM application using the botbye kotlin-module. 1. Add the dependency: Maven: <groupId>com.botbye</groupId> <artifactId>kotlin-module</artifactId> <version>2.1.0</version> Gradle: implementation("com.botbye:kotlin-module:2.1.0") 2. Create BotbyeConfig and instantiate Botbye (create once, reuse): val config = BotbyeConfig(serverKey = "00000000-0000-0000-0000-000000000000") val botbye = Botbye(config) 3. In your request handler (suspend fun), extract headers into Map<String, String>, then call evaluate: val token = req.getParameter("botbye_token") ?: "" val headers = req.headerNames.asSequence().associateWith { req.getHeader(it) } val response = botbye.evaluate(BotbyeValidationEvent( ip = req.remoteAddr, token = token, headers = headers, requestMethod = req.method, requestUri = req.requestURI)) 4. Check the response: if (response.isBlocked) { resp.status = 403; return } Response fields: response.decision (ALLOW/CHALLENGE/BLOCK), response.isBlocked, response.riskScore, response.signals, response.scores 5. There are three event types — choose based on available context: - BotbyeValidationEvent — edge-level bot check (request + token only) - BotbyeRiskScoringEvent — domain-level risk scoring (add user, eventType, eventStatus) - BotbyeFullEvent — both in one call (request, token, user, eventType, eventStatus) Full integration guide: https://botbye.com/docs/server-side/kotlin/kotlin-module.md When the integration is complete, ask for the keys and replace the placeholder in the appropriate places.
Ask ChatGPT
Ask Claude
Ask Perplexity

Install

Add the dependency to the project configuration:

Maven

1
2
3
4
5

<dependency>
    <groupId>com.botbye</groupId>
    <artifactId>kotlin-module</artifactId>
    <version>2.1.0</version>
</dependency>

or

Gradle

1

implementation("com.botbye:kotlin-module:2.1.0")

Configuration

Create BotbyeConfig with your server-key (available inside your Project):

1
2
3

val config = BotbyeConfig(serverKey = "00000000-0000-0000-0000-000000000000") // Use your project server-key

val botbye = Botbye(config)

Usage

Add evaluate to your handler

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

suspend fun doGet(req: HttpServletRequest, resp: HttpServletResponse) {
    val headers = req.headerNames.asSequence()
        .associateWith { req.getHeader(it) }

    // Extract the token from wherever you pass it: query param, header, body, etc.
    val token = req.getParameter("botbye_token") ?: ""

    val response = botbye.evaluate(BotbyeValidationEvent(
        ip = req.remoteAddr,
        token = token,
        headers = headers,
        requestMethod = req.method,
        requestUri = req.requestURI,
    ))

    if (response.isBlocked) {
        resp.status = 403
        return
    }
}

There are three event types — validate, risk, and full — each suited for a different layer of your application.

validate — edge-level bot check

Use at the edge — API gateway, route handler, middleware — when you just want to know: was this request made by a bot? No user or domain context needed.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

suspend fun doGet(req: HttpServletRequest, resp: HttpServletResponse) {
    val headers = req.headerNames.asSequence()
        .associateWith { req.getHeader(it) }

    // Extract the token from wherever you pass it: query param, header, body, etc.
    val token = req.getParameter("botbye_token") ?: ""

    val response = botbye.evaluate(BotbyeValidationEvent(
        ip = req.remoteAddr,
        token = token,
        headers = headers,
        requestMethod = req.method,
        requestUri = req.requestURI,
    ))

    if (response.isBlocked) {
        resp.status = 403
        return
    }
}

risk — domain-level risk scoring

Use inside services that already know the user: auth, payments, account management, etc. The purpose shifts from "is this a bot?" to "is something suspicious happening for this user?" — credential stuffing, account takeover, account sharing, logins from a new geo.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

suspend fun onLoginAttempt(ip: String, userId: String, email: String, loginSucceeded: Boolean) {
    val response = botbye.evaluate(BotbyeRiskScoringEvent(
        ip = ip,
        headers = emptyMap(),
        user = BotbyeUserInfo(
            accountId = userId,
            email = email,
        ),
        eventType = "login",
        eventStatus = if (loginSucceeded) BotbyeEventStatus.SUCCESSFUL else BotbyeEventStatus.FAILED,
        botbyeResult = null, // if a validate call was made earlier, pass response.botbyeResult here to link the requests; omit if there was no prior validate
    ))

    if (response.isBlocked) {
        // Lock account, trigger MFA, send alert, etc.
    }
}

Linking validate and risk events

When the same request is evaluated at two layers — for example, once at the edge (validate) and then again inside a domain service (risk) — BotBye can link both events and display them as a single event in the dashboard.

Step 1 — edge layer (filter, interceptor, gateway handler): run validate and capture the result:

1
2
3
4
5
6
7
8
9
10

// e.g. in a filter or interceptor
val edgeResponse = botbye.evaluate(BotbyeValidationEvent(
    ip = req.remoteAddr,
    token = token,
    headers = headers,
    requestMethod = req.method,
    requestUri = req.requestURI,
))
val edgeBotbyeResult = edgeResponse.botbyeResult
// Pass edgeBotbyeResult downstream — a request attribute, function argument, shared context, etc.

Step 2 — domain service (auth, payment, account management): pass it as botbyeResult in the risk call:

1
2
3
4
5
6
7
8
9

// e.g. in AuthService.onLoginAttempt()
val riskResponse = botbye.evaluate(BotbyeRiskScoringEvent(
    ip = ip,
    headers = emptyMap(),
    user = BotbyeUserInfo(accountId = userId, email = email),
    eventType = "login",
    eventStatus = if (loginSucceeded) BotbyeEventStatus.SUCCESSFUL else BotbyeEventStatus.FAILED,
    botbyeResult = edgeBotbyeResult,
))

botbyeResult is null when absent — in that case, omit or pass null and the events will be recorded independently.

full — edge check and domain scoring in one call

Use when you have all context at once: raw request, token, user, and event. A login endpoint is a typical example — it receives the HTTP request and immediately knows the user and outcome.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

suspend fun handleLogin(req: HttpServletRequest, resp: HttpServletResponse) {
    val headers = req.headerNames.asSequence()
        .associateWith { req.getHeader(it) }
    val token = req.getParameter("botbye_token") ?: ""

    val email = req.getParameter("email") ?: ""
    val user = findUser(email)
    val loginSucceeded = user != null && checkPassword(user, req.getParameter("password") ?: "")

    val response = botbye.evaluate(BotbyeFullEvent(
        ip = req.remoteAddr,
        token = token,
        headers = headers,
        requestMethod = req.method,
        requestUri = req.requestURI,
        user = BotbyeUserInfo(
            accountId = user?.id ?: "unknown",
            email = email,
        ),
        eventType = "login",
        eventStatus = if (loginSucceeded) BotbyeEventStatus.SUCCESSFUL else BotbyeEventStatus.FAILED,
    ))

    if (response.isBlocked) {
        resp.status = 403
        return
    }
}

Settings

BotbyeConfig contains next configurable parameters:

Setting Description Required Default Value
botbyeEndpoint Host of the API Server no https://verify.botbye.com
serverKey Your BotBye server-key yes -
contentType Content type for API requests no application/json
readTimeout Read timeout for HTTP client no Duration.ofSeconds(2)
writeTimeout Write timeout for HTTP client no Duration.ofSeconds(2)
connectionTimeout Connection timeout for HTTP client no Duration.ofSeconds(2)
callTimeout Total call timeout no Duration.ofSeconds(5)
maxIdleConnections Max idle connections in the pool no 250
keepAliveDuration Keep-alive duration no Duration.ofSeconds(300)
maxRequestsPerHost Max requests per host no 1500
maxRequests Max requests total no 1500

Examples of BotBye API responses

Blocked (bot detected):

1
2
3
4
5
6
7

{
  "request_id": "f77b2abd-c5d7-44f0-be4f-174b04876583",
  "decision": "BLOCK",
  "risk_score": 0.95,
  "scores": { "bot": 0.95 },
  "signals": ["AutomationTool"]
}

Allowed:

1
2
3
4
5
6
7

{
  "request_id": "f77b2abd-c5d7-44f0-be4f-174b04876583",
  "decision": "ALLOW",
  "risk_score": 0.05,
  "scores": { "bot": 0.05, "ato": 0.02 },
  "signals": []
}

Challenge:

1
2
3
4
5
6
7
8

{
  "request_id": "f77b2abd-c5d7-44f0-be4f-174b04876583",
  "decision": "CHALLENGE",
  "risk_score": 0.65,
  "scores": { "bot": 0.65 },
  "signals": ["SuspiciousFingerprint"],
  "challenge": { "type": "captcha", "token": "..." }
}

Invalid server-key:

1
2
3
4

{
  "decision": "ALLOW",
  "error": { "message": "[BotBye] Bad Request: Invalid Server Key" }
}