Social Media
Government
Streaming
Online Delivery
Finance
iGaming
E-commerce
Travel
Ads
Healthcare
Account takeoverPreventing unauthorized logins
Multi-accountingPreventing duplicate accounts
Data scrapingSafeguarding sensitive business data
API AbuseDetecting abnormal API activity
Account sharingIdentifying shared accounts
Fake accountsBlocking fake registrations
Brute force attackBlock automated credential attacks
Form spamFiltering automated submissions
Coupon fraudPreventing promo exploitation
SMS pumpingMitigating SMS-based fraud
Industries
Use Cases
DocumentationBlogPricing
Log in
Start for Free
Spring (Kotlin)
Spring (Kotlin)
Copy Integration Prompt
Integrate BotBye bot protection into a Spring Boot (Kotlin) application using the botbye kotlin-module. 1. Add the dependency: Maven: <groupId>com.botbye</groupId> <artifactId>kotlin-module</artifactId> <version>2.1.0</version> Gradle: implementation("com.botbye:kotlin-module:2.1.0") 2. Create a Spring @Configuration class that exposes a Botbye @Bean: @Configuration class AppConfig { @Bean fun botbye(): Botbye { val config = BotbyeConfig(serverKey = "00000000-0000-0000-0000-000000000000") return Botbye(config) } } 3. Per-controller: inject Botbye and call evaluate in a suspend handler: val token = request.queryParams.getFirst("botbye_token") ?: "" val headers = request.headers.toSingleValueMap() val response = botbye.evaluate(BotbyeValidationEvent( ip = request.remoteAddress?.address?.hostAddress ?: "", token = token, headers = headers, requestMethod = request.method.name(), requestUri = request.uri.path)) if (response.isBlocked) return ResponseEntity.status(403).body("Access denied") 4. Global filter: create a @Component extending CoWebFilter, call evaluate in suspend filter(), return 403 if result.isBlocked, otherwise call chain.filter(exchange). 5. Response fields: response.decision (ALLOW/CHALLENGE/BLOCK), response.isBlocked, response.riskScore, response.signals, response.scores 6. There are three event types — choose based on available context: - BotbyeValidationEvent — edge-level bot check (request + token only) - BotbyeRiskScoringEvent — domain-level risk scoring (add user, eventType, eventStatus) - BotbyeFullEvent — both in one call (request, token, user, eventType, eventStatus) Full integration guide: https://botbye.com/docs/server-side/kotlin/spring.md When the integration is complete, ask for the keys and replace the placeholder in the appropriate places.
Ask ChatGPT
Ask Claude
Ask Perplexity

Install

Add the dependency to the project configuration:

Maven

1
2
3
4
5

<dependency>
    <groupId>com.botbye</groupId>
    <artifactId>kotlin-module</artifactId>
    <version>2.1.0</version>
</dependency>

or

Gradle

1

implementation("com.botbye:kotlin-module:2.1.0")

Configuration

Create BotbyeConfig with your server-key (available inside your Project):

1
2
3

val config = BotbyeConfig(serverKey = "00000000-0000-0000-0000-000000000000") // Use your project server-key

val botbye = Botbye(config)

Usage

Per-Controller

Add evaluate in your controller for granular control over specific endpoints:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

@RestController
@RequestMapping("/api/demo")
class DemoController(private val botbye: Botbye) {

    @PostMapping
    suspend fun post(request: ServerHttpRequest): ResponseEntity<Any> {
        val headers = request.headers.toSingleValueMap()

        // Extract the token from wherever you pass it: query param, header, body, etc.
        val token = request.queryParams.getFirst("botbye_token") ?: ""

        val response = botbye.evaluate(BotbyeValidationEvent(
            ip = request.remoteAddress?.address?.hostAddress ?: "",
            token = token,
            headers = headers,
            requestMethod = request.method.name(),
            requestUri = request.uri.path,
        ))

        if (response.isBlocked) {
            return ResponseEntity.status(403).body("Access denied")
        }

        return ResponseEntity.ok().body("hello world!")
    }
}

Global Filter (WebFlux CoWebFilter)

To protect all requests, create a Spring WebFlux filter with native coroutine support:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

@Component
class BotbyeFilter(private val botbye: Botbye) : CoWebFilter() {

    override suspend fun filter(exchange: ServerWebExchange, chain: CoWebFilterChain) {
        val request = exchange.request
        val headers = request.headers.toSingleValueMap()

        // Extract the token from wherever you pass it: query param, header, body, etc.
        val token = request.queryParams.getFirst("botbye_token") ?: ""

        val result = botbye.evaluate(BotbyeValidationEvent(
            ip = request.remoteAddress?.address?.hostAddress ?: "",
            token = token,
            headers = headers,
            requestMethod = request.method.name(),
            requestUri = request.uri.path,
        ))

        if (result.isBlocked) {
            exchange.response.statusCode = HttpStatus.FORBIDDEN
            return
        }

        chain.filter(exchange)
    }
}

There are three event types — validate, risk, and full — each suited for a different layer of your application.

validate — edge-level bot check

Use at the edge — API gateway, route handler, middleware — when you just want to know: was this request made by a bot? No user or domain context needed.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

@RestController
@RequestMapping("/api/demo")
class DemoController(private val botbye: Botbye) {

    @PostMapping
    suspend fun post(request: ServerHttpRequest): ResponseEntity<Any> {
        val headers = request.headers.toSingleValueMap()

        // Extract the token from wherever you pass it: query param, header, body, etc.
        val token = request.queryParams.getFirst("botbye_token") ?: ""

        val response = botbye.evaluate(BotbyeValidationEvent(
            ip = request.remoteAddress?.address?.hostAddress ?: "",
            token = token,
            headers = headers,
            requestMethod = request.method.name(),
            requestUri = request.uri.path,
        ))

        if (response.isBlocked) {
            return ResponseEntity.status(403).body("Access denied")
        }

        return ResponseEntity.ok().body("hello world!")
    }
}

risk — domain-level risk scoring

Use inside services that already know the user: auth, payments, account management, etc. The purpose shifts from "is this a bot?" to "is something suspicious happening for this user?" — credential stuffing, account takeover, account sharing, logins from a new geo.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

@Service
class AuthService(private val botbye: Botbye) {

    suspend fun onLoginAttempt(ip: String, userId: String, email: String, loginSucceeded: Boolean) {
        val response = botbye.evaluate(BotbyeRiskScoringEvent(
            ip = ip,
            headers = emptyMap(),
            user = BotbyeUserInfo(
                accountId = userId,
                email = email,
            ),
            eventType = "login",
            eventStatus = if (loginSucceeded) BotbyeEventStatus.SUCCESSFUL else BotbyeEventStatus.FAILED,
            botbyeResult = null, // if a validate call was made earlier, pass response.botbyeResult here to link the requests; omit if there was no prior validate
        ))

        if (response.isBlocked) {
            // Lock account, trigger MFA, send alert, etc.
        }
    }
}

Linking validate and risk events

When the same request is evaluated at two layers — for example, once at the edge (validate) and then again inside a domain service (risk) — BotBye can link both events and display them as a single event in the dashboard.

Step 1 — edge layer (filter, interceptor, or route handler): run validate and capture the result:

1
2
3
4
5
6
7
8
9
10

// e.g. in a CoWebFilter or route handler
val edgeResponse = botbye.evaluate(BotbyeValidationEvent(
    ip = request.remoteAddress?.address?.hostAddress ?: "",
    token = token,
    headers = headers,
    requestMethod = request.method.name(),
    requestUri = request.uri.path,
))
val edgeBotbyeResult = edgeResponse.botbyeResult
// Pass edgeBotbyeResult downstream — a request attribute, function argument, shared context, etc.

Step 2 — domain service (auth, payment, account management): pass it as botbyeResult in the risk call:

1
2
3
4
5
6
7
8
9

// e.g. in AuthService.onLoginAttempt()
val riskResponse = botbye.evaluate(BotbyeRiskScoringEvent(
    ip = ip,
    headers = emptyMap(),
    user = BotbyeUserInfo(accountId = userId, email = email),
    eventType = "login",
    eventStatus = if (loginSucceeded) BotbyeEventStatus.SUCCESSFUL else BotbyeEventStatus.FAILED,
    botbyeResult = edgeBotbyeResult,
))

botbyeResult is null when absent — in that case, omit or pass null and the events will be recorded independently.

full — edge check and domain scoring in one call

Use when you have all context at once: raw request, token, user, and event. A login endpoint is a typical example — it receives the HTTP request and immediately knows the user and outcome.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

@RestController
@RequestMapping("/auth")
class LoginController(private val botbye: Botbye) {

    @PostMapping("/login")
    suspend fun login(request: ServerHttpRequest, @RequestBody body: LoginRequest): ResponseEntity<Any> {
        val headers = request.headers.toSingleValueMap()
        val token = request.queryParams.getFirst("botbye_token") ?: ""

        val user = findUser(body.email)
        val loginSucceeded = user != null && checkPassword(user, body.password)

        val response = botbye.evaluate(BotbyeFullEvent(
            ip = request.remoteAddress?.address?.hostAddress ?: "",
            token = token,
            headers = headers,
            requestMethod = request.method.name(),
            requestUri = request.uri.path,
            user = BotbyeUserInfo(
                accountId = user?.id ?: "unknown",
                email = body.email,
            ),
            eventType = "login",
            eventStatus = if (loginSucceeded) BotbyeEventStatus.SUCCESSFUL else BotbyeEventStatus.FAILED,
        ))

        if (response.isBlocked) {
            return ResponseEntity.status(403).body("Access denied")
        }

        return ResponseEntity.ok().body("Login successful")
    }
}

Settings

BotbyeConfig contains next configurable parameters:

Setting Description Required Default Value
botbyeEndpoint Host of the API Server no https://verify.botbye.com
serverKey Your BotBye server-key yes -
contentType Content type for API requests no application/json
readTimeout Read timeout for HTTP client no Duration.ofSeconds(2)
writeTimeout Write timeout for HTTP client no Duration.ofSeconds(2)
connectionTimeout Connection timeout for HTTP client no Duration.ofSeconds(2)
callTimeout Total call timeout no Duration.ofSeconds(5)
maxIdleConnections Max idle connections in the pool no 250
keepAliveDuration Keep-alive duration no Duration.ofSeconds(300)
maxRequestsPerHost Max requests per host no 1500
maxRequests Max requests total no 1500

Examples of BotBye API responses

Blocked (bot detected):

1
2
3
4
5
6
7

{
  "request_id": "f77b2abd-c5d7-44f0-be4f-174b04876583",
  "decision": "BLOCK",
  "risk_score": 0.95,
  "scores": { "bot": 0.95 },
  "signals": ["AutomationTool"]
}

Allowed:

1
2
3
4
5
6
7

{
  "request_id": "f77b2abd-c5d7-44f0-be4f-174b04876583",
  "decision": "ALLOW",
  "risk_score": 0.05,
  "scores": { "bot": 0.05, "ato": 0.02 },
  "signals": []
}

Challenge:

1
2
3
4
5
6
7
8

{
  "request_id": "f77b2abd-c5d7-44f0-be4f-174b04876583",
  "decision": "CHALLENGE",
  "risk_score": 0.65,
  "scores": { "bot": 0.65 },
  "signals": ["SuspiciousFingerprint"],
  "challenge": { "type": "captcha", "token": "..." }
}

Invalid server-key:

1
2
3
4

{
  "decision": "ALLOW",
  "error": { "message": "[BotBye] Bad Request: Invalid Server Key" }
}