Bot Detection

Wristband integrates with Google reCAPTCHA to detect and block automated bot activity. When active, Google reCAPTCHA evaluates each request using risk scoring and may present users with a CAPTCHA challenge if the request appears suspicious. This helps protect against credential stuffing, brute force attacks, and other bot-driven threats.

ℹ️

Note: Bot detection only applies to Wristband-hosted UI pages. Self-hosted UI pages are not protected by Wristband's CAPTCHA enforcement. Bot protection for self-hosted pages is the responsibility of the application.

Protected Pages

CAPTCHA is enforced on the following Wristband-hosted pages:

• Application-level Login Page (Tenant Discovery)
• Tenant-level Login Page
• Application-level Signup Page
• Tenant-level Signup Page

Signup pages always enforce CAPTCHA regardless of policy configuration. Login pages enforce CAPTCHA based on configured Bot Detection Policies. Other Wristband-hosted pages (such as email-based workflow pages and External IdP pages) are protected by the presence of auth code JWTs rather than CAPTCHA.

Bot Detection Policies

Bot Detection Policies controls CAPTCHA enforcement for your application. They are configured under Security → Bot Detection Policies in the Application View of the Wristband Dashboard. Bot Detection Policies are currently configured at the application level only and do not support tenant-level overrides.

• Login CAPTCHA Enforcement Strategy: Controls whether users are required to complete a CAPTCHA challenge on login pages. Can be set to always enforce or never enforce. Does not affect signup pages, which always enforce CAPTCHA.

ℹ️

Note: CAPTCHA cannot be disabled for Production applications. For non-Production applications, CAPTCHA can be optionally disabled. A common use case is disabling bot detection in a development Wristband application when testing locally or running automated test scenarios.