Comparing fraud-check APIs: FingerprintJS, IPQualityScore, Castle, MaxMind
This is a side-by-side comparison of fraud-check APIs available at indie-hacker and small-SaaS price tiers (under $250/month entry). Every price and feature is taken from each vendor's public documentation as of 2026-06-15.
The honest framing: no product in this tier catches all bot traffic. Each ships a different combination of signal layers: header analysis, TLS fingerprinting, IP intelligence, browser fingerprint snippet, JS challenge, behavioral analysis. Sophisticated attackers (real headless Chrome behind residential proxies) defeat most of these. What you're really choosing is which signal combination fits your specific threat model and integration constraints.
What this evaluation looks like in practice
Common scenario: bootstrapped founder of a small B2B SaaS, ~$8K MRR, mostly product-led signups. Stripe Radar is already running on the checkout side, but the signup form has been getting hit: about 30% of signups never log in a second time, never engage, and look like temp-mail fraud. Not catastrophic yet, but trending up; the founder wants to add detection before the rate climbs further.
First instinct: try FingerprintJS Pro. Sign up for the free trial. The product looks excellent: the dashboard, the device-fingerprint accuracy, the documentation. But the entry plan is $200/month for 20K identifications. The signup form gets ~5,000 attempts per month. Math: paying $200/mo to protect a signup flow that converts maybe 100 paid users at $30/mo = $3K MRR is hard to justify at $8K MRR total. Cancel the trial.
Second instinct: roll inline header analysis (Pattern B from the Next.js middleware article). Free, no dependency. Catches the most obvious bot traffic (python-requests/2.31.0 and friends) but misses curl_cffi with proper Chrome headers.
Third instinct: combine BotD (free OSS, drops into the frontend) with a $0-$50/mo server-side fraud API. BotD handles browser-side fingerprinting; the server API catches what BotD can't (curl_cffi, no-JS clients). The founder tries IPQualityScore's $50/mo plan first. IP intelligence is solid, but bot-detection accuracy on residential proxies is weak. The gap surfaces here: none of the indie-tier vendors in this comparison handles commodity TLS impersonation (curl_cffi presenting a valid Chrome JA3 hash). That signal class is simply unrepresented at this price point.
The founder's honest options become: (a) accept the bleed until MRR justifies stepping up to FingerprintJS Pro ($200/mo+), (b) layer Cloudflare Turnstile (free) on the signup form to force some attacker traffic through a JS challenge that curl_cffi can't pass on its own, or (c) roll their own TLS-fingerprint check using a published rule set, which only works if the edge that terminates TLS passes the ClientHello (or a JA3/JA4 hash of it) through to the application.
The principle: match the product to the current attack tier and revenue, not to a hypothetical future enemy. At $8K MRR, the right answer might be "live with the 20-30% commodity-bot bleed and revisit at $30K MRR" rather than overpay for coverage you don't yet need.
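To make the second instinct concrete, here is an inline header-consistency check of the kind the founder would write. This is an added example for this article, not the article's own code and not the RQ4 rule set: the four rules are this editor's illustrative choices, and every header set is constructed rather than captured traffic. It shows what such a check does and does not catch: python-requests and a UA-only spoof fail, a Chrome header set copied from a GET and reused on the POST fails the Sec-Fetch consistency rule, and a TLS-impersonating client whose operator set every header correctly passes, which is exactly the gap the third instinct runs into.

```python
"""Inline header-consistency checks for a signup POST.

Added example written for this article; it is not the article's code and not
the RQ4 rule set. The four rules are this editor's illustrative choices, and
every header set below is constructed rather than captured traffic.
"""

TOOL_UA_MARKERS = ("python-requests", "python-urllib", "curl/", "go-http-client",
                   "libwww-perl", "okhttp")
SEC_FETCH = ("sec-fetch-site", "sec-fetch-mode", "sec-fetch-dest")


def header_reasons(method: str, headers: dict) -> list:
    """Return the inconsistencies found; an empty list means 'consistent with a browser'."""
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "").lower()
    reasons = []

    # Rule 1: a client that announces itself as an HTTP library is not a browser.
    for marker in TOOL_UA_MARKERS:
        if marker in ua:
            reasons.append(f"tool user-agent: {marker}")

    if "chrome/" in ua:
        # Rule 2: Chromium attaches Sec-Fetch-* metadata to every request to an
        # HTTPS origin, so a Chrome UA without them is a spoofed UA string.
        for name in SEC_FETCH:
            if name not in h:
                reasons.append(f"Chrome UA without {name}")
        # Rule 3: current Chromium also sends the sec-ch-ua client hint unprompted.
        if "sec-ch-ua" not in h:
            reasons.append("Chrome UA without sec-ch-ua")

    # Rule 4: Sec-Fetch-Site: none marks a user-initiated navigation (address bar,
    # bookmark), which browsers never issue as a POST; a form submission from our
    # own page arrives as same-origin (or same-site).
    if method.upper() == "POST" and h.get("sec-fetch-site") == "none":
        reasons.append("POST with Sec-Fetch-Site: none")
    return reasons


def classify(method: str, headers: dict) -> str:
    return "bot" if header_reasons(method, headers) else "pass"


# Constructed header sets (not captured traffic).
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36")
CHROME_FORM_POST = {                      # what a real Chrome form submission carries
    "User-Agent": CHROME_UA,
    "sec-ch-ua": '"Chromium";v="125", "Google Chrome";v="125", "Not.A/Brand";v="24"',
    "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Dest": "document", "Accept-Language": "en-US,en;q=0.9",
    "Content-Type": "application/x-www-form-urlencoded",
}
PYTHON_REQUESTS = {"User-Agent": "python-requests/2.31.0", "Accept": "*/*",
                   "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive"}
UA_ONLY_SPOOF = {"User-Agent": CHROME_UA, "Accept": "*/*"}
# Chrome headers copied from a GET and reused for the POST unchanged.
COPIED_GET_HEADERS = {**CHROME_FORM_POST, "Sec-Fetch-Site": "none", "Sec-Fetch-User": "?1"}
# A TLS-impersonating client whose operator set every header correctly: header
# analysis alone has nothing to object to. This is the gap the article describes.
TUNED_IMPERSONATOR = dict(CHROME_FORM_POST)

SAMPLES = {"chrome": CHROME_FORM_POST, "python-requests": PYTHON_REQUESTS,
           "ua-only-spoof": UA_ONLY_SPOOF, "copied-get-headers": COPIED_GET_HEADERS,
           "tuned-impersonator": TUNED_IMPERSONATOR}


def run_samples() -> dict:
    """Classify every constructed sample as a signup POST."""
    return {name: classify("POST", hdrs) for name, hdrs in SAMPLES.items()}
```

Rules 2 and 3 only fire for HTTPS origins (browsers omit Sec-Fetch-* on plain HTTP), and all of them depend on the edge forwarding the original headers unchanged; the Accept-Encoding normalization noted in the related reading is one example of an edge quietly rewriting what your handler sees.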
Pricing entry tiers
| Vendor | Entry tier | Volume at entry | Pricing source |
|---|---|---|---|
| FingerprintJS Pro | $200/mo | 20,000 identifications | fingerprint.com/pricing |
| FingerprintJS BotD (OSS) | $0 | Unlimited (client-side) | github.com/fingerprintjs/BotD |
| IPQualityScore | $50/mo | 10,000 requests | ipqualityscore.com/pricing-plans |
| Castle.io | $199/mo | Custom (event-based) | castle.io/pricing |
| MaxMind minFraud | $0.005–$0.025/req | Pay-as-you-go | maxmind.com/en/minfraud-pricing |
Prices verified against each vendor's public pricing page on the date above. If you're reading this much later and considering one of these vendors, re-validate; fraud-API pricing moves frequently.
Signal layer coverage
What each vendor catches depends on which signal layers their product ships. The table below maps the major signal categories to each vendor based on their public docs. "Yes" means the layer is documented as a product feature; absence means we didn't find it in their public materials at the time of writing.
| Signal layer | FingerprintJS Pro | BotD (OSS) | IPQualityScore | Castle | MaxMind |
|---|---|---|---|---|---|
| Header analysis (Sec-Fetch, RQ4-style) | – | – | – | – | – |
| TLS fingerprinting | – | – | – | – | – |
| IP intelligence (ASN, VPN, DC) | Yes | – | Yes | Yes | Yes |
| Browser fingerprint snippet | Yes | Yes | Partial | Yes | – |
| JS challenge (proof-of-execution) | – | – | – | – | – |
| Behavioral analysis | – | – | – | Yes | – |
| Session-level correlation | Yes | – | – | Yes | – |
Two signal classes are entirely absent at this price tier: header analysis (Sec-Fetch / Client-Hints rule checking, documented openly by the RQ4 specification) and TLS fingerprinting (post-JA3, detecting impersonation libraries by their ClientHello byte patterns). Vendors that ship these typically start at enterprise pricing.
A few honest qualifications:
- FingerprintJS Pro is the strongest browser-fingerprint product. Their snippet is the most thoroughly engineered in this list. They've also built out server-side "Smart Signals" that complement the browser snippet. The price point is enterprise-leaning even at entry.
- BotD is FingerprintJS's open-source bot-vs-human classifier. It runs entirely client-side, catches commodity headless tools, and is free. If you can drop a JS snippet on your frontend and only need bot/not-bot, this is a real choice. Because the classification runs in the browser, the result is only as trustworthy as the client reporting it; forward it to your backend as one signal rather than gating on it client-side.
- IPQualityScore is primarily an IP intelligence product. Its bot-detection accuracy on residential proxies (where the attacker rents real residential IPs) is weak; IP-only checks miss this class entirely. Good if your attack pattern is datacenter-IP-based.
- Castle.io is positioned for account takeover and payment fraud, not bot defense per se. Strong behavioral and device-fingerprint coverage; pricing scales with events.
- MaxMind minFraud rides on top of the MaxMind GeoIP database, so the IP intelligence is excellent. Bot-specific signals are minimal. Best fit if you want IP/email/phone reputation, not headless-Chrome detection.
Integration model
How you wire each into your stack matters as much as which signals they ship.
| Vendor | Integration |
|---|---|
| FingerprintJS Pro | JS snippet on frontend (collects fingerprint) + server API call to retrieve verdict |
| BotD (OSS) | JS snippet only, client-side classification, no server call needed |
| IPQualityScore | REST API per-request from your backend |
| Castle.io | JS SDK on frontend + REST API from backend |
| MaxMind minFraud | REST API per-request from your backend |
Tradeoffs:
- JS-snippet integration (FingerprintJS, BotD, Castle) catches browser fingerprint signals but requires you to instrument your frontend and accept a JS payload on every page where you want detection.
- Backend API integration (IPQualityScore, MaxMind) keeps detection out of the user's browser; works for non-browser clients (mobile apps, server-to-server); misses browser-only signals (canvas/WebGL/audio).
Which to choose by use case
These are honest matches based on the signal-layer table above.
AI-SaaS founder, signup-credit burn from script kiddies. Most attackers use default curl_cffi or requests libraries. Header + TLS analysis would catch them, but as the table shows, no vendor at this tier ships those signals. The pragmatic stack is BotD (free, plus your own JS validation) and Cloudflare Turnstile (free) on the signup form. Don't pay $200/mo for FingerprintJS Pro at this attack tier; you'd be overinvesting in signals you don't need yet.
SaaS with sophisticated bot problem (Playwright + residential proxies). Browser-side fingerprint is required. FingerprintJS Pro ($200/mo+). For the header + TLS angle, you'll need to roll your own using a published rule set (the RQ4 specification documents the per-request header rules; no commercial vendor at this tier ships them). No product in this tier alone catches a serious Playwright operator.
Ecom checkout / card-testing defense. IP intelligence is essential, behavioral is helpful. IPQualityScore or MaxMind for IP signal; Castle.io if you can budget $199/mo for behavioral. None of these catches curl_cffi-based card-testing via TLS fingerprinting at this price tier; that detection class is a gap in the indie market.
Marketplace / account takeover / payments fraud. Castle.io is the closest match in this tier. Above this tier ($1,000+/month), Sift and Sardine.
Indie WordPress / Webflow with form spam. BotD (free) or Cloudflare Turnstile (free). Don't pay for any of the above; the free tier products handle commodity form spam.
Where the open-standards angle matters
Most of the products above are closed-source. Their detection logic is proprietary; their feature lists are what you're told they are. There's no published specification, no third-party verification of detection claims, no way to independently reproduce their results.
A few open standards exist in adjacent layers. RQ4 documents per-request and session-level header-analysis rules derived from the Fetch specification; the rule set is small enough that you could implement it inline in your backend without external dependencies. JA3 (and successors like JA4) document TLS-fingerprint hashing at the protocol level, though the databases that map hashes to client identities remain proprietary across vendors.
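The JA3 hashing mentioned above, carried through on raw bytes. This is an added example written for this article, not code from the JA3 project or from any vendor: it builds a synthetic ClientHello (record layer plus handshake) so the parser has something to run on offline, then derives the JA3 string and MD5 exactly as JA3 defines them (legacy version, cipher suites, extension types, supported groups, EC point formats, GREASE values dropped). The cipher and extension lists are illustrative, so the resulting hashes are not real Chrome or curl fingerprints, and the hash-to-label table is constructed. JA4 is not implemented here.

```python
"""JA3 from raw ClientHello bytes.

Added example written for this article; not code from the JA3 project or from
any vendor. build_client_hello() constructs a synthetic ClientHello so the
parser can run offline. The cipher and extension lists are illustrative and
the hashes are NOT real Chrome or curl fingerprints.
"""
import hashlib
import struct


def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa); JA3 excludes them."""
    return v & 0x0F0F == 0x0A0A and (v >> 8) == (v & 0xFF)


def supported_groups(groups):
    """Body of extension 10: 2-byte list length + 2-byte group ids."""
    return struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)


def ec_point_formats(formats):
    """Body of extension 11: 1-byte list length + 1-byte formats."""
    return bytes([len(formats)]) + bytes(formats)


def build_client_hello(version, ciphers, extensions):
    """Synthetic ClientHello wrapped in a TLS record (constructed test input)."""
    body = struct.pack("!H", version) + bytes(32)          # legacy_version + fixed random
    body += b"\x00"                                         # empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                     # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3(record: bytes):
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                                 # 5-byte record + 4-byte handshake header
    version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                                           # version + random
    pos += 1 + record[pos]                                  # session id
    cs_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                                  # compression methods
    ext_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_len
    ext_types, groups, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        pos += 4
        data = record[pos:pos + elen]
        pos += elen
        ext_types.append(etype)
        if etype == 10:                                     # supported_groups
            n = struct.unpack_from("!H", data, 0)[0]
            groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
        elif etype == 11:                                   # ec_point_formats
            formats = list(data[1:1 + data[0]])

    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))

    s = ",".join([str(version), field(ciphers), field(ext_types), field(groups), field(formats)])
    return s, hashlib.md5(s.encode()).hexdigest()


def classify(record: bytes, known: dict) -> str:
    """Look the hash up in a (constructed) hash -> client-label table."""
    return known.get(ja3(record)[1], "unknown")


# Constructed profiles. A Chrome-style hello carries a GREASE value in each list
# and rotates it per connection, which is why JA3 strips GREASE before hashing.
def chrome_like(grease=0x0A0A):
    return build_client_hello(0x0303,
        [grease, 0x1301, 0x1302, 0xC02B, 0xC02F],
        [(grease, b""), (10, supported_groups([grease, 0x001D, 0x0017])),
         (11, ec_point_formats([0])), (43, b"\x02\x03\x04")])


# A library-default hello: different suite order, no GREASE, fewer extensions.
LIBRARY_DEFAULT = build_client_hello(0x0303,
    [0xC02F, 0xC02B, 0x1301, 0x1302],
    [(10, supported_groups([0x0017, 0x001D])), (11, ec_point_formats([0]))])

KNOWN = {ja3(chrome_like())[1]: "chrome-like", ja3(LIBRARY_DEFAULT)[1]: "library-default"}
```

Two things worth seeing in the output. First, `chrome_like(0x1a1a)` and `chrome_like(0xfafa)` hash identically, so a lookup table keyed on JA3 survives GREASE rotation. Second, any client that reproduces the same lists in the same order, which is what a TLS-impersonation library does, also lands on the "chrome-like" hash; the hash alone separates library defaults from browsers, not impersonators from browsers, which is why the article calls the useful signal class "post-JA3".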
If you're evaluating any fraud-API vendor, asking "what specifically do you detect, and how can I verify that you detect it?" sorts the credible products from the ones using fraud-detection as a brand exercise. Open standards make that question answerable.
Limitations of this comparison
- Pricing changes. Re-validate every vendor's pricing page before a purchase decision. We re-run the verification snapshot every ~6 months.
- Feature lists from public docs. What a vendor markets is not always what their API actually returns. Test each product against your own attack samples before commitment.
- No enterprise tiers. This list excludes DataDome, Akamai Bot Manager, Kasada, Imperva, Cloudflare Bot Management Enterprise, Sift, Sardine, HUMAN, Arkose Labs. Those start at $1,000+/month and serve a different buyer.
- Static comparison. Vendors ship new features. By the time you read this, the matrix above may have moved.
Common questions
I'm pre-revenue / under $5K MRR. Which of these makes sense for free or near-free?
BotD (free, open source) for browser-side bot detection. Cloudflare Turnstile (free) for JS challenges; it does not require your DNS to be on Cloudflare. Inline header analysis in your backend (covered in the Next.js middleware article), which adds no external call to the request path. Save the $50-$200/mo products for when you have measurable losses they'd prevent. Don't pre-pay for sophisticated detection your attackers don't yet warrant.
Can I run two of these together (e.g., Cloudflare Turnstile + IPQualityScore)?
Yes, and it's often the right architecture. Turnstile catches the segment of bot traffic that never executes JS (cheap, primitive scripts). A server-side API like IPQualityScore catches the post-Turnstile segment (traffic that did execute JS but shows suspicious IP signals). The two layers detect different attack tiers. Stacking them adds cost only on the API side (Turnstile is free; the API tier you choose is not) and materially improves coverage. Verify the Turnstile token server-side on the signup request itself; a widget that passes in the browser but whose token is never checked on the backend adds nothing.
If I'm only worried about signup spam, do I need any of this or is rate-limiting enough?
Rate-limiting catches volumetric attacks (1,000 signups/minute from one IP). It doesn't catch low-and-slow distributed attacks: one signup every 30 seconds from each of 200 residential-proxy IPs stays under any per-IP limit yet still produces 200 new accounts every 30 seconds. If your attackers are sophisticated enough to use proxies, you need detection beyond per-IP rate-limiting. If they're not, rate-limiting plus email verification gets you most of the way. The honest answer depends on what you're actually being hit with: log a week of signup attempts and look at the IP and UA distribution before deciding.
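The two patterns from the answer above, run through a per-IP limiter and a site-wide signup-velocity counter. This is an added example for this article, not the article's own code; both traffic patterns are constructed (1,000 signups in a minute from one IP, and 200 proxy IPs each posting one signup every 30 seconds), and the limits are illustrative. It shows the per-IP limiter flagging nothing on the distributed burst, while a counter over all signups at least raises the alarm; what it cannot do is say which of those 200 accounts are the bots, which is the job of the per-request signals the rest of the article is about.

```python
"""Per-IP rate limiting vs. a low-and-slow distributed signup burst.

Added example for this article (not the article's own code). Both traffic
patterns are constructed; the limits are illustrative, not recommendations.
"""
from collections import defaultdict, deque


class SlidingWindow:
    """Count events per key over a trailing window; hit() reports 'over limit'."""

    def __init__(self, window_s: float, limit: int):
        self.window, self.limit = window_s, limit
        self.events = defaultdict(deque)

    def hit(self, key, ts) -> bool:
        q = self.events[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:     # drop events outside the window
            q.popleft()
        return len(q) > self.limit


def evaluate(signups, per_ip_limit=5, global_limit=30, window_s=60):
    """Run a per-IP limiter and a site-wide signup-velocity counter over
    time-ordered (timestamp, ip) events.
    Returns (flagged_by_ip, flagged_by_velocity, total)."""
    per_ip = SlidingWindow(window_s, per_ip_limit)
    velocity = SlidingWindow(window_s, global_limit)
    by_ip = by_velocity = 0
    for ts, ip in signups:
        if per_ip.hit(ip, ts):
            by_ip += 1
        if velocity.hit("site", ts):
            by_velocity += 1
    return by_ip, by_velocity, len(signups)


def volumetric():
    """Constructed: 1,000 signups in 60 s from a single IP."""
    return [(i * 0.06, "203.0.113.7") for i in range(1000)]


def low_and_slow():
    """Constructed: 200 residential-proxy IPs, one signup each every 30 s for two minutes."""
    ips = [f"192.0.2.{i}" for i in range(1, 201)]
    return [(t, ip) for t in (0, 30, 60, 90) for ip in ips]


def organic():
    """Constructed baseline: ten signups spread over an hour from distinct IPs."""
    return [(i * 360.0, f"203.0.113.{i}") for i in range(10)]


def report():
    return {name: evaluate(fn()) for name, fn in
            (("volumetric", volumetric), ("low_and_slow", low_and_slow), ("organic", organic))}
```

On the volumetric burst both counters fire; on the low-and-slow run the per-IP limiter never trips (each IP shows at most two or three signups in any 60 s window) while the velocity counter flags 770 of 800 events. The velocity counter's threshold has to come from your own baseline (the ~5,000 attempts/month in the scenario above is under seven per hour), and a hit from it is a reason to pull in per-request signals, not a verdict on any single signup.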
I'm getting hammered RIGHT NOW. Which has the fastest integration time?
For an immediate crisis: BotD (drop a <script> tag, ~10 minutes if you have frontend access). Cloudflare Turnstile (embed the widget and verify its token server-side, ~30 minutes; it does not require your DNS to be on Cloudflare). Cloudflare WAF Custom Rules if you are proxied through Cloudflare (enforced at the edge, ~10 minutes if you can write a rule). Server-side API integration takes 1-4 hours including testing. If you're losing $400/day, a few hours of integration cost is irrelevant: pick what catches your specific attack pattern, not what's fastest.
How do I migrate from one to another if I outgrow my first choice?
Easier than it sounds for most of these. The integration code is small (10-30 lines). The hard part is changing your verdict mapping (each vendor's "low_risk" / "suspicious" / "block" thresholds differ) and your downstream logic (what you do with a block verdict). If you're using the same fraud-check API surface across vendors, migration is mechanical. If you're using vendor-specific Smart Signals or behavioral models, migration is harder, try to keep your application logic abstracted from vendor-specific signal names.
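The layering from the "two together" answer and the vendor abstraction from the migration answer, in one place. This is an added example for this article, not any vendor's SDK: each vendor response is normalized to one small verdict type so the signup policy never sees vendor field names, and the Turnstile token is verified server-side before the IP verdict is consulted. The response field names follow the vendors' public docs as this editor reads them (IPQualityScore: fraud_score, proxy, vpn, tor, bot_status, recent_abuse; minFraud: risk_score; Turnstile siteverify: success, hostname, action) and should be treated as assumptions to check against current docs; the thresholds are illustrative, and every response is constructed rather than captured.

```python
"""Vendor-agnostic risk verdicts plus Turnstile layering for a signup request.

Added example for this article, not any vendor's SDK. Field names follow the
vendors' public docs as this editor reads them (assumption: verify against the
current docs); thresholds are illustrative; all responses are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass
class Verdict:
    risk: Risk
    vendor: str
    reasons: list = field(default_factory=list)


def from_ipqs(resp: dict) -> Verdict:
    """IPQualityScore proxy-detection response -> Verdict (thresholds are ours)."""
    flags = [k for k in ("proxy", "vpn", "tor", "recent_abuse", "bot_status") if resp.get(k)]
    score = int(resp.get("fraud_score", 0))
    if score >= 85 or "bot_status" in flags or "recent_abuse" in flags:
        risk = Risk.HIGH
    elif score >= 60 or flags:
        risk = Risk.MEDIUM
    else:
        risk = Risk.LOW
    return Verdict(risk, "ipqs", flags + [f"fraud_score={score}"])


def from_minfraud(resp: dict) -> Verdict:
    """minFraud Score response -> Verdict. risk_score runs 0.01-99, a different scale."""
    score = float(resp.get("risk_score", 0.0))
    risk = Risk.HIGH if score >= 50 else Risk.MEDIUM if score >= 15 else Risk.LOW
    return Verdict(risk, "minfraud", [f"risk_score={score}"])


def turnstile_ok(siteverify: dict, expected_hostname: str, expected_action: str) -> bool:
    """Server-side check of a Turnstile siteverify response. 'success' alone is
    not enough: bind the token to our hostname and to the widget's action, or a
    token solved on another page (or another site using a leaked sitekey) passes."""
    return (siteverify.get("success") is True
            and siteverify.get("hostname") == expected_hostname
            and siteverify.get("action") == expected_action)


def signup_decision(turnstile: dict, verdict: Verdict,
                    hostname="app.example.com", action="signup") -> str:
    """Layered policy: JS-challenge gate first, then the normalized risk verdict.
    The policy only ever sees Verdict, so swapping vendors means swapping an adapter."""
    if not turnstile_ok(turnstile, hostname, action):
        return "block"                 # no JS execution, or a replayed/foreign token
    if verdict.risk is Risk.HIGH:
        return "block"
    if verdict.risk is Risk.MEDIUM:
        return "verify_email"          # friction, not a hard block
    return "allow"


# Constructed responses (hostnames are documentation-reserved names).
TURNSTILE_GOOD = {"success": True, "hostname": "app.example.com", "action": "signup"}
TURNSTILE_FOREIGN = {"success": True, "hostname": "evil.example", "action": "signup"}
TURNSTILE_FAIL = {"success": False, "error-codes": ["invalid-input-response"]}
IPQS_RESIDENTIAL_CLEAN = {"fraud_score": 12, "proxy": False, "vpn": False, "tor": False,
                          "bot_status": False, "recent_abuse": False}
IPQS_DATACENTER = {"fraud_score": 88, "proxy": True, "vpn": True, "bot_status": True}
MINFRAUD_MEDIUM = {"risk_score": 22.5}
```

The clean-residential case is the honest one: a residential proxy that IPQualityScore scores as clean reaches "allow" here, which is the coverage gap the signal table describes, and no amount of threshold tuning on an IP-only verdict closes it.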
Which of these will accept my LLC's credit card without enterprise sales calls?
All of them at entry tier. FingerprintJS Pro, IPQualityScore, Castle, MaxMind, BotD all advertise self-serve signup. Castle's $199/mo tier in particular is a recent shift; it used to be enterprise-only. If you're getting asked to "schedule a demo" before seeing pricing, that's a different tier of vendor (Sift, Sardine, DataDome, Kasada), not on this list because they don't fit the indie/small-SaaS budget.
Related reading
- RQ4 specification and the reference implementation at github.com/rozetyp/rq4, the open standard for the header-layer detection signals discussed above
- Detecting curl_cffi after TLS impersonation, the TLS-layer signal class
- Bot detection middleware for Next.js App Router, practical integration patterns
- Cloudflare Workers normalizes Accept-Encoding before your handler sees it, a Workers gotcha worth knowing when integrating any of these in middleware
- RQ4-S: detecting cookie-reuse handoff, session-level detection that catches an attack class most vendors in this comparison don't address