Bot Management

Fastly's Bot Management product provides you with visibility into bot traffic, allowing you to identify bots and automations directly at Fastly's network edge, closer to where requests arrive and further away from your application layer. Using the knowledge you gain from this detection, you can enforce rulesets and policies in the Next-Gen WAF control panel as part of your web asset and application protection measures. Because not all bots are malicious, Bot Management offers controls that can help you decrease unwanted bot activity by allowing you to customize your interactions and automatically decide which bots are safe to interact with in your ecosystem.

Client fingerprinting

Client fingerprinting incorporates JA3 fingerprinting and allows you to identify client types as long as that information is available as part of the TLS encrypted communication between a specific client and its server. This feature can help you detect bots designed for malicious activities such as credential stuffing, credential cracking, or IP rotation attacks.

Client challenges

Client challenges allow you to require users to prove that they are human or that a connection is happening via a full-fledged browser. For each service, you choose whether these challenges are interactive or non-interactive. Interactive challenges use configurable CAPTCHA-like challenge-response tests that human users must respond to. Non-interactive challenges get sent automatically to each client as JavaScript code embedded in a web page.

To identify when challenges have been initiated and solved, cookies are issued from the customer domain in which the challenges are issued. Specifically:

  • the _fs_ch_st_<RANDOM STRING> challenge start cookie signals the initiation of the challenge and helps mitigate trivial replay of challenge flows by your service
  • the _fs_ch_cp_<RANDOM_STRING> challenge complete cookie signals the completion of the challenge and communicates to your service that access to a resource should be permitted

Verified bots

Verified bots allow you to add a Next-Gen WAF signal to the logic of your active configuration rules that will help validate self-identified bots and thereby allow or block them as appropriate as requests arrive to the web applications you're protecting.

Private Access Tokens


This information is part of a limited availability release. For additional details, read our product and feature lifecycle descriptions.

The Private Access Token (PAT) verification service allows you to protect access to resources on your origin. When an end user requests information from an origin that Fastly protects, the PATs service specifically requires the requestor to prove that they are human and verify their identity, but does so without directly revealing personal information about the requester or requiring them to solve puzzle-based challenges. It does this based on the settings you specify in your Bot Management implementation and then responds to requests by issuing a validation token granting access or blocking access to those protected resources as appropriate.


To purchase Bot Management, you must purchase Fastly's Next-Gen WAF at the Professional or Premier level for deployment on Fastly's Edge Cloud platform. This requires a paid account with a contract for Fastly's services.

Limitations and considerations

Keep in mind the following limitations and considerations for client challenges:

  • The client challenges feature must be enabled for each individual service using your service ID via an API call.
  • When using the client challenges feature, you must choose between either interactive or non-interactive challenges for each service. Both cannot be active on a single service at the same time.
  • Using client challenges for multiple hostnames requires creating a rule that restricts the challenge to a specific hostname. If, for example, a service includes both and as hosts, client challenges will not behave as expected.
  • Exceptions to client challenges can be used to allow some bots access to your site. These exceptions must be explicitly included in any rule that would otherwise exclude them.

In addition, keep in mind the following limitations and considerations specific to PATs:

  • PATs usage is measured based on the number of token redemptions that occur. One token redemption is equal to one request, which affects your billing as described below.
  • PATs challenges can only be issued to Apple-supported devices using iOS 16 or higher or macOS Ventura or higher.
  • Apple-supported devices are limited to 10 tokens per minute, per device, and only 10 tokens per every 5 minutes are allowed for a single origin server or website. Only 1 token per minute is allowed for a single TLS connection to a server.


Fastly charges for Bot Management based on the volume of requests (per millions) processed per month. These charges are separate from and do not include charges associated with the Fastly Full Site Delivery service nor with usage of the Fastly Next-Gen WAF.

For more details about this product, including how to purchase it, contact your account manager or email

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.