
How it works

Notabotly flips the traditional CAPTCHA model on its head. Instead of running intrusive heuristics on the user’s browser, we rely on the secure hardware enclave built into modern mobile devices.

  1. Session Creation: Your backend requests a new session from Notabotly (POST /session/init). We return a unique session_id and a verify_url.
  2. Displaying the QR Code: Your frontend generates a QR code from the verify_url.
  3. Mobile Handoff: The user scans the QR code with their mobile device. We strictly enforce that the device opening the link is a mobile device via User-Agent and Client Hints checks.
  4. Hardware Verification: The user taps “Prove it”. We leverage the native WebAuthn API. The user authenticates using biometric hardware (Face ID, Touch ID, or Android Biometrics). Bots cannot simulate this secure hardware process.
  5. Real-Time Push: Notabotly’s servers receive the cryptographic signature. Upon validation, we push the verification result over a Server-Sent Events (SSE) stream back to your waiting backend.
  6. Redirection: The user’s mobile browser is automatically redirected to the redirectUrl you specified in Step 1.
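Steps 1 and 5 as seen from the integrating backend, as an added example that is not Notabotly's own code: it parses the SSE stream, honours a result only for a session_id the backend itself requested, and spends that verification once. The `event: result` name, the `{"session_id", "verified"}` payload and the TTL are assumptions, not documented fields.

```javascript
// Added example, not Notabotly's SDK: backend-side handling of the SSE result
// stream from step 5. Assumed (not on the page): each event is `event: result`
// with a JSON `data:` line of the form {"session_id":"...","verified":true|false}.
const SESSION_TTL_MS = 5 * 60 * 1000; // how long a pending session may wait (assumed)
// Tracks session_ids issued in step 1 so a pushed result is honoured only for a
// session this backend created, once, and within the TTL.
function createStore(now = Date.now) {
  const pending = new Map();  // session_id -> creation time
  const verified = new Set(); // positively verified, not yet consumed
  return {
    register(sessionId) { pending.set(sessionId, now()); },
    // Apply one result event; the return value says why it was accepted or refused.
    applyResult({ session_id: id, verified: ok }) {
      const createdAt = pending.get(id);
      if (createdAt === undefined) return 'unknown-session'; // never issued, or a replay
      pending.delete(id);                                    // one result per session
      if (now() - createdAt > SESSION_TTL_MS) return 'expired';
      if (ok !== true) return 'rejected';
      verified.add(id);
      return 'verified';
    },
    // Spend a verified session exactly once when the protected request arrives.
    consume(sessionId) { return verified.delete(sessionId); },
  };
}
// Minimal text/event-stream parser: events are separated by a blank line.
function parseSseEvents(text) {
  const events = [];
  for (const chunk of text.split(/\r?\n\r?\n/)) {
    let type = 'message', data = [];
    for (const line of chunk.split(/\r?\n/)) {
      if (line.startsWith('event:')) type = line.slice(6).trim();
      else if (line.startsWith('data:')) data.push(line.slice(5).trim());
    }
    if (data.length) events.push({ type, data: data.join('\n') });
  }
  return events;
}
// Constructed sample stream: a valid result, a replay of it, and one for a session_id never issued.
const SAMPLE_STREAM = [
  'event: result', 'data: {"session_id":"sess-A","verified":true}', '',
  'event: result', 'data: {"session_id":"sess-A","verified":true}', '',
  'event: result', 'data: {"session_id":"sess-Z","verified":true}', '',
].join('\n');
function demo() {
  const store = createStore();
  store.register('sess-A'); // returned by POST /session/init in step 1
  return parseSseEvents(SAMPLE_STREAM).filter((e) => e.type === 'result')
    .map((e) => store.applyResult(JSON.parse(e.data))); // -> ['verified','unknown-session','unknown-session']
}
```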

By enforcing the verification to occur on a mobile device, we achieve two major security wins:

  • It creates an air gap: the verification happens on a separate device, which forces a physical scanning interaction.
  • It guarantees the presence of high-quality biometric sensors that are incredibly difficult for bot farms to spoof at scale.