Offline Verification
Available only on Enterprise plan
Offline Verification refers to decrypting the inner claims of a solution to avoid calling the Siteverify API altogether.
For debugging, we recommend using this webpage: https://dinochiesa.github.io/jwt/
Pre-requisites
- You must be an Enterprise customer
- You must retrieve the decryption secret from the Dashboard (the secret is hex-encoded)
- You must first validate that the solution is valid using Offline Validation
- You must prevent replay attacks
Decrypting the encrypted claims
The encrypted claims are encrypted using JWE with a pre-shared key (available on the Dashboard) and AES-256 in GCM mode.
The encrypted claim is the ## claim in the solution payload.
Example
An example encrypted claim is:
eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..zqVbfE9UGMkUjd9I.QLCTfg7jH0EdP25MGovuKYJRDrY6JviA3QXpN4L3Kg.PxjZ5IZHzbsHiDfVHIV3zw
The decryption secret for the used sitekey is
370d1c0b31bf702dc2355337279dbc853017001321969e51c58ecab5ca05469c3
By plugging these two values into the online debugger https://dinochiesa.github.io/jwt/, we get the following result:
Claims
The following claims are available:
| Name | Description |
|---|---|
| automated | whether the use of automation software was detected |
| checks | a list of checks that were violated |
| kind | the kind of automation detected (undefined if none) |
Additional claims may be added in the future or used for internal purposes; do not rely on undocumented claims.
Additional padding
We may add additional padding to the encrypted claims. This padding is added as a special claim called _ which is a random string with a random length. This is added to prevent attackers from distinguishing between
{"automated":false,"checks":[]}
and
{"automated":true,"checks":["long_check_name"],"kind":"long_kind_name"}
by looking at the length of the encrypted claims.