ShieldLabs is an anonymous visitor identification and traffic quality platform. It analyzes device, browser, IP, and network signals, detecting mismatches between them to identify anonymous visitors and assign a real-time explainable risk score to every visit, as well as detect abuse patterns across your traffic.

What is ShieldLabs used for?

ShieldLabs is used to identify anonymous visitors, assess traffic quality, and detect abuse activity such as multi-accounting, fake account creation, account takeover, free trial abuse, bonus abuse, ban evasion, referral fraud, account sharing, coupon abuse, subscription abuse, giveaway fraud, voting manipulation, and survey fraud.

Who is ShieldLabs for?

ShieldLabs is best for startups, small-to-mid-sized businesses, and digital platforms with medium to high traffic volume that need a cost-effective anonymous visitor identification solution. Built for product, fraud, and growth teams at SaaS platforms, fintech, iGaming, e-commerce, Web3, media and streaming, travel, and technology platforms - any business dealing with anonymous traffic and abuse.

How accurate is ShieldLabs?

ShieldLabs detects anonymized connections and environment spoofing with up to 99% accuracy through multi-layer analysis.

How is ShieldLabs different from traditional abuse prevention platforms?

ShieldLabs delivers the same level of visitor identification and abuse detection used by platforms like Google and X / Twitter — with transparent per-request pricing, self-serve integration in 5 minutes, and an explainable risk score. No "Contact Sales," no enterprise contracts.

Can a visitor be recognized when IP changes?

Yes. ShieldLabs generates a persistent visitor ID. This identifier remains stable across sessions even when the visitor changes IP, clears cookies, switches to incognito mode, or creates a new account.

What is a persistent visitor ID?

A persistent visitor ID is a stable identifier assigned to each visitor. Unlike cookies or IP addresses, it survives IP rotation, cookie clearing, incognito mode, and account changes - allowing real-time recognition of returning visitors regardless of how they try to hide.

What is browser fingerprinting?

Browser fingerprinting is a technique for identifying website visitors by collecting unique browser signals such as browser version, preferred language, screen resolution, installed fonts, and graphics rendering. These signals are combined to generate a unique identifier that recognizes the visitor across sessions — even without cookies.

What is device fingerprinting?

Device fingerprinting identifies a visitor based on hardware and operating system signals such as device type, OS version, memory, processor, and screen parameters. Combined with browser fingerprinting, it produces a more stable and accurate identification.

How does device fingerprinting differ from browser fingerprinting?

Browser fingerprinting collects signals from the browser — version, language, plugins, screen resolution. Device fingerprinting collects signals from the hardware and operating system — device type, OS, memory, processor. ShieldLabs combines both to generate a persistent visitor ID with higher accuracy than either method alone.

Does ShieldLabs do device fingerprinting or browser fingerprinting?

Both. ShieldLabs analyzes 70+ signals across device, operating system, and browser to generate a persistent visitor ID. It then cross-validates these signals against network and IP data to detect mismatches and expose anonymous visitors.

Is browser fingerprinting safe?

For businesses, browser fingerprinting is used to identify anonymous visitors and distinguish between legitimate users and potentially fraudulent ones. ShieldLabs does not track users across sites and does not collect personally identifiable information during the fingerprinting process. For visitors, the process is invisible and adds no friction to their experience.

Can ShieldLabs detect a visitor in incognito mode or on a VPN?

Yes. Device and browser fingerprinting signals remain consistent even in incognito mode. VPN connections are detected through IP intelligence and cross-layer mismatch analysis. ShieldLabs identifies the visitor in both cases.

What can ShieldLabs detect?

ShieldLabs detects VPN, proxy, TOR, iCloud Private Relay, anti-detect browsers, tampered browsers, anti-fingerprint tools, data center and hosting infrastructure, environment spoofing, device tampering, location spoofing, timezone mismatches, and abuse activity. All detection works in real time.

Does ShieldLabs detect anti-detect browsers?

Yes. Anti-detect browsers are designed to mask device fingerprints and rotate identities. ShieldLabs detects them through cross-layer mismatch analysis, identifying the difference between what the browser claims and what is actually detected.

Can ShieldLabs detect fake accounts and multi-accounting?

Yes. The system builds an identity graph linking visitors, devices, and accounts across sessions. When the same person creates multiple accounts — even using different IPs, browsers, or anti-detect tools — the system connects them through shared device and network characteristics.

Can ShieldLabs detect account takeover?

Yes. When an account is accessed from an unrecognized device, suspicious connection, or unusual location, the system flags it as a potential account takeover.

Can ShieldLabs detect location spoofing?

Yes. The system detects timezone and geolocation mismatches between what the browser reports and what the IP and network reveal — indicating masked or spoofed visitor location.

Does ShieldLabs detect account sharing?

Yes. When multiple devices, locations, and network signatures access the same account, the system flags it as potential account sharing — helping protect subscription value and enforce per-user access.

Risk Score is a numerical assessment of explainable risk for every visit. It is calculated from anonymity indicators, cross-layer mismatches, and network signals. A high score indicates an increased probability of an anonymous or masked visit. Every score includes clear reasons for every contributing factor.

How is Risk Score calculated?

Each detected signal contributes to the final score - VPN detection, proxy connection, OS mismatch between browser and network, timezone conflict, data center IP, and more. Risk score reflects the cumulative risk level and explains each factor.

What is traffic risk level?

Traffic risk level is an overall assessment of anonymity across all your traffic. It shows what percentage of visitors are clean, low risk, medium risk, or high risk - giving you visibility into overall traffic quality.

Does ShieldLabs automatically block users?

No. ShieldLabs provides risk score, scoring reasons, and detailed visitor data. The blocking decision is made by you - either manually or through automated rules you configure.

What is an identity graph?

An identity graph is a map of connections between visitors, devices, and accounts. ShieldLabs builds this graph automatically by linking persistent visitor IDs, device fingerprints, and network signals across all sessions — revealing which accounts are connected and the risk level of each connection.

What are abuse patterns?

Abuse patterns are ready-made detection rules that identify suspicious connections between visitors, devices, and accounts — such as many accounts on one device, changing IDs on one account, or many devices on one account. Each pattern flags potential multi-accounting, account sharing, ban evasion, or coordinated abuse.

What is traffic quality?

Traffic quality is a measure of how much of your traffic comes from real, identifiable visitors versus anonymous, masked, or suspicious traffic. ShieldLabs assigns a risk level to your overall traffic and a risk score to every visitor.

How long does integration take?

Integration takes approximately 5 minutes. Add a code snippet to your site, and the system immediately begins anonymous visitor identification and real-time traffic analysis.

Which frameworks are supported?

ShieldLabs supports JavaScript, Next.js, React, Angular, Vue.js, Preact, and Svelte.

Does ShieldLabs provide API and Webhooks?

Yes. Risk score, visitor IDs, and detailed detection signals are available via API and Webhooks in real time for automation of fraud prevention rules and protection scenarios.

Does ShieldLabs affect real users?

No. The system operates in the background and does not require any additional actions from visitors. No CAPTCHAs, no challenges, no friction.

How does pricing work?

ShieldLabs offers transparent per-request pricing with a free tier. Start free, scale as you grow. No enterprise contracts, no "Contact Sales."

Is there a free plan?

Yes. The free plan includes 5,000 requests for initial traffic quality check and anonymous visitor identification.

Can WebRTC reveal a real IP behind a VPN?

Yes, in many configurations. WebRTC gathers network addresses directly from the device, so it can surface a local network address and sometimes the real public one even when other traffic is routed through a VPN. That is why it is described as a leak, and why browsers and privacy tools added controls to limit what WebRTC exposes.

Does WebRTC fingerprinting need permission?

No special permission is required to read the candidate network addresses, because the browser exposes them as part of setting up a connection, and no camera or microphone access is needed for that. Reading the full media device list with labels does require permission, but the network addresses do not.

Is WebRTC leaking my IP address?

It might be. WebRTC can expose your local network address, and in some setups your real public address, even when you are on a VPN, so a site running the check could see an IP your VPN was meant to hide. You can confirm it with a WebRTC leak test, and you can limit it by disabling WebRTC in your browser or using an extension that restricts the addresses it reveals.

How common are WebRTC leaks?

Common enough that browsers and privacy tools added controls for it. Whether a given browser leaks depends on its version and settings: many modern browsers now obscure the local address by default, while others still expose it unless WebRTC is restricted. For a fraud team the takeaway is that a WebRTC-exposed address is a frequent enough signal to be worth reading, but not a guarantee, so it is weighed alongside the rest of the session.

How does ShieldLabs use WebRTC?

ShieldLabs uses WebRTC as part of its network read, never alone. It feeds the anonymity signals that flag a VPN, proxy, or datacenter connection, and helps surface a real origin that does not match what a visitor presents. It contributes to a risk score, your own rules decide the outcome, and the free tier covers your first 5,000 identifications.

Back to blog

June 16, 2026WebRTC Browser fingerprinting Fraud prevention

What is WebRTC fingerprinting? How it reveals a real IP behind a VPN

Vasil MakarchukChief Technology Officer

WebRTC fingerprinting: a browser's real-time connection setup exposing a local and real IP address even behind a VPN

Last updated on June 16, 2026 · 9 min read

WebRTC fingerprinting is a technique that uses a browser's real-time communication features to expose network and device details, the most notable being a local or real IP address, even when the visitor is behind a VPN or proxy. WebRTC is the browser technology for live audio and video, and while it sets up a connection it gathers candidate network addresses. A script can read those without ever starting a call, which is what makes it a fingerprinting and anonymity signal rather than a device-distinguishing detail one.

It is the odd member of the fingerprinting family. Where canvas, WebGL, audio, and fonts measure how a device renders things, WebRTC reads the network underneath. It is most useful not for telling two clean devices apart but for catching a connection that is hiding its origin. This guide explains how it works, what it reveals, and where it fits in fraud detection. It is one of the browser fingerprinting techniques a site reads together.

Key takeaways

WebRTC fingerprinting uses the browser's real-time connection setup to read network details, especially a local network IP and sometimes the real public one.
It can expose a real IP even when the visitor is behind a VPN or proxy, because the address gathering can happen directly from the local machine.
It is less a source of device distinguishing detail and more an anonymity signal, useful for noticing a connection that does not match what it claims.
For fraud detection, a real IP that contradicts a declared VPN or proxy location is a strong hint, read into a risk score rather than acted on alone.

How WebRTC fingerprinting works

WebRTC fingerprinting works by starting the groundwork of a real-time connection and reading what the browser gathers, without ever placing a call. It runs in the background through standard browser APIs.

Open a peer connection. A script uses the WebRTC API to begin setting up a connection, which triggers the browser to find ways it could be reached over the network.
Gather candidate addresses. To do that, the browser uses helper servers to discover the addresses it can offer, and in the process it surfaces the device's local network address and, in some configurations, its real public address.
Read the result. The script reads those candidate addresses straight from the connection object. Combined with the list of supported media devices and codecs, this forms a signal about the network and the machine.

The key point is that this address discovery can run directly from the visitor's machine, so it can reveal an address that the rest of the traffic, routed through a VPN, was meant to hide.

How WebRTC fingerprinting works: a script opens a peer connection, the browser gathers candidate network addresses, and a local or real IP is read from the connection

What WebRTC fingerprinting reveals

WebRTC fingerprinting exposes network and media details rather than rendering quirks:

A local network IP address, the private address the device holds on its own network, which is consistent and not normally visible to a site.
The real public IP address, in setups where the address gathering is not restricted, even when other traffic goes through a VPN.
Connected media devices, a list of microphones, cameras, and speakers the system reports.
Supported codecs and capabilities, the audio and video formats the browser advertises, which vary by configuration.

The address data is the part that matters most. It is not highly distinctive in the way a GPU fingerprint is, but it answers a sharper question: does the network this visitor is actually on match the one they appear to be on?

Property	WebRTC fingerprinting
What it reads	Candidate network addresses gathered during connection setup, plus the connected media devices and supported codecs
What it reveals	A local network IP, sometimes the real public IP even behind a VPN, the list of microphones, cameras, and speakers, and the audio and video formats the browser advertises
Does it need permission?	No permission is needed to read the candidate network addresses; reading the full media device list with labels does require it
How stable is it?	The local address and media list stay consistent for a session and often across sessions; the public address changes with the network, read as a point-in-time fact
Main limitation	Not highly distinctive on its own, so it is rarely used to identify a device in isolation; its strength is corroboration and contradiction

Why it matters for anonymity

WebRTC stands out because it can pierce the thing a VPN or proxy is supposed to provide. When a visitor routes traffic through a VPN, the site normally sees only the VPN's address. WebRTC's address gathering, though, can run from the local machine and surface the real one, which is why privacy guides have long warned about WebRTC leaks and why browsers have added controls for it. In 2016, a study that measured WebRTC across a day of live network traffic documented how broadly it exposes these addresses.

For detection, that is exactly the value. A real address that sits behind a declared VPN, or a local network address that does not fit the story the rest of the session tells, is a clear sign the connection is not what it claims. This ties WebRTC closely to VPN and proxy detection, where the goal is the same: tell an ordinary connection from one that is deliberately masking where it comes from.

What is a WebRTC leak?

A WebRTC leak is the privacy-side name for the mechanism this article describes: the browser exposing a real or local IP address through WebRTC that a VPN or proxy was meant to hide. The phrase shows up most in consumer privacy guides, where the worry is a user's own address slipping out, and where browser extensions and WebRTC leak tests exist to check for it and close it.

It is the same event seen from two sides. To a privacy-conscious user, a WebRTC leak is a problem to fix. To a fraud team, the same exposed address is a useful signal: a real IP that surfaces from behind a declared VPN says the connection is masked, which is exactly the contradiction detection looks for. Same mechanism, opposite goals.

How stable is a WebRTC signal?

A WebRTC signal is stable in a different sense than the rendering techniques. The local network address tends to stay the same while a device is on the same network, and the media device list changes rarely, so both are consistent for a session and often across sessions. The public address changes with the network, as any IP does, so it is read as a point-in-time fact rather than a permanent identifier.

Because it is not a highly distinctive fingerprint on its own, WebRTC is rarely used to identify a device in isolation. Its strength is corroboration and contradiction: it confirms a consistent network picture, or it exposes one that does not add up, and it is read alongside the other browser and network signals.

WebRTC fingerprinting in fraud detection

For fraud detection, the WebRTC signal earns its place by catching a hidden origin. A session can present a clean VPN address and an ordinary fingerprint, but if WebRTC surfaces a real address that disagrees with that VPN, the contradiction is hard to explain away. That is the kind of mismatch that separates a real visitor from one going to some effort to look like one.

It is one input, not a verdict. A real address by itself proves nothing improper, since plenty of legitimate visitors use VPNs, so a defender reads it together with the rest of the signals and lets the combination, not the single fact, move a risk score.

Can WebRTC fingerprinting be blocked?

WebRTC exposure can be reduced, and browsers now give users ways to do it. Firefox can disable the feature, Chrome offers an extension that limits the addresses WebRTC reveals, and privacy browsers restrict or block it by default. For a privacy-minded user, these close the leak.

For a fraud detection system, the act of closing it is informative too. WebRTC fully disabled, or returning no candidate addresses at all, is itself an unusual state that most ordinary visitors are not in. As with the rest of fingerprinting, the move that hides one signal tends to leave another, so a blocked WebRTC is read as one more data point rather than a dead end.

How ShieldLabs uses WebRTC signals

ShieldLabs uses the WebRTC signal as part of its network read, never on its own. It contributes to the anonymity signals that flag a VPN, proxy, or datacenter connection, and it is one of the ways a real origin can surface when it does not match the connection a visitor presents.

Each visit returns a risk score from 0 to 100 with the named signals behind it, alongside the stable device identifier built from the rendering techniques. Because the read happens in the background from data the browser already exposes, it adds no friction for a real visitor, and you act on the score through the API and webhooks while your own rules decide the outcome.

Frequently asked questions

What is WebRTC fingerprinting?: WebRTC fingerprinting is a technique that uses a browser's real-time communication features to read network and device details, most importantly a local or real IP address. A script begins setting up a connection, which makes the browser gather candidate addresses, then reads them without ever placing a call, using the result as a fingerprinting and anonymity signal.
Can WebRTC reveal a real IP behind a VPN?: Yes, in many configurations. WebRTC gathers network addresses directly from the device, so it can surface a local network address and sometimes the real public one even when other traffic is routed through a VPN. That is why it is described as a leak, and why browsers and privacy tools added controls to limit what WebRTC exposes.
Does WebRTC fingerprinting need permission?: No special permission is required to read the candidate network addresses, because the browser exposes them as part of setting up a connection, and no camera or microphone access is needed for that. Reading the full media device list with labels does require permission, but the network addresses do not.
Can WebRTC fingerprinting be blocked?: It can be reduced. Firefox can disable WebRTC, Chrome offers an extension that limits the addresses it reveals, and privacy browsers restrict it by default. For fraud detection, a fully disabled WebRTC or one returning no addresses is itself an unusual state, so the countermeasure becomes a signal rather than a clean block.
Is WebRTC leaking my IP address?: It might be. WebRTC can expose your local network address, and in some setups your real public address, even when you are on a VPN, so a site running the check could see an IP your VPN was meant to hide. You can confirm it with a WebRTC leak test, and you can limit it by disabling WebRTC in your browser or using an extension that restricts the addresses it reveals.
How common are WebRTC leaks?: Common enough that browsers and privacy tools added controls for it. Whether a given browser leaks depends on its version and settings: many modern browsers now obscure the local address by default, while others still expose it unless WebRTC is restricted. For a fraud team the takeaway is that a WebRTC-exposed address is a frequent enough signal to be worth reading, but not a guarantee, so it is weighed alongside the rest of the session.
How does ShieldLabs use WebRTC?: ShieldLabs uses WebRTC as part of its network read, never alone. It feeds the anonymity signals that flag a VPN, proxy, or datacenter connection, and helps surface a real origin that does not match what a visitor presents. It contributes to a risk score, your own rules decide the outcome, and the free tier covers your first 5,000 identifications.

WebGL fingerprinting: a hidden 3D scene rendered by a device's GPU into a distinct hash that identifies the graphics hardware

Browser fingerprinting Device intelligence

What is WebGL fingerprinting? How the GPU gives a device away

WebGL fingerprinting identifies a device by how its GPU renders 3D graphics. How it works, what it reveals, and how it differs from canvas.

Pavel NuryieuHead of ResearchJune 29, 2026

TLS fingerprinting: a client's TLS handshake, its cipher suites and extensions, condensed into a JA3 or JA4 hash that identifies the software behind the connection

Browser fingerprinting Network signals

What is TLS fingerprinting? How JA3 and JA4 identify a client

TLS fingerprinting identifies the software behind a connection from its TLS handshake. How it works, what JA3 and JA4 are, and what it reveals.

Vasil MakarchukChief Technology OfficerJune 29, 2026

Font fingerprinting: the set of fonts installed on a device measured from how text renders, condensed into a value that identifies the device