Skip to main content

Origin Verification Token API

The Origin Verification Token API helps protect sensitive frontend-to-backend requests with an additional verification signal.

With this flow, AgentJS generates a short-lived token in the browser, and your backend validates that token with the IntelliFend Java SDK before processing the request.

Use this flow when:

  • your frontend calls a sensitive API directly
  • you want an additional phishing detection signal before processing the request
  • AgentJS is already loaded on the page
note

This is an additional protection signal. It should be used together with your existing authentication, CSRF protection, and other application security controls.

End-to-end flow

  1. Load AgentJS on the page.
  2. Generate a verification token immediately before calling the protected API.
  3. Send that token to your backend together with the request.
  4. Pass the raw Origin header and the token to the IntelliFend Java SDK.
  5. Reject or challenge the request when the SDK marks it as suspicious.

Frontend API

window._intellifend.secret.generate(): string | null

Generates a short-lived verification token for the current page context.

Important behavior:

  • returns a token string when AgentJS is ready
  • returns null when the token cannot be generated
  • should be called immediately before the protected request

Prerequisites

  • AgentJS must be loaded on the page
  • AgentJS must be initialized with the same app token that your backend uses for validation
  • call generate() only after window._intellifend.secret.generate is available

Example of loading AgentJS:

AgentJS script
!(function (a, b, c, d, e, f, g, h) {
        a.sikey = e;
        a.fpendpoint = f;
        a.siendpoint = g;
        a.csignaluri = h;
        var m = b.createElement(c), n = b.getElementsByTagName(c)[0];
        m.async = 1, m.src = d, n.parentNode.insertBefore(m, n);
})(window, document, 'script', 'https://static.intellifend.com/agentjs/latest/tags-fast.js', ['{client_token}', '', []], 'https://tls-fp.intellifend.com/', 'https://app.intellifend.com', '');

Example of sending the verification token to your backend:

Frontend example
async function callProtectedApi(payload) {
  const secretToken = window._intellifend?.secret?.generate();

  if (!secretToken) {
    throw new Error("IntelliFend verification token is not available.");
  }

  const response = await fetch("/api/transfer", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "X-Intellifend-Secret": secretToken
    },
    body: JSON.stringify(payload)
  });

  return response.json();
}
tip

IntelliFend does not require a specific transport format for the token. Sending it in a dedicated request header is one example.

Backend API (IntelliFend SDK)

Maven dependency

pom.xml
<repositories>
    <repository>
        <id>intellifend-maven</id>
        <url>https://registry.intellifend.com/api/v4/projects/285/packages/maven</url>
    </repository>
</repositories>

<dependencies>
    <dependency>
        <groupId>com.intellifend.sdk</groupId>
        <artifactId>intellifend-client</artifactId>
        <version>1.2.0</version>
    </dependency>
</dependencies>

boolean isPhishing(String originHeader, String appToken, String secretToken)

Validates the request using the raw Origin header and the verification token.

Parameters:

  • originHeader: the raw Origin header from the incoming request
  • appToken: the same IntelliFend app token used by AgentJS
  • secretToken: the verification token generated in the browser

Return value:

  • false: the request passes verification
  • true: the request should be treated as suspicious

The SDK normalizes the raw Origin value internally. You should pass the raw header directly instead of extracting or rewriting the hostname yourself.

Example backend validation:

Spring Boot example
import com.intellifend.sdk.client.IntellifendClient;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletRequest;

@RestController
@RequestMapping("/api")
public class PaymentController {

    private static final String APP_TOKEN = System.getenv("INTELLIFEND_APP_TOKEN");
    private final IntellifendClient intellifendClient = new IntellifendClient();

    @PostMapping("/transfer")
    public ResponseEntity<?> transfer(
            @RequestHeader("X-Intellifend-Secret") String secretToken,
            HttpServletRequest request) {

        String originHeader = request.getHeader("Origin");

        if (intellifendClient.isPhishing(originHeader, APP_TOKEN, secretToken)) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("Verification failed.");
        }

        return ResponseEntity.ok("ok");
    }
}

SecretTokenClaims decodeSecretToken(String appToken, String secretToken)

Decodes a valid verification token into its claims for advanced validation flows.

Use this method when you need to read the original hostname stored in the token, for example in custom proxy or mirror-domain setups where your backend cannot directly compare against the browser-visible domain.

Available claims:

  • domain: the normalized hostname stored in the token
  • expiresAt: token expiry time in epoch milliseconds
  • salt: the random token salt

If the token is malformed, expired, or cannot be validated with the supplied app token, the method throws IllegalArgumentException.

Example of decoding a token:

Example
import com.intellifend.sdk.client.IntellifendClient;
import com.intellifend.sdk.client.SecretTokenClaims;

IntellifendClient client = new IntellifendClient();
SecretTokenClaims claims = client.decodeSecretToken(APP_TOKEN, secretToken);

String tokenDomain = claims.getDomain();
long expiresAt = claims.getExpiresAt();
String salt = claims.getSalt();

Integration notes

  • generate the token immediately before the protected API request
  • use the same IntelliFend app token on both the frontend and backend
  • forward the token from frontend to backend as part of the request
  • pass the raw Origin header to the Java SDK
  • if verification fails, reject or challenge the request based on your application flow
  • use HTTPS so the token is protected in transit

Summary

This API gives you an additional phishing detection signal for protected application requests:

  • AgentJS generates a short-lived verification token in the browser
  • your frontend forwards that token with the request
  • your backend validates the request with the IntelliFend Java SDK
  • your application can reject or challenge suspicious requests before continuing