Overview
In this quickstart, you’ll add Fingerprint to a Java server using the Spring Boot framework to prevent fraudulent account creation. The example use case in this quickstart is stopping new account fraud, where attackers create multiple fake accounts to abuse promotions, exploit systems, or evade bans. However, the steps you’ll follow apply to most use cases. You can flag and block suspicious users by identifying the device behind each sign-up attempt, login, or transaction. In this quickstart, you’ll learn how to:- Set up a Spring Boot server with a Fingerprint integration
- Retrieve visitor identification data using the Server API
- Block bots and suspicious devices
- Prevent multiple signups from the same device
Estimated time: < 10 minutes
Prerequisites
Before you begin, make sure you have the following:- A completed frontend or mobile Fingerprint implementation (See the quickstarts)
- Java (v11, v17, v21, or v25) installed
- Your favorite code editor or IDE
- Basic knowledge of Java and Spring Boot
1. Get your secret API key
If you’re ready:
- Sign in and go to the API keys page in the Fingerprint dashboard.
- Create a new secret API key.
- Copy it somewhere safe so you can use it to retrieve full visitor identification data from the Server API.
2. Set up your project
To get started, you need a basic Spring Boot server. If you already have a project, skip to the next step.- Go to start.spring.io
- Configure the project:
- Project: Maven (or Gradle if you prefer)
- Language: Java
- Spring Boot: 3.x latest version
- Dependencies:
- Spring Web
- Spring Data JPA
- Everything else can remain as default
- Click Generate to download the starter project and unzip it.
- Open the project in your IDE and add these dependencies to your build file:
pom.xml
build.gradle
- Maven:
Terminal
- Gradle:
Terminal
- Update the file at
src/main/resources/application.propertieswith the following content:
application.properties
spring.jpa.hibernate.ddl-auto=create-drop is for demo purposes to reset the database each time the app starts.
- Create a basic controller
src/main/java/com/example/demo/AccountController.java:
AccountController.java
- Create a data transfer object (DTO) class to represent the JSON payload your frontend will send when creating an account at
src/main/java/com/example/demo/CreateAccountRequest.java:
CreateAccountRequest.java
/api/create-account route should match what you have set up in your frontend implementation where you are sending the Fingerprint requestId to your server. Your server will receive the initial identification information from identifying a visitor on the frontend and use it to get the full visitor data on the backend.
3. Initialize Fingerprint and retrieve visitor data
Now you’ll configure the Fingerprint Java Server SDK using your secret API key and use it to fetch detailed visitor data for each signup attempt. When making the initial visitor identification request in the frontend, you received arequestId. This ID is unique to each identification event. Your server can then use the Fingerprint Events API to retrieve complete identification data, including the trusted visitor ID and other actionable insights like whether they are using a VPN or are a bot.
- Create a Fingerprint configuration class
src/main/java/com/example/demo/FingerprintConfig.java:
FingerprintConfig.java
- Update your
AccountControllerto use the Fingerprint API and retrieve the full visitor identification details withgetEvent():
requestId vs event_id: Depending on which quickstart you completed, your frontend may send
either
requestId (older SDKs) or event_id (v4 and newer). Both refer to the same
identification event and work with the Server API in the same way. Use whichever value your
frontend sends (requestId or event_id) as the requestId you pass to getEvent() below.AccountController.java
requestId the Fingerprint server client will retrieve the full data for the visitor identification request. The returned object will contain the visitor ID, IP address, device and browser details, and Smart Signals like bot detection, incognito mode detection, and detections for VPN or virtual machine use.
You can see a full example of the event structure, and test it with your own device, in the demo playground.
For additional checks to ensure the validity of the data coming from your frontend view how to protect from client-side tampering and replay attacks.
4. Block bots and suspicious devices
This optional step uses the Bot Detection Smart Signal which is available only on paid plans.
event object includes the Bot Detection Smart Signal that flags automated activity, making it easy to reject bot traffic.
- Continuing in your
/api/create-accountroute, check the bot signal returned in theeventobject:
AccountController.java
good for known bots like search engines, bad for automation tools, headless browsers, or other signs of automation, and notDetected when no bot activity is found. You can also layer in other Smart Signals to catch more suspicious devices. For example, you can use Fingerprint’s Suspect Score to determine when to add additional friction to create an account.
5. Prevent multiple signups from the same device
To catch repeated signups from the same device, you can use thevisitorId from the Fingerprint identification event. By saving this ID alongside each created account, you can detect and block duplicate signups from the same device. We’ll be using a simple database to demonstrate how this works with SQLite.
- Create an Account entity
src/main/java/com/example/demo/Account.java:
Account.java
- Create a repository interface
src/main/java/com/example/demo/AccountRepository.java:
AccountRepository.java
- Update your
AccountControllerto use the database and check for existing accounts:
AccountController.java
This is a minimal example to show how to use the Fingerprint Java Server SDK. In a real
application, make sure to implement proper security practices, especially around password handling
and storage.
6. Test your implementation
Now that everything is set up, you can test the full flow using your existing frontend.Before you test
If your frontend is running on a different port (like localhost:5173 or localhost:3001), you may run into CORS issues for testing. To quickly fix this for local development & testing:- Add the
@CrossOriginannotation to yourAccountController:
AccountController.java
Test the implementation
- Start your Spring Boot server:
- Maven:
Terminal
- Gradle:
Terminal
- In your frontend, trigger a sign-up request that sends the
requestId,username, andpasswordto your/api/create-accountendpoint. To see the reply messages make sure to parse and display or console log the response from your server. - Within your frontend, input a username and password to create a user. Then try to create another user and see that the second attempt will be rejected.
- Bonus: Try creating an account using a headless browser.