Browser Device Data
This guide explains how a merchant should collect browser fingerprint and device context on their own systems, then send that data to OpenPath during tokenization and charge requests. OpenPath does not run browser fingerprinting JavaScript on the merchant's behalf. The merchant is responsible for collecting the data in their own checkout or payment experience and placing it into the OpenPath request payload.
Supported OpenPath device fields
Send browser and device context in detail.device.
Example:
{
"detail": {
"device": {
"type": "MOBILE",
"name": "iPhone 15 Pro",
"os": "iOS 18",
"browser": "Mobile Safari",
"user_agent": "Mozilla/5.0 AppleWebKit/605.1.15 Version/18.0 Mobile/15E148 Safari/604.1",
"language": "en-US",
"screen": "1179x2556 3x",
"timezone": "America/Los_Angeles"
}
}
}Field guidance
| Field | Description | Recommended source |
|---|---|---|
type | General device category such as MOBILE, TABLET, or DESKTOP. | Derive from user agent or device detection logic. |
name | Human-readable device name. | Best effort from browser data. Exact hardware model is not always available in browsers. |
os | Operating system name and version. | Browser APIs or user-agent parsing. |
browser | Browser name and version family. | Browser APIs or user-agent parsing. |
user_agent | Raw browser user-agent string. | navigator.userAgent. |
language | Preferred browser language. | navigator.language or navigator.languages[0]. |
screen | Screen resolution plus pixel density, for example 1179x2556 3x. | screen.width, screen.height, and devicePixelRatio. |
timezone | IANA time zone identifier such as America/Los_Angeles. | Intl.DateTimeFormat().resolvedOptions().timeZone. |
Important notes
- Collect the device data in the browser before you submit the tokenization or charge request.
- Send only data that you collect directly from the client or from your approved fraud tooling.
- Not every browser exposes an exact device model. For example, iOS Safari often exposes
iPhonebut notiPhone 15 Pro. A best-effort value is acceptable. - If you have a stable device or visitor identifier from your own tooling or a third-party provider, place that value in
detail.device.sense_key. - Load any third-party JavaScript only over HTTPS, and review the vendor's CSP and domain allowlist requirements before enabling it in production.
Third-party JavaScript options
For the exact OpenPath fields above, standard browser APIs are usually enough. A third-party fingerprinting product is most useful when the merchant also wants a stable device identifier, visitor ID, request token, or higher-confidence fraud signals.
OpenPath does not certify or audit these vendors. The links below are examples of vendors that publish implementation and security or compliance information. The merchant should still complete their own legal, security, privacy, and architecture review before using any third-party script.
Fingerprint
- JavaScript agent docs: Install the JavaScript agent
- Privacy and compliance: Privacy and compliance
- Trust center: Fingerprint Trust Center
Suggested OpenPath mapping:
visitorIdor similar identifier ->detail.device.sense_key- Additional vendor outputs such as confidence, bot, VPN, or incognito signals -> root
metadata
MaxMind minFraud device tracking
- Browser integration docs: Track devices on the web
- Security and compliance overview: Commitment to security
Suggested OpenPath mapping:
- MaxMind
trackingTokenor device tracking token ->detail.device.sense_key - Additional MaxMind-only outputs -> root
metadata
Castle Browser SDK
- Browser SDK docs: Castle Browser SDK
- Security/compliance reference: Castle is now SOC 2 Type 2 compliant
Suggested OpenPath mapping:
- Castle request token or device fingerprint value ->
detail.device.sense_key - Additional Castle-only outputs -> root
metadata
OpenPath sample JavaScript
OpenPath provides a sample browser-side helper here:
- browser-device-data-sample.js this sample:
- Collects the supported OpenPath device fields using built-in browser APIs.
- Uses best-effort parsing for
type,name,os, andbrowser. - Can optionally create a per-session
sense_key. - Includes a helper that converts extra fingerprint data into OpenPath
metadataentries.
Example usage
<script src="./examples/browser-device-data-sample.js"></script>
<script>
const device = window.OpenPathDeviceData.collect({
includeSessionSenseKey: true
});
console.log(device);
</script>Example output:
{
"sense_key": "9f4d0e06-fc79-40bc-95f8-a2788c3baf1b",
"type": "MOBILE",
"name": "iPhone",
"os": "iOS 18.0",
"browser": "Mobile Safari",
"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1",
"language": "en-US",
"screen": "1179x2556 3x",
"timezone": "America/Los_Angeles"
}Sending device data to OpenPath
The same detail.device shape can be sent to either the tokenization endpoint or the charge endpoint.
Tokenization endpoint
Endpoint:
POST /Tokenization/get-payment-token
Authorization: Bearer <access-token>
Content-Type: application/jsonExample request:
{
"credit_card": {
"name_on_card": "Avery Johnson",
"number": "4111111111111111",
"cvv": "123",
"expiration_month": 12,
"expiration_year": 2030,
"billing_address": {
"address_line1": "475 Market Street",
"address_line2": "Suite 2200",
"city": "San Francisco",
"region": "CA",
"postal_code": "94105",
"country": "US"
}
},
"detail": {
"ip_address": "198.51.100.42",
"device": {
"sense_key": "visitor_01JTPY1Q8K3V5S7R9M2N4A6BCD",
"type": "MOBILE",
"name": "iPhone",
"os": "iOS 18.0",
"browser": "Mobile Safari",
"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1",
"language": "en-US",
"screen": "1179x2556 3x",
"timezone": "America/Los_Angeles"
}
}
}Charge endpoint
Endpoint:
POST /Transaction/charge
Authorization: Bearer <access-token>
Content-Type: application/jsonExample request:
{
"capture": true,
"token": "payment_8QmX2K1vR4yN9cL6",
"customer": {
"first_name": "Avery",
"last_name": "Johnson",
"email_address": "[email protected]",
"phone_number": "+14155550199"
},
"detail": {
"amount": 99.31,
"order_id": "ORD-20260521-1001",
"currency": "USD",
"ip_address": "198.51.100.42",
"device": {
"sense_key": "visitor_01JTPY1Q8K3V5S7R9M2N4A6BCD",
"type": "MOBILE",
"name": "iPhone",
"os": "iOS 18.0",
"browser": "Mobile Safari",
"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1",
"language": "en-US",
"screen": "1179x2556 3x",
"timezone": "America/Los_Angeles"
}
}
}Bonus: sending extra fingerprint data in metadata
If the merchant collects additional fingerprint data that is outside the documented OpenPath detail.device fields, send that extra information in the root metadata array.
This keeps the request inside the documented contract and avoids introducing custom fields under detail.device.
Metadata rules
attributeis the metadata key name.valueis the metadata value.value_typemust currently be one ofstring,number, ordecimal.- If the merchant has a boolean value such as
incognito: true, convert it to a string such as"true"and send it withvalue_type: "string".
Example:
{
"token": "payment_8QmX2K1vR4yN9cL6",
"detail": {
"amount": 99.31,
"currency": "USD",
"device": {
"sense_key": "visitor_01JTPY1Q8K3V5S7R9M2N4A6BCD",
"type": "MOBILE",
"name": "iPhone",
"os": "iOS 18.0",
"browser": "Mobile Safari",
"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1",
"language": "en-US",
"screen": "1179x2556 3x",
"timezone": "America/Los_Angeles"
}
},
"metadata": [
{
"attribute": "fingerprint.visitor_id",
"value": "visitor_01JTPY1Q8K3V5S7R9M2N4A6BCD",
"value_type": "string"
},
{
"attribute": "fingerprint.confidence_score",
"value": 0.99,
"value_type": "decimal"
},
{
"attribute": "fingerprint.incognito",
"value": "true",
"value_type": "string"
},
{
"attribute": "fingerprint.bot_score",
"value": 42,
"value_type": "number"
}
]
}Sample metadata helper usage
The sample file includes window.OpenPathDeviceData.metadataFromObject(...).
Example:
<script src="./examples/browser-device-data-sample.js"></script>
<script>
const extraFingerprintData = {
visitor_id: "visitor_01JTPY1Q8K3V5S7R9M2N4A6BCD",
confidence_score: 0.99,
incognito: true,
bot_score: 42
};
const metadata = window.OpenPathDeviceData.metadataFromObject(
extraFingerprintData,
"fingerprint"
);
console.log(metadata);
</script>Updated about 2 months ago