Browser Device Data

This guide explains how a merchant should collect browser fingerprint and device context on their own systems, then send that data to OpenPath during tokenization and charge requests. OpenPath does not run browser fingerprinting JavaScript on the merchant's behalf. The merchant is responsible for collecting the data in their own checkout or payment experience and placing it into the OpenPath request payload.


Supported OpenPath device fields

Send browser and device context in detail.device.

Example:

{
  "detail": {
    "device": {
      "type": "MOBILE",
      "name": "iPhone 15 Pro",
      "os": "iOS 18",
      "browser": "Mobile Safari",
      "user_agent": "Mozilla/5.0 AppleWebKit/605.1.15 Version/18.0 Mobile/15E148 Safari/604.1",
      "language": "en-US",
      "screen": "1179x2556 3x",
      "timezone": "America/Los_Angeles"
    }
  }
}

Field guidance

FieldDescriptionRecommended source
typeGeneral device category such as MOBILE, TABLET, or DESKTOP.Derive from user agent or device detection logic.
nameHuman-readable device name.Best effort from browser data. Exact hardware model is not always available in browsers.
osOperating system name and version.Browser APIs or user-agent parsing.
browserBrowser name and version family.Browser APIs or user-agent parsing.
user_agentRaw browser user-agent string.navigator.userAgent.
languagePreferred browser language.navigator.language or navigator.languages[0].
screenScreen resolution plus pixel density, for example 1179x2556 3x.screen.width, screen.height, and devicePixelRatio.
timezoneIANA time zone identifier such as America/Los_Angeles.Intl.DateTimeFormat().resolvedOptions().timeZone.

Important notes

  • Collect the device data in the browser before you submit the tokenization or charge request.
  • Send only data that you collect directly from the client or from your approved fraud tooling.
  • Not every browser exposes an exact device model. For example, iOS Safari often exposes iPhone but not iPhone 15 Pro. A best-effort value is acceptable.
  • If you have a stable device or visitor identifier from your own tooling or a third-party provider, place that value in detail.device.sense_key.
  • Load any third-party JavaScript only over HTTPS, and review the vendor's CSP and domain allowlist requirements before enabling it in production.

Third-party JavaScript options

For the exact OpenPath fields above, standard browser APIs are usually enough. A third-party fingerprinting product is most useful when the merchant also wants a stable device identifier, visitor ID, request token, or higher-confidence fraud signals.

OpenPath does not certify or audit these vendors. The links below are examples of vendors that publish implementation and security or compliance information. The merchant should still complete their own legal, security, privacy, and architecture review before using any third-party script.

Fingerprint

Suggested OpenPath mapping:

  • visitorId or similar identifier -> detail.device.sense_key
  • Additional vendor outputs such as confidence, bot, VPN, or incognito signals -> root metadata

MaxMind minFraud device tracking

Suggested OpenPath mapping:

  • MaxMind trackingToken or device tracking token -> detail.device.sense_key
  • Additional MaxMind-only outputs -> root metadata

Castle Browser SDK

Suggested OpenPath mapping:

  • Castle request token or device fingerprint value -> detail.device.sense_key
  • Additional Castle-only outputs -> root metadata

OpenPath sample JavaScript

OpenPath provides a sample browser-side helper here:

  • browser-device-data-sample.js this sample:
  • Collects the supported OpenPath device fields using built-in browser APIs.
  • Uses best-effort parsing for type, name, os, and browser.
  • Can optionally create a per-session sense_key.
  • Includes a helper that converts extra fingerprint data into OpenPath metadata entries.

Example usage

<script src="./examples/browser-device-data-sample.js"></script>
<script>
  const device = window.OpenPathDeviceData.collect({
    includeSessionSenseKey: true
  });

  console.log(device);
</script>

Example output:

{
  "sense_key": "9f4d0e06-fc79-40bc-95f8-a2788c3baf1b",
  "type": "MOBILE",
  "name": "iPhone",
  "os": "iOS 18.0",
  "browser": "Mobile Safari",
  "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1",
  "language": "en-US",
  "screen": "1179x2556 3x",
  "timezone": "America/Los_Angeles"
}

Sending device data to OpenPath

The same detail.device shape can be sent to either the tokenization endpoint or the charge endpoint.

Tokenization endpoint

Endpoint:

POST /Tokenization/get-payment-token
Authorization: Bearer <access-token>
Content-Type: application/json

Example request:

{
  "credit_card": {
    "name_on_card": "Avery Johnson",
    "number": "4111111111111111",
    "cvv": "123",
    "expiration_month": 12,
    "expiration_year": 2030,
    "billing_address": {
      "address_line1": "475 Market Street",
      "address_line2": "Suite 2200",
      "city": "San Francisco",
      "region": "CA",
      "postal_code": "94105",
      "country": "US"
    }
  },
  "detail": {
    "ip_address": "198.51.100.42",
    "device": {
      "sense_key": "visitor_01JTPY1Q8K3V5S7R9M2N4A6BCD",
      "type": "MOBILE",
      "name": "iPhone",
      "os": "iOS 18.0",
      "browser": "Mobile Safari",
      "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1",
      "language": "en-US",
      "screen": "1179x2556 3x",
      "timezone": "America/Los_Angeles"
    }
  }
}

Charge endpoint

Endpoint:

POST /Transaction/charge
Authorization: Bearer <access-token>
Content-Type: application/json

Example request:

{
  "capture": true,
  "token": "payment_8QmX2K1vR4yN9cL6",
  "customer": {
    "first_name": "Avery",
    "last_name": "Johnson",
    "email_address": "[email protected]",
    "phone_number": "+14155550199"
  },
  "detail": {
    "amount": 99.31,
    "order_id": "ORD-20260521-1001",
    "currency": "USD",
    "ip_address": "198.51.100.42",
    "device": {
      "sense_key": "visitor_01JTPY1Q8K3V5S7R9M2N4A6BCD",
      "type": "MOBILE",
      "name": "iPhone",
      "os": "iOS 18.0",
      "browser": "Mobile Safari",
      "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1",
      "language": "en-US",
      "screen": "1179x2556 3x",
      "timezone": "America/Los_Angeles"
    }
  }
}

Bonus: sending extra fingerprint data in metadata

If the merchant collects additional fingerprint data that is outside the documented OpenPath detail.device fields, send that extra information in the root metadata array.

This keeps the request inside the documented contract and avoids introducing custom fields under detail.device.

Metadata rules

  • attribute is the metadata key name.
  • value is the metadata value.
  • value_type must currently be one of string, number, or decimal.
  • If the merchant has a boolean value such as incognito: true, convert it to a string such as "true" and send it with value_type: "string".

Example:

{
  "token": "payment_8QmX2K1vR4yN9cL6",
  "detail": {
    "amount": 99.31,
    "currency": "USD",
    "device": {
      "sense_key": "visitor_01JTPY1Q8K3V5S7R9M2N4A6BCD",
      "type": "MOBILE",
      "name": "iPhone",
      "os": "iOS 18.0",
      "browser": "Mobile Safari",
      "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1",
      "language": "en-US",
      "screen": "1179x2556 3x",
      "timezone": "America/Los_Angeles"
    }
  },
  "metadata": [
    {
      "attribute": "fingerprint.visitor_id",
      "value": "visitor_01JTPY1Q8K3V5S7R9M2N4A6BCD",
      "value_type": "string"
    },
    {
      "attribute": "fingerprint.confidence_score",
      "value": 0.99,
      "value_type": "decimal"
    },
    {
      "attribute": "fingerprint.incognito",
      "value": "true",
      "value_type": "string"
    },
    {
      "attribute": "fingerprint.bot_score",
      "value": 42,
      "value_type": "number"
    }
  ]
}

Sample metadata helper usage

The sample file includes window.OpenPathDeviceData.metadataFromObject(...).

Example:

<script src="./examples/browser-device-data-sample.js"></script>
<script>
  const extraFingerprintData = {
    visitor_id: "visitor_01JTPY1Q8K3V5S7R9M2N4A6BCD",
    confidence_score: 0.99,
    incognito: true,
    bot_score: 42
  };

  const metadata = window.OpenPathDeviceData.metadataFromObject(
    extraFingerprintData,
    "fingerprint"
  );

  console.log(metadata);
</script>

Did this page help you?