Advanced BotID Configuration
When you need fine-grained control over BotID's detection levels, you can specify to choose between basic and deep analysis modes on a per-route basis. This configuration takes precedence over the project-level BotID settings in your Vercel dashboard.
Important: The in both client and server configurations must be identical for each protected route. A mismatch between client and server configurations will cause BotID verification to fail, potentially blocking legitimate traffic or allowing bots through. This feature is available in and above
In your client-side protection setup, you can specify the check level for each protected path:
In your server-side endpoint that uses , ensure it matches the client-side configuration.
By default, BotID validates that requests come from the same host that serves the BotID challenge. However, if your application architecture separates your frontend and backend domains (e.g., your app is served from but your API is on or ), you'll need to configure .
The parameter in allows you to specify a list of frontend domains that are permitted to send requests to your backend:
Only add trusted domains to . Each domain in this list can send requests that will be validated by BotID, so ensure these are domains you control.
Use this configuration when:
- Your frontend is hosted on a different domain than your API (e.g., → )
- You have multiple frontend applications that need to access the same protected backend
- Your architecture uses a separate subdomain for API endpoints
You can combine with other advanced options:
When using Pages Router API handlers in development, pass request headers to :
Pages Router requires explicit headers in development. In production, headers are extracted automatically.
Was this helpful?