In many verticals, and especially in Web3, bots can be a problem. The potential for profit incentivizes bot operators to use automated tools to buy and sell your products or assets. This can lead to unfair competition, price manipulation, and reduced availability of goods for legitimate buyers.
In the context of your Co:Create application, these unauthentic users can increase your organization's operational costs. If you suspect your platform may be subject to bot attacks, it’s important to take measures to make it difficult for bots to operate within your application.
There are a number of ways in which you can go about doing this:
Prevents bots from flooding your application with requests. Rate limiting is done by putting a threshold on the number of requests a user can make in a specific time frame. Many platforms, like Supabase, support the configuration of rate limits out-of-the-box, as do API gateways like Amazon API Gateway.
They are user-facing guessing games designed to differentiate between human users and bots. Captchas require users to perform a task that is difficult for bots to complete, such as identifying specific images (e.g. traffic lights) or typing in a sequence of characters.
Authentication providers like Auth0 can provide Captcha out-of-the-box, and Google offers a solution that can be configured in various locations throughout your website. 
Disposable email domain blocking
Bots will often use disposable email domains to set up accounts in bulk. Preventing disposable email domains from signing up to your application will limit the number of spam accounts created in your application. A community-maintained list of domains like this one can be blacklisted by your application.
Blocking IP addresses that are associated with bot activity by maintaining a blacklist of IP addresses that have been identified as being associated with bots, or using a platform that does this for you.
You can require users to sign up with a social login provider like Twitter or Facebook before they can start using your platform. This will effectively help filter bots at the Twitter or Facebook level.
Our SDK supports Twitter Connect out of the box with a 5 min integration 
You can identify bots by monitoring the devices they operate from:
a combination of device ID, browser used, and operating system. Again, maintaining a blacklist of them.
Ultimately, you will likely want to choose a combination of these measures to help protect your application, which depends largely on your business needs, along with the time & resources you are willing to invest.
When integrating the Co:Create API, requests come from your server’s backend. In each request, your API key is passed in the headers to authenticate the request. Our platform assumes that every request your server makes with your API key is valid.
We have implemented rate limiting on our endpoints, but a significant part of bot mitigation has to take place on your application's end, which we have no control over. Also, because applications differ vastly in business logic and implementation choices, we cannot provide bespoke solutions to validate whether requests are from authentic users or not.
We understand that bot attacks can be costly & painful. If you are experiencing an attack, let us know as soon as possible. We will attempt to help stop the attack and help you remove spam accounts from your system.
Updated 4 months ago