Radar
Layered defense against bots, credential stuffing, and automated threats with configurable providers and detection rules.
Radar is Banata Auth's layered defense system against bots, credential stuffing, impossible travel attacks, and other automated threats. It combines configurable bot detection providers with built-in detection rules to protect your authentication endpoints from multiple angles.
You configure everything from the dashboard — choose a provider, enter your credentials, toggle detection rules — and your app picks up the changes automatically. No redeployments required.
Supported Providers
Radar supports four bot detection providers. You can switch between them at any time from the dashboard.
| Provider | Credentials Required | Hosting | Description |
|---|---|---|---|
| Vercel BotID | API Key | Vercel only | Invisible challenge with zero user friction |
| Cloudflare Turnstile | Site Key, Secret Key | Any | Privacy-focused CAPTCHA alternative |
| Google reCAPTCHA | Site Key, Secret Key | Any | Score-based bot detection (v3) |
| hCaptcha | Site Key, Secret Key | Any | Privacy-first CAPTCHA |
Enable and Configure Radar in the Dashboard
Turn on Radar
- Open your project in the dashboard
- Navigate to Radar in the sidebar
- Click Enable protection
- The status card turns green to confirm your project is protected
Configure Detection Rules
- Click the Configuration tab
- Toggle individual detection rules on or off (see the table below for what each rule does)
- Changes save automatically
Set Up a Bot Detection Provider
- In the Configuration tab, toggle Bot detection on
- Under Bot Detection Provider, select your provider from the dropdown
- Enter the required credentials for that provider
- Click Save credentials
- A success toast confirms the save
Review the Overview Tab
The Overview tab shows detection statistics — total detections, allowed requests, challenged requests, and blocked requests — along with a timeline chart. These populate once Radar is handling real traffic.
If a bot provider is configured, an info banner shows which one is active. If none is configured, a warning banner prompts you to set one up.
Detection Rules
Radar provides four detection rules that work alongside your chosen bot provider for defense in depth.
| Rule | Default | Description |
|---|---|---|
| Impossible travel detection | On | Flags sign-ins from geographically impossible locations within short time windows |
| Device fingerprinting | On | Tracks device characteristics to identify suspicious sign-in patterns |
| Rate limiting | Off | Limits authentication attempts from a single IP address or user account |
| Bot detection | Off | Uses behavioral analysis to detect automated sign-in attempts |
When you first enable Radar, impossible travel detection and device fingerprinting are turned on by default. Rate limiting and bot detection are off by default — enable them when you want stricter protection.
Add Bot Protection to Your App
Once you have configured a provider in the dashboard, wire up your Next.js route handler to verify requests at runtime.
Config-Aware Approach (Recommended)
This approach reads your provider credentials from the dashboard automatically. When you change the provider or credentials in the dashboard, the change takes effect within one minute.
```ts
// app/api/auth/[...all]/route.ts
import { createRouteHandler } from "@banata-auth/nextjs";
import { withBotProtection, createConfigAwareVerifier } from "@banata-auth/nextjs/bot-protection";

const handler = createRouteHandler({
  apiKey: process.env.BANATA_API_KEY!,
  authUrl: process.env.BANATA_AUTH_URL,
});

// Reads the active provider and its credentials from the dashboard config.
const verify = createConfigAwareVerifier({
  configApiUrl: process.env.NEXT_PUBLIC_APP_URL + "/api/auth",
});

export const GET = handler.GET;
// POST requests go through bot verification before reaching the auth handler.
export const POST = withBotProtection(handler.POST, { verify });
```

Direct Provider Approach (Vercel BotID)
If you are deployed on Vercel with BotID installed, you can wire it up directly without reading from the dashboard config.
```ts
import { withBotProtection, createBotIdVerifier } from "@banata-auth/nextjs/bot-protection";
import { checkBotId } from "botid/server";

// `handler` is the createRouteHandler(...) instance from the route file shown above.
const verify = createBotIdVerifier(checkBotId);

export const GET = handler.GET;
export const POST = withBotProtection(handler.POST, { verify });
```

For the full API reference and all provider details, see the Bot Protection documentation.
Combining with Rate Limiting
Radar's rate limiting detection rule complements Banata Auth's built-in per-endpoint rate limiting. The built-in rate limiter caps requests to specific auth endpoints (for example, 30 sign-in attempts per minute), while Radar's rate limiting looks at broader patterns across multiple endpoints and time windows. For maximum protection, enable both.
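The two layers catch different traffic shapes. The sketch below is an added example, not Banata Auth or Radar code: it replays a constructed request log through a per-endpoint cap (the 30 per minute figure above) and through an assumed ten-minute budget across all auth endpoints. The endpoint paths, IP addresses and the budget of 200 are assumptions made for the illustration.

```typescript
// Added illustration. Only the 30/min cap comes from the page; the ten-minute
// budget, the endpoint paths and the IP addresses are constructed.
type AuthEvent = { t: number; ip: string; endpoint: string }; // t in milliseconds
type Tally = { endpointCap: number; globalBudget: number };
const MINUTE = 60 * 1000;

// Events from `ip` in the window (t - windowMs, t], optionally on one endpoint only.
function countRecent(log: AuthEvent[], ip: string, t: number, windowMs: number,
                     endpoint?: string): number {
  return log.filter((e) => e.ip === ip && e.t > t - windowMs && e.t <= t &&
    (endpoint === undefined || e.endpoint === endpoint)).length;
}

// Layer 1: per-endpoint cap, more than `cap` hits on one endpoint within a minute.
function overEndpointCap(log: AuthEvent[], e: AuthEvent, cap: number = 30): boolean {
  return countRecent(log, e.ip, e.t, MINUTE, e.endpoint) > cap;
}

// Layer 2: broader pattern, all auth endpoints together over ten minutes.
function overGlobalBudget(log: AuthEvent[], e: AuthEvent, budget: number = 200): boolean {
  return countRecent(log, e.ip, e.t, 10 * MINUTE) > budget;
}

// Per IP, count the requests each layer would have stopped.
function evaluate(log: AuthEvent[]): Record<string, Tally> {
  const out: Record<string, Tally> = {};
  for (const e of log) {
    const row = out[e.ip] ?? { endpointCap: 0, globalBudget: 0 };
    if (overEndpointCap(log, e)) row.endpointCap += 1;
    if (overGlobalBudget(log, e)) row.globalBudget += 1;
    out[e.ip] = row;
  }
  return out;
}

// Constructed traffic: one source spreads a request every 2 s over three endpoints
// for ten minutes; another sends 40 sign-ins in 40 s.
function sampleLog(): AuthEvent[] {
  const log: AuthEvent[] = [];
  for (let i = 0; i < 300; i++) {
    const endpoint = i % 3 === 0 ? "/sign-in" : i % 3 === 1 ? "/forgot-password" : "/verify-otp";
    log.push({ t: i * 2000, ip: "203.0.113.7", endpoint });
  }
  for (let i = 0; i < 40; i++) log.push({ t: i * 1000, ip: "198.51.100.9", endpoint: "/sign-in" });
  return log;
}
```

The first source never exceeds the per-endpoint cap and is stopped only by the cross-endpoint budget; the burst source is stopped only by the per-endpoint cap.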
Troubleshooting
"Bot detected. Access denied." (403) — The provider flagged the request as automated. Verify that the provider's client-side widget loaded correctly in your layout or form, and check for browser extensions that might interfere with the challenge.
"Radar enabled but no protection" — Confirm that a bot provider is selected and credentials are saved in the dashboard. Then check that your route handler uses withBotProtection() with either createConfigAwareVerifier() or a direct verifier. For Vercel BotID, make sure withBotId() is in next.config.ts and <BotIdClient> is in the layout.
"Credentials not taking effect" — The config-aware verifier caches the Radar config for one minute by default. Wait up to one minute after saving new credentials for them to take effect.
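What the one-minute cache means during a credential rotation, as an added sketch that is not the `@banata-auth/nextjs` implementation: `createCachedVerifier`, the mock provider check and all secrets and tokens are hypothetical, and failing closed when no config has ever been fetched is a design choice of this sketch.

```typescript
// Added sketch of a TTL-cached verifier; not the @banata-auth/nextjs source.
type RadarConfig = { provider: string; secretKey: string };

// Hypothetical factory. ttlMs models the one-minute default cache described above.
function createCachedVerifier(
  fetchConfig: () => Promise<RadarConfig>,
  checkToken: (cfg: RadarConfig, token: string) => Promise<boolean>,
  now: () => number,
  ttlMs: number = 60 * 1000,
): (token: string) => Promise<boolean> {
  let cached: { cfg: RadarConfig; fetchedAt: number } | null = null;
  return async (token) => {
    if (cached === null || now() - cached.fetchedAt >= ttlMs) {
      try {
        cached = { cfg: await fetchConfig(), fetchedAt: now() };
      } catch {
        // Config endpoint unreachable: keep the stale copy if one exists.
      }
    }
    const entry = cached;
    if (entry === null) return false; // never had a config: fail closed
    return checkToken(entry.cfg, token);
  };
}

// Constructed rotation: the dashboard secret changes at t=10s and the (mock)
// provider stops accepting the old secret at the same moment.
async function rotationDemo(): Promise<boolean[]> {
  let clock = 0;
  let dashboardSecret = "old-secret"; // constructed values throughout
  let providerAccepts = "old-secret";
  const verify = createCachedVerifier(
    async () => ({ provider: "turnstile", secretKey: dashboardSecret }),
    async (cfg, token) => cfg.secretKey === providerAccepts && token === "human-token",
    () => clock,
  );
  const seen: boolean[] = [];
  seen.push(await verify("human-token")); // t=0s: config fetched, accepted
  clock = 10 * 1000;
  dashboardSecret = providerAccepts = "new-secret";
  clock = 30 * 1000;
  seen.push(await verify("human-token")); // t=30s: stale cached secret, rejected
  clock = 61 * 1000;
  seen.push(await verify("human-token")); // t=61s: cache expired, refetched, accepted
  return seen;
}
```

When rotating provider secrets, keeping the old secret valid at the provider until the cache window has passed avoids the rejected request in the middle step.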
Next Steps
- Bot Protection — Full API reference for @banata-auth/nextjs/bot-protection
- Settings — Project-level configuration
- Audit Logs — Track security events and suspicious activity