A JA4 fingerprint is a compact identifier derived from a client’s TLS handshake — the cipher suites, extensions, and ALPN values it offers in its ClientHello. Because the handshake is produced by the client’s TLS library rather than declared by the client, it reveals the actual software making the connection, no matter what the User-Agent header claims.

JA4 is the successor to JA3, with a more structured, harder-to-collide format.

What it’s used for

  • Unmasking spoofed clients — a Python script claiming to be Chrome still handshakes like a Python script.
  • Correlating actors across IPs — the fingerprint stays constant while a bot rotates addresses, making it a natural correlation key for a persistent actor identity.
  • Safe rate-limiting — a fingerprint can be throttled or challenged where blocking it outright would cause collateral.

The limitation that matters

Many real users share one JA4 — every copy of the same browser build looks alike. So a fingerprint identifies a population, not a person. WebDecoy uses JA4 as a correlation key and as one input in composite enforcement signatures, never as a bare block rule.

  • Web Bot Auth — cryptographic identity for bots that cooperate
  • Session Clearance — enforcement that avoids shared-fingerprint collateral entirely

Deep dive: JA4 Fingerprinting for AI Scrapers: A Practical Guide

Frequently Asked Questions

Can a bot spoof its JA4 fingerprint? +

It's much harder than spoofing a user agent. The fingerprint is derived from how the client's TLS library actually negotiates the connection, so changing it means changing or carefully impersonating the underlying TLS stack — possible for sophisticated actors, but far costlier than editing a header string.

Is a JA4 fingerprint unique to one user? +

No. Everyone running the same browser build on the same platform shares a JA4. That's why it's excellent for correlation and rate-limiting but should never be used as a bare block rule — blocking a shared fingerprint blocks innocent users who happen to share it.

See these concepts in action

WebDecoy puts deterministic detection and rotation-proof enforcement behind a 5-minute setup.

Start Free Trial