Overview
Toffee classifies every visitor as human, bot, or agent. It does this through two complementary systems:- Client-side heuristics — 6 detector categories run in the browser
- Server-side ML model — a SAINT classifier that runs on accumulated behavioral data when the session ends
Detectors
The SDK runs 6 categories of client-side checks:
Each detector contributes evidence that is combined using Bayesian fusion — a probabilistic method that produces a calibrated probability (0.0–1.0) rather than an arbitrary weighted score.
Progressive scoring
Detection isn’t a one-shot check. The SDK scores progressively as more signals become available:
Early phases catch obvious bots (headless browsers, known automation). Later phases catch sophisticated agents that mimic human behavior.
ML classification
When a session ends, the server extracts 4 behavioral features from the session’s event stream and runs them through a SAINT classifier. The model returns a 3-class classification — human, bot, or agent — with confidence probabilities for each class. This distinguishes traditional bots (scrapers, crawlers) from AI agents (Claude, ChatGPT, browser automation driven by LLMs). The ML classification is the final word when available — it has access to the full session of behavioral data, not just what was visible at any single point in time.Risk tiers
Every detection result includes ariskTier based on the probability: