Know which bots are authentic — and which are pretending
The user-agent is self-asserted text, and up to ~16.7% of traffic claiming to be a major crawler is spoofed. Lume verifies which bots, crawlers, and agents are cryptographically authentic, and surfaces everything unverifiable, so your team decides what to trust.
Sound familiar?
- Fake Googlebot from datacenter IPs is slipping past our rules.
- Stealth scrapers rotate through residential IPs and fake real browsers. There’s nothing honest to block.
- We need to know what’s authentic before we allow, challenge, or charge an agent.
- “Untrusted until proven,” but proving it per operator is its own project.
What Lume does for you
Verified vs. spoofed, per request
Web Bot Auth signatures, forward-confirmed reverse DNS, and published IP ranges give a verdict on every request against 7 major operators, so a spoofed “Googlebot” from the wrong network is flagged.
Surface the unverifiable
Everything that can’t be proven authentic is labeled exactly that, so nothing hides as “probably fine.” You see what’s real, what’s spoofed, and what’s simply unverifiable.
The evidence layer under your stack
Lume tells you the truth about each request; your WAF, CDN, or app acts on it: allow, challenge, rate-limit, or charge. It’s the identity layer, not another gate.
Ready for the agentic web
As AI agents act on behalf of users, know which requests are a person, a bot, or a user-delegated agent: the foundation for any allow / charge / block decision.
Fits your stack
Verify at the edge, from your logs, or in your own code with the Identification API.
Security FAQ
Do you block bad bots?
No. Lume verifies and surfaces; your WAF or CDN acts on the verdict. It’s the identity and evidence layer beneath your mitigation, not a mitigation tool itself.
Can you catch stealth scrapers on residential IPs?
Lume proves which agents are authentic and flags everything unverifiable, but it isn’t a full anti-scraping or fingerprinting tool. Use it to know what’s real; use your WAF to mitigate the rest.
How do you verify without storing IPs?
The IP is used at ingest to run the check, then truncated to a network prefix (/24 or /48) before anything is persisted. No full client IP is ever stored.
Which operators can you verify?
The 7 with published keys or IP ranges: Google, Microsoft (Bing), OpenAI, Anthropic, Perplexity, Amazon, and Apple. Everything else is honestly labeled unverified, never marked authentic.
Know what’s real before you act.
Free plan, one ingest token. Verify the agents you trust; surface the ones you can’t.
Start for free →