Journal
DevelopersJanuary 18, 20264 min read

Developer’s Guide: Integrating AdPurity’s Real-Time Verification API into Custom Lead Forms

A technical deep dive into using AdPurity's REST API to validate traffic at the moment of lead submission, ensuring only human data enters your database.

For developers building custom lead capture systems in 2026, the challenge isn't just data ingestion—it is data integrity. With the rise of Agentic AI, client-side validation (like regex or basic honeypots) is no longer sufficient. You need server-side verification that analyzes the request's fingerprint before the lead is committed to your CRM.

This guide covers the implementation of AdPurity’s Real-Time Verification API to create a "Veto-First" lead flow.


The "Veto-First" Architecture

The goal of this architecture is to prevent "Algorithm Poisoning." By verifying the lead's humanity before sending a success signal to your ad platform (Meta CAPI or Google Data Manager API), you ensure your machine learning models only optimize for real humans.

The Request Flow

  1. User Action: The user submits your custom HTML/React form.
  2. Intercept: Your backend captures the POST request along with the user's IP and Browser Headers.
  3. Verification: Your server makes a synchronous POST request to AdPurity’s /v1/verify endpoint.
  4. Logic Branch:
    • Status 200 (Human): Lead is saved to CRM; Conversion signal is sent to Meta/Google.
    • Status 403 (Bot/Risk): Lead is discarded or sent to a "Spam" queue; No conversion signal is sent.

API Implementation Example (Node.js/Express)

To use the API, you will need your X-API-KEY from the AdPurity Developer Dashboard.

const axios = require('axios');

async function handleLeadSubmission(req, res) {
    const leadData = req.body;
    
    // 1. Gather environmental signals for deep verification
    const verificationPayload = {
        ip_address: req.ip,
        user_agent: req.headers['user-agent'],
        site_url: "https://yourbrand.com/landing-page",
        form_id: "high_ticket_inquiry_01",
        // Pass optional TLS fingerprint if available from your edge provider
        tls_fingerprint: req.headers['x-tls-fingerprint'] 
    };

    try {
        // 2. Query AdPurity for a 'Humanity Score'
        const adPurityResponse = await axios.post('https://api.adpurity.com/v1/verify', verificationPayload, {
            headers: { 'X-API-KEY': process.env.ADPURITY_SECRET }
        });

        const { score, is_human, threat_type } = adPurityResponse.data;

        if (is_human && score > 0.85) {
            // 3. Process the legitimate lead
            await saveToCRM(leadData);
            await triggerMetaCAPI(leadData);
            return res.status(200).json({ status: 'success' });
        } else {
            // 4. Silently discard or flag the bot
            console.warn(`Blocked ${threat_type} from ${req.ip}`);
            return res.status(200).json({ status: 'success', note: 'Shadow-blocked' });
        }

    } catch (error) {
        // Fallback: If API is down, default to human to prevent lead loss
        await saveToCRM(leadData);
        res.status(200).send('Success');
    }
}

Advanced Integration: TLS Fingerprinting & JA3

In 2026, bot developers use residential proxies to hide their IP addresses. To combat this, AdPurity supports JA3 Fingerprinting.

If you are using Cloudflare, Akamai, or Vercel, you can pass the TLS handshake fingerprint to our API. Since bots often use older libraries (like Python’s Requests or cURL) with distinct handshake patterns, AdPurity can identify the bot even if its IP address is a "clean" residential one.

Security Note: Always perform this check server-side. Never expose your AdPurity API Key in client-side (frontend) code, as a sophisticated bot could simply spoof a "Human" response from the client.


Best Practices for 2026 Developer Workflows

  • Asynchronous Conversion Signals: Use a message queue (like RabbitMQ or AWS SQS) to handle the Meta CAPI and Google Data Manager API calls. This ensures your user doesn't experience "form lag" while your server waits for third-party responses.
  • The "Shadow Block" Technique: When the API identifies a bot, do not return an error code (403) to the user. This tells the bot developer they’ve been caught. Instead, return a 200 "Success" status but drop the data on the backend.
  • Rate Limiting at the Edge: Combine AdPurity with edge-level rate limiting. If a single IP hits your verification endpoint 50 times in 60 seconds, block it at the firewall before it even reaches your application logic.

Error Handling and Redundancy

We maintain 99.99% uptime, but your code should always account for the "API unreachable" scenario. We recommend a Fail-Open policy: if AdPurity cannot be reached, allow the lead through. It is better to deal with a rare piece of spam than to lose a $50,000 real estate inquiry.


Ready to Secure Your Custom Stack?

Building your own forms gives you total control over the user experience. Adding AdPurity gives you total control over the data quality.

Visit the API Documentation to view our full Swagger/OpenAPI spec, or Generate your API Key in the dashboard to start protecting your custom lead forms today.

Protect the traffic you pay for.

Put the tactics from this article into practice with AdPurity's fraud detection workflow.