NoBot ID doesn't guess. It stacks independent, hard-to-fake signals — each one designed to stop a specific kind of bot, fake, or replay. Here's exactly what every check does, and what it can't do. No hand-waving.
The check a bot can't pre-record.
At check time we generate a fresh, random sentence and ask the person to read it aloud. The recording is then analysed across three independent dimensions: (1) Transcript match — speech-to-text confirms the audio actually says that exact, just-generated sentence; (2) Voice authenticity — acoustic analysis looks for the tell-tale artefacts of synthetic or cloned speech: unnaturally even pacing, missing breaths, metallic or over-smooth timbre, clipping at word boundaries; (3) Liveness — it checks for the signs of a real, in-the-room recording (ambient noise, breaths, micro-pauses, natural prosody) versus clean playback. Each dimension returns a confidence score, the scores combine into the decision, and the audio is processed in the moment and never stored.
Stops: Replayed clips, text-to-speech, and voice-cloned deepfakes — none of them know the random sentence in advance.
A real person stood behind this.
Once the live voice check passes, the account is marked as a verified human. This is the single strongest positive signal in the Trust Score — it means a real, present person completed the check, not an automated sign-up.
Stops: Mass bot sign-ups and throwaway accounts created by scripts.
The hardest signal to fake at scale.
A valid payment card ties the account to a real person with a real bank relationship. We never see or show the card number, the amount, or any details — only that a genuine card is on file. It works as an anti-bot signal precisely because card networks are hard for bot farms to abuse en masse.
Stops: Bot farms and disposable accounts, which can't attach thousands of real cards.
Bound to a real device, not a password.
A passkey (WebAuthn) ties the identity to a physical device using the platform's secure hardware. There's no shared password to phish or leak, and the key can't be copied off the device.
Stops: Credential stuffing, phishing, and shared-login abuse.
Prove your pages are really yours — no OAuth.
We issue a token; you publish it on the page you want to prove — in a meta tag or anywhere in the body/bio. We fetch the page and look for the token. No OAuth, no API keys, no platform permissions. Each verified link adds to your score.
Stops: Impersonators claiming sites and profiles they don't control.
Time is hard to fake.
Established accounts earn a small, gradual boost — up to a cap over roughly a year. A long-standing account is simply less likely to be a freshly-spun-up bot.
Stops: Burner accounts created minutes before an attack.
Trust that doesn't go stale.
Verification isn't forever. If an account isn't re-confirmed within about 35 days, its freshness decays — so a badge always means "real, and still here," not "verified once, long ago."
Stops: Stale or hijacked accounts coasting on an old verification.
How the connection behaves — never who you are.
We look at the connection, not the person: is the traffic coming from a datacenter, VPN, or proxy (where bots live), and does the browser language match the connection's country? A high-risk connection caps an otherwise-clean check down to review. We use only a coarse country and a one-way hash of the IP — never the raw IP, never demographics.
Stops: Bot farms hiding behind hosting providers and VPNs.
The signals roll up into one Trust Score — and a server-side floor that can never be fooled by a high score alone. The outcome is one of three:
Strong human signal across the board, and the live sentence was clearly read. Safe to let through.
Looks human but something's soft — weak liveness, a partial read, or a risky connection. Worth a second look.
A clear bot, synthetic voice, replay, or a transcript that didn't match. Stopped outright.
Honest limit: no signal is perfect on its own, and a determined attacker can chip at any one of them. That's the whole point of stacking — to beat the stack, you'd have to beat a live voice check, a real card, a real device, and a clean connection at the same time. That's expensive enough to send bots looking for an easier target.
$19.95/month. Every signal above, working for you on every NoBot ID site.