Behavior Tracker Pixel

The Behavior Tracker is a lightweight script that analyzes browsing patterns to distinguish human visitors from AI agents and bots. It requires zero configuration and starts working immediately upon installation.

Installation

Add a single script tag to your website:

HTML 
<script 
  src="https://cdn.isnotai.com/api.js" 
  data-key="your-account-id">
</script>

Place this script in the <head> section of your HTML for best results:

HTML 
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>My Website</title>
    
    <!-- NotAI Behavior Tracker -->
    <script 
      src="https://cdn.isnotai.com/api.js" 
      data-key="your-account-id">
    </script>
</head>
<body>
    ...
</body>
</html>
That's it! The Behavior Tracker will automatically begin analyzing visitor behavior. View results in your NotAI Dashboard.

How It Works

The Behavior Tracker analyzes patterns that differ between humans and AI agents:

Human Behavior

  • Variable mouse movement speeds
  • Natural pause patterns while reading
  • Irregular scroll behavior
  • Mouse overshoots and corrections
  • Hesitation before clicks
  • Non-linear navigation paths

AI Agent Behavior

  • Unnaturally precise movements
  • Consistent timing between actions
  • Perfect scroll increments
  • Direct point-to-point navigation
  • Immediate, decisive clicks
  • Systematic page traversal

Configuration

While the pixel works with zero configuration, you can customize its behavior:

HTML 
<script 
  src="https://cdn.isnotai.com/api.js" 
  data-key="your-account-id"
  region="eu"
  data-sample="0.5"
  data-exclude="/admin/*,/internal/*"
  data-endpoint="https://telemetry.example.com">
</script>

Configuration Options

Attribute Default Description
data-key Required Your NotAI account ID
region us Data region: us or eu. Must match your account region (set at signup).
data-sample 1.0 Sampling rate (0.0 to 1.0)
data-exclude none URL patterns to exclude (comma-separated)
data-endpoint auto Custom telemetry endpoint URL (Pro & Enterprise). Defaults to your region's endpoint. See Custom Telemetry Endpoints.

What We Detect

The Behavior Tracker identifies various types of non-human activity:

AI Agents

  • LLM-powered browser automation
  • AI assistants navigating websites
  • Automated research tools
  • AI-driven form filling

Traditional Bots

  • Selenium/Playwright automation
  • Headless browsers
  • Scraping tools
  • Click fraud bots

Legitimate Automation

We distinguish between malicious bots and legitimate services:

  • Search engine crawlers (Googlebot, Bingbot)
  • Uptime monitoring services
  • Accessibility testing tools
  • Social media preview generators

Dashboard Integration

View detection results in your NotAI Dashboard:

Metrics Available

  • Total Sessions: All tracked visitor sessions
  • Human Verified: Sessions confirmed as human
  • AI Detected: Sessions flagged as AI agents
  • Bot Detected: Traditional automation detected
  • Suspicious: Unusual patterns requiring review

API Access

Query detection results programmatically:

cURL 
curl -X GET "https://<your-api-endpoint>/v1/pixel/sessions" \
  -H "Authorization: Bearer your-api-key" \
  -H "Content-Type: application/json"
# Your API endpoint is shown in your dashboard under Settings → API

Canvas LMS Integration

Detect AI agents accessing your Canvas LMS instance.

Installation via Canvas Theme

Add to your Canvas JavaScript theme file:

JavaScript 
// NotAI Pixel for Canvas LMS
(function() {
  const script = document.createElement('script');
  script.src = 'https://cdn.isnotai.com/api.js';
  script.setAttribute('data-key', 'your-account-id');
  document.head.appendChild(script);
})();

Use Cases

  • Detect AI agents completing quizzes
  • Monitor discussion board activity
  • Identify automated assignment access
  • Track unusual course navigation patterns

Privacy Considerations

What We Collect

  • Mouse movement patterns (not precise coordinates)
  • Click timing (not click targets)
  • Scroll behavior patterns
  • Page navigation timing
  • Browser characteristics (user agent, viewport)

What We DON'T Collect

  • Personal information
  • Form field contents
  • Passwords or sensitive data
  • Precise cursor positions
  • Screenshots or screen recordings
  • Keystroke content

Compliance

  • GDPR: EU data region available, no cookies used
  • CCPA: Behavioral data collected as a service provider; no direct identifiers
  • Cookie-Free: Uses localStorage for session management only—no cookies, no cross-site tracking
Privacy Notice: We recommend including NotAI in your privacy notice for full transparency with your users.

Self-Hosting & Custom Endpoints

Self-Hosting the Pixel Script (Pro & Enterprise)

On Pro and Enterprise plans, you can download a pre-configured pixel script from your dashboard under Settings → Downloads. Your account ID, data region (US or EU), and custom telemetry endpoint (if configured) are already embedded in the file — no data-* attributes required.

This is useful for:

  • Zero-config deployment — just include the script tag, everything is baked in
  • Avoiding Content Security Policy (CSP) changes — serve from an origin you already trust
  • Bundling with your existing scripts so it loads alongside your other assets
  • Serving scripts from your own domain for consistent Content Security Policy compliance

Host the downloaded file on your own domain or CDN and include it with a single script tag:

HTML 
<script src="https://your-cdn.example.com/scripts/notai.js"></script>
Tip: When you update your custom telemetry endpoint or other settings in the dashboard, download a fresh copy of the script to pick up the changes.

Custom Telemetry Endpoints (Pro & Enterprise)

By default, behavioral data is sent to the NotAI telemetry endpoint shown in your dashboard. On Pro and Enterprise plans, you can CNAME your own subdomain to this endpoint. This keeps all network traffic under your domain, which:

  • Eliminates CSP issues for the telemetry endpoint
  • Ensures reliable script delivery by serving from a trusted first-party origin
  • Appears as first-party traffic in network inspection tools

Set up a DNS CNAME record pointing your subdomain to the NotAI endpoint provided in your dashboard:

DNS 
telemetry.example.com  CNAME  <your-cname-target>  # shown in your dashboard

If you're using the self-hosted script (above), your custom endpoint is already embedded in the downloaded file — no additional configuration is needed.

If you're using the CDN version, add the data-endpoint attribute:

HTML 
<script 
  src="https://cdn.isnotai.com/api.js" 
  data-key="your-account-id"
  data-endpoint="https://telemetry.example.com">
</script>
Note: Custom telemetry endpoints require a valid TLS certificate on your subdomain. You will need to provision and configure a certificate (e.g. via your CDN, reverse proxy, or a service like Let's Encrypt) before traffic will flow over HTTPS.

Troubleshooting

Pixel not loading

  • Verify your account ID is correct
  • Ensure your domain is registered in the Allowed Hostnames list in your dashboard — requests from unregistered hostnames are rejected
  • Check browser console for errors
  • Ensure HTTPS is used in production
  • Check if ad blockers are blocking the script

No data in dashboard

  • Confirm the page's hostname matches one of your Allowed Hostnames in the dashboard (e.g. example.com) — traffic from unrecognized domains is filtered automatically
  • Wait 5-10 minutes for data to appear
  • Verify the page URL isn't in the exclude list
  • Check that sampling rate isn't set too low

False positives

  • Users with accessibility tools may trigger detection
  • Remote desktop users may show bot-like patterns
  • Adjust sensitivity in dashboard settings

Performance concerns

  • Script is <5KB gzipped
  • Async loading doesn't block page render
  • Data sent in batches to minimize requests
  • Use sampling for high-traffic sites
Need more help? Contact our support team at [email protected]