Skip to main content

Testing

Integration Test Flow

Follow these steps to test your Shield implementation:

  1. Understand what Integration pattern you will be using.
  2. Be clear who will be executing the JS API call and who will be executing the Block API call.
  3. Create a service in the Shield dashboard.
    • Set the Block API IP whitelist
    • Note the service ID.
    • Generate a staging key
  4. Program your service's landing page server to retrieve the JS snippet and embed it into the HTML page.
  5. Program your server to call the Block API after the user clicks a CTA.
    • Be sure you call the Block API from a whitelisted IP address
  6. Once you have built the back end processes above, open the landing page on your device.
    • Note Shield's uniqid. This can be found in the JS API response and inside the page HTML
    • Pay special attention to the common pitfalls below
  7. Click the CTA and examine the response the server gets from the Block API in step 5.
  8. Visit https://shield.monitoringservice.co/transaction/view/{UNIQUEID} to see Shield's detailed analysis.

Common Testing Pitfalls

Be aware of these patterns that will trigger blocks:

  • Localhost testing — Blocked due to IP anomaly detection
  • Desktop traffic is blocked by default. Unless you've explicitly enabled it, any subscription attempts from desktop will be blocked—even if you modify your user agent to appear mobile. Shield is designed to detect this type of suspicious spoofing pattern.
  • Autoclicking — Automated click patterns are detected and blocked
  • AJAX calls for the JS API — Not permitted; use the standard implementation
  • Remote desktop tools (TeamViewer, AnyDesk, etc.) — Detected as:
    • Failed interaction patterns
    • Programmatic clicks
  • Premature Block API calls — Only call the Block API on actual user interaction; don't call it immediately after the JS API loads
  • Other fraud vendors - There can be conflicts when multiple fraud vendors are implemented on the same landing page, sometimes causing false positives for programmatic clicks.
  • Block API IP whitelist - Make sure you are calling this API from an allowed IP.

Staging Keys

Staging keys are designed for testing purposes only:

  • Validity: 24 hours
  • Renewal: Generate a new key after expiration
  • Relaxed restrictions: Remote control tools (TeamViewer, AnyDesk) are permitted when using a staging key
staging key

Implementation Checklist

Before going live, ensure you've defined:

  • Which partner calls the JS API
  • Which partner calls the Block API
  • Block API is triggered only on genuine user interaction
  • Proper handling of both Block and Clear responses
  • You are observing Best Practices