plugin-icon

RealNode Anti-Scalper

Hardware-backed bot protection for WooCommerce. Stops scalper bots at checkout using FIDO2/WebAuthn — zero friction for real customers.
Version
1.1.1
Last updated
Jul 15, 2026

Every high-demand sale carries the same risk: automated scripts claim your inventory in seconds, real customers miss out, and your support team spends days handling frustrated buyers. RealNode eliminates that scenario at the source.

Instead of analyzing traffic patterns and making probabilistic guesses, RealNode asks a simple, unanswerable question to every purchase attempt: prove you are a human being, with a real device, right now. Automated scripts cannot answer that question. Real customers answer it in a single tap.

The result is a checkout experience that feels identical to your customers — and completely closed to bots.

How it works

When a customer clicks “Place Order”, RealNode requests a cryptographic signature from the secure hardware chip already built into their device: TouchID or FaceID on an iPhone or Mac, Windows Hello on a PC, or a connected security key like a Yubikey. That signature is unique to the physical hardware and mathematically impossible to replicate in software.

The signed proof is validated in under 200ms. If it passes, the order goes through. If it does not, the order is stopped — silently, with no impact on your genuine customers.

Three protection tiers

RN Insight — Passive audit

RN Insight runs entirely in the background. It analyzes traffic, classifies device environments (including headless browser frameworks such as Puppeteer or Playwright), and surfaces behavioral intelligence in your operator dashboard. No user is ever challenged or interrupted.

This tier is built for stores that want to understand the volume and nature of their automated traffic before committing to active enforcement. It is also the right choice when your users are high-trust and any checkout friction would be commercially unacceptable.

RN Sentinel — Adaptive protection

RN Sentinel adds a trigger layer on top of the same passive analysis. The SDK evaluates client-side kinetic micro-interaction signals locally at the edge (8–12Hz jitter analysis), looking for behavioral patterns consistent with automated scripts. When the behavioral score flags a session as suspicious, a biometric verification step is requested before the order proceeds.

Genuine customers complete the challenge in a single gesture — the same one they use to unlock their phone — and continue normally. Automated scripts, which lack a real user and a real hardware chip, cannot complete it.

The key distinction: RN Sentinel only challenges sessions that have been flagged. Clean sessions flow through without interruption. This keeps overall friction low while applying meaningful enforcement where it matters.

RN Vault — Zero-tolerance enforcement

RN Vault is designed for flash sales, exclusive drops, and any event where a single successful bot transaction represents an unacceptable outcome. Hardware attestation is required on every protected purchase, regardless of the behavioral score. No session skips verification.

Each attestation is cryptographically bound to a specific device’s hardware chip and scoped to your defined event. The system enforces per-user purchase quotas that are physically unbypassable — switching browsers, clearing cookies, or routing through a different IP does not change the hardware identity. One device equals one verified buyer.

Your customers see their remaining quota in real time on the checkout page. When the limit is reached, the plugin surfaces a quota extension request button rather than silently blocking.

Device management in My Account

On Sentinel and Vault plans, the plugin adds a security management panel directly inside the WooCommerce “My Account” area. Customers can:

  • View all hardware-attested devices linked to their identity
  • Block a device that has been stolen or compromised (global revocation in under 500ms)
  • Free a device before reselling it (removes their identity from the hardware signature)
  • Transfer their attested identity to another user
  • Restore access using an emergency recovery code if their device is unavailable
  • Request a rescue link by email if the recovery code is also lost

Built to keep your sales running

RealNode is designed as an additive security layer. If our infrastructure becomes unreachable for any reason, the plugin steps aside automatically and your checkout continues without interruption. Your revenue path has no dependency on our uptime.

For Vault-tier operators running zero-tolerance events, this default behavior can be inverted from the dashboard: the system pauses the purchase flow rather than opening it if the backend is unreachable. This is a deliberate, opt-in setting for situations where closing the flow is the safer business decision.

Privacy and GDPR

No biometric data is ever transmitted to RealNode. The biometric gesture (fingerprint, face scan) unlocks the device’s secure hardware chip locally and never leaves the device. What RealNode receives is a cryptographic signature — a mathematical output of the private key operation.

Users are identified exclusively through anonymized Hardware Identifiers (IDH): cryptographic hashes derived from device characteristics, with no personal data involved. Each IDH is scoped per site and per event, making cross-site correlation impossible by architecture rather than by policy.

Requirements

  • An active RealNode account at app.realnode.emkaylabs.tech
  • WooCommerce 6.0 or later
  • Modern browsers with WebAuthn support (Chrome 67+, Firefox 60+, Safari 14+)

For customers on devices without built-in biometrics: WebAuthn and FIDO2 allow cross-device authentication. A customer on an older desktop can complete verification by scanning a QR code with their smartphone. RN Insight and non-flagged Sentinel sessions never require this step at all.

External services

This plugin communicates with two RealNode endpoints operated by EMKAY LABS:

  1. RealNode SDK (api.emkaylabs.tech): Loads the client-side JavaScript SDK asynchronously on checkout and cart pages. Initiates the WebAuthn/FIDO2 challenge and computes the hardware identifier (IDH) locally on the device. Only the cryptographic signature and the anonymous IDH are transmitted — no biometric data, no personal identifiers.

  2. RealNode Backend API (rn-v3-elite.onrender.com): Receives the cryptographic token generated during checkout and validates it server-side. On Vault plans, it also enforces atomic purchase quotas per event per IDH using a distributed in-memory cache (≤2ms response time), backed by a Supabase persistence layer with row-level security.

Service page and legal information: realnode.emkaylabs.tech

Freeon paid plans
Tested up to
WordPress 7.0.1
This plugin is available for download for your site.