Pixel Install

The NotAI pixel is a single-script install that analyzes how visitors browse your site. It observes pointer motion, scroll rhythm, navigation paths, and other behavioral signals to distinguish humans from AI agents and bots. Drop the script on any website. No tuning required.

Overview

The pixel is a universal, site-agnostic verification layer. It installs on any HTML page, loads asynchronously, and reports behavioral signals to your NotAI dashboard during the session. There is no framework requirement, no runtime SDK to integrate, and no user-facing interaction.

Two install paths exist for text capture, and you should pick one or the other for any given page:

Pixel install (this page). Covers behavior tracking on every page by default. Text monitoring is an opt-in feature that runs inside the same pixel script. Recommended for Canvas LMS and any site that wants a single install for everything NotAI offers.
Standalone Text Monitor package. Installs as @isnotai/text-monitor on sites that do not run the pixel. Use this when you only need typing capture, or when the pixel is not an option.

Pick one path per page. Never run the pixel with text monitoring enabled and the standalone Text Monitor package on the same page. The capture runtimes are intentionally separate and should not be layered.

Install

Add a single script tag to every page you want to cover. Place it in the <head> so capture starts before the first paint.

HTML

<script
  src="https://cdn.isnotai.com/api.js"
  data-key="a7f3c2e1"
  async></script>

Replace a7f3c2e1 with the 8-character integration ID from your dashboard. That is all the pixel needs to begin reporting.

The integration ID is public by design: it identifies which account receives the session data. It does not authenticate the sender, and a leaked integration ID does not expose account data.

HTML

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>My Website</title>

    <!-- NotAI pixel -->
    <script
      src="https://cdn.isnotai.com/api.js"
      data-key="a7f3c2e1"
      async></script>
</head>
<body>
    ...
</body>
</html>

That is it. Open your NotAI Dashboard to see sessions appear as traffic hits the page.

How It Works

Once the script loads, it begins analyzing behavioral signals and reporting them to your dashboard. No cookies are set.

Human Signals

Variable pointer velocity and overshoot
Reading pauses inside text regions
Irregular scroll rhythm
Hesitation before consequential clicks
Non-linear path between elements

Agent Signals

Straight-line pointer trajectories
Uniform inter-event timing
Programmatic scroll increments
Immediate, confident clicks
Systematic, breadth-first traversal

Configuration

The pixel accepts two configuration surfaces: short data-* attributes for the common cases, and a data-config JSON payload for everything else. When both are present, individual attributes win on overlap and non-overlapping JSON keys merge in.

Attributes

Attribute	Default	Description
`data-key`	Required	Your 8-character integration ID.
`data-region`	`us`	Reporting region. Either `us` or `eu`. Must match the region configured for your account.
`data-text`	absent	Presence-only. When set, enables text monitoring in observe mode with the default editor allowlist. See Text Monitoring.

JSON Configuration

For anything beyond the attributes above, use data-config with a JSON payload:

HTML

<script
  src="https://cdn.isnotai.com/api.js"
  data-config='{"integrationId":"a7f3c2e1","mode":"monitor","sampleRate":0.5}'
  async></script>

Key	Default	Description
`integrationId`	Required	Your 8-character integration ID. Same value as `data-key`.
`region`	`us`	Same meaning as `data-region`. Individual attribute wins if both are present.
`sampleRate`	`1.0`	Value between 0.0 and 1.0. Use sparingly. Sampling hides sessions from detection entirely; it does not sub-sample a session.
`textMonitor`	`false`	Object or boolean. `true` is equivalent to `data-text`. Pass an object to customize. See Text Monitoring.

Self-hosted Script

Some customers need the pixel to be served from their own origin so it survives aggressive adblocker lists that target well-known third-party domains. For those cases we issue a pre-packaged api.js with your integration ID, region, and reporting endpoints baked in, which you host on a subdomain of your own site.

The setup is self-service from your dashboard:

In your dashboard, open Settings → Self-hosted Script. You will see the CNAME targets your package needs.
Create the CNAME records on your own subdomain (for example, verify.example.com). The dashboard verifies propagation once the records are live.
Download your packaged api.js. It is built with your integration ID, region, and CNAMEd reporting hosts baked in.
Host the file on your own CDN. Your install tag becomes a single script with no data-* attributes:

HTML

<script src="//your-cdn.example.com/notai.js" async></script>

When you need to change configuration, return to the dashboard and download a fresh package. There is no runtime config for the self-hosted build; everything lives in the file you host.

Regions

NotAI runs two independent regions. Your account is bound to one at signup. Use the install snippet that matches yours.

United States

HTML

<script
  src="https://cdn.isnotai.com/api.js"
  data-key="a7f3c2e1"
  async></script>

US is the default when data-region is omitted. Add data-region="us" if you want it explicit.

European Union

HTML

<script
  src="https://cdn.isnotai.com/api.js"
  data-key="a7f3c2e1"
  data-region="eu"
  async></script>

The script host is the same in both regions. Only the reporting endpoint differs. See Content Security Policy for the exact hosts your CSP must permit.

Text Monitoring

The pixel can also capture typing behavior inside editors on your page. This is opt-in. Until you enable it, the pixel is behavior-only.

Enable via attribute

HTML

<script
  src="https://cdn.isnotai.com/api.js"
  data-key="a7f3c2e1"
  data-text
  async></script>

The presence of data-text attaches the text monitor in observe mode and applies the default editor allowlist.

Enable via JSON

HTML

<script
  src="https://cdn.isnotai.com/api.js"
  data-config='{"integrationId":"a7f3c2e1","textMonitor":{"enabled":true,"extraSelectors":["#essay",".draft"]}}'
  async></script>

Use the JSON form when you need to pass extraSelectors for custom editor surfaces that are not on the default allowlist.

When to use the standalone package instead

The pixel-bundled text monitor is the right choice when the pixel is already installed. If your site does not run the pixel, use the standalone Text Monitor package instead. Do not combine the two on the same page.

Detection & Dashboard

Sessions show up in your dashboard within seconds of the first signal batch. Each session surfaces a verdict and the evidence behind it.

Verdicts you will see

Clean. Signals consistent with human browsing.
Bot. Automation, including LLM-driven browser agents, conventional headless browsers, and scrapers.
Suspicious. Mixed or ambiguous signals. Review in the dashboard.

Who we distinguish from bots

Search engine crawlers (Googlebot, Bingbot)
Uptime monitors
Accessibility testing tools
Social preview generators

Programmatic access

Session data is available in your dashboard and via the public retrieval API, documented at /developers.

Canvas LMS

Canvas LMS is one of the install surfaces the pixel supports. Canvas Theme Editor uploads are JavaScript files rather than HTML, so the pixel attaches via a small DOM-injection snippet instead of a <script> tag. Uploaded once in your Canvas theme, the snippet covers every page in your instance including assignments, discussions, quizzes, and SpeedGrader.

See the Canvas LMS guide for the full install and Canvas-specific troubleshooting.

Content Security Policy

If your site sets a Content Security Policy, the pixel needs the script host and the reporting endpoint for your region.

United States

Header

Content-Security-Policy:
  script-src 'self' https://cdn.isnotai.com;
  connect-src 'self' https://chl.isnot.ai wss://chl.isnot.ai;

European Union

Header

Content-Security-Policy:
  script-src 'self' https://cdn.isnotai.com;
  connect-src 'self' https://chl-eu.isnot.ai wss://chl-eu.isnot.ai;

Only the reporting host differs between regions. Both regions use the same script host.

Privacy

What the pixel collects

Pointer motion features (velocity, direction changes)
Click timing relative to page events
Scroll cadence
Navigation timing between pages
Coarse browser characteristics (user agent, viewport)

What the pixel does not collect

Form field contents
Passwords or credentials
Personally identifying information
Screenshots or screen recordings
Keystroke content outside of the opt-in text monitor

When text monitoring is enabled, the pixel captures typing events inside the allowed editors. See the privacy notice for the full disclosure.

Cookies

The pixel does not set cookies. Session identifiers are held in memory for the lifetime of the page. Disclose the pixel in your own privacy notice so visitors know it is running.

Troubleshooting

Pixel not loading

Confirm data-key matches the integration ID from your dashboard exactly.
Confirm the page's origin is on the authorized origins list for your integration. Requests from origins outside the list are rejected. Add origins from Settings → Authorized Origins in your dashboard.
Check the browser console for CSP violations.
Verify the page is served over HTTPS in production.

Pixel loads but no sessions appear

Confirm data-region matches the region configured for your account.
If you set a sample rate, confirm it is high enough that sessions are not being dropped on the client.
Confirm the dashboard is filtered to the correct integration.

False positives

Users with assistive technology can show patterns that overlap with automation.
Remote desktop sessions can surface bot-like pointer traces.
Review ambiguous sessions in the dashboard before taking action.

Performance

The script loads asynchronously and does not block the first paint.
Use sampling on high-volume pages only if necessary.