PHP integration

Quickstart — 20-line drop-in

Create zerobot.php next to your site entry point, then require it at the top of every page you want protected (or at the top of your front controller).

<?php
// zerobot.php — drop-in bot screening
const ZEROBOT_LICENSE = 'YOUR_LICENSE_KEY';
const ZEROBOT_DOMAIN  = 'yoursite.com';

$ip  = $_SERVER['HTTP_CF_CONNECTING_IP'] ?? $_SERVER['REMOTE_ADDR'] ?? '';
$ua  = $_SERVER['HTTP_USER_AGENT'] ?? '';
$url = 'https://api.zerobot.info/v3/openapi?' . http_build_query([
    'license'   => ZEROBOT_LICENSE,
    'ip'        => $ip,
    'domain'    => ZEROBOT_DOMAIN,
    'useragent' => $ua,
]);

$ch  = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 5,
]);
$res = curl_exec($ch);
curl_close($ch);

$data = json_decode($res, true);
if (is_array($data) && !empty($data['is_bot'])) {
    http_response_code(403);
    exit('Blocked: ' . ($data['reason'] ?? 'bot'));
}
// Fall through = visitor is human. Render your page normally.

Fail-open behavior: if the API times out or returns nothing, $data['is_bot'] is null and the request passes through. Your site never breaks because of a network blip.

Laravel middleware

Create app/Http/Middleware/ZeroBot.php:

<?php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;

class ZeroBot
{
    public function handle(Request $request, Closure $next)
    {
        $res = Http::timeout(5)->get('https://api.zerobot.info/v3/openapi', [
            'license'   => config('services.zerobot.key'),
            'ip'        => $request->ip(),
            'domain'    => $request->getHost(),
            'useragent' => $request->userAgent() ?? '',
        ]);

        if ($res->ok() && $res->json('is_bot')) {
            abort(403, $res->json('reason', 'bot'));
        }
        return $next($request);
    }
}

Register in app/Http/Kernel.php under $middleware for all routes, or $middlewareGroups['web'] for web only.

Response shape

Every /v3/openapi call returns the same JSON structure:

{
  "username":     "encrypted",
  "is_bot":       true,
  "reason":       "DATACENTER",
  "risk_score":   60,
  "country_code": "us",
  "country_name": "United States",
  "asn":          "AS15169",
  "isp":          "Google LLC",
  "hostname":     "dns.google",
  "tor":          false,
  "vpn":          false,
  "datacenter":   true,
  "left":         471,   // license days remaining
  "plan":         "ISP"
}

Best practices

• Cache per-IP. Store the verdict in APCu / Redis for 5-60 minutes to avoid hitting the API on every pageview by the same visitor.
• Skip admin paths. Don't screen wp-admin, /admin, /api/webhooks, etc. — check $_SERVER['REQUEST_URI'] before the API call.
• Honor Cloudflare IPs. If your site is behind CF, read HTTP_CF_CONNECTING_IP — REMOTE_ADDR is the CF edge, not the visitor.
• Fail open on timeout. Never let a ZeroBot outage take your site down. Wrap the API call in try/catch and default to is_bot=false.