Checkout protection that actually works.
Most bot blockers guard your storefront. Modern bots skip it entirely and hit checkout directly. Storefront Sentry enforces protection where it counts, at the checkout layer, using Shopify-native technology that can't be bypassed from the outside.
The Problem with Storefront-Level Blocking
Traditional bot blockers (IP blocking, VPN detection, geo-fencing) all operate at the same layer: your storefront. Block a suspicious IP and the bot can't browse your products. The problem is that modern bots don't need to browse your products.
A residential VPN costs $5–15/month and provides unlimited clean IP addresses that pass every IP-based check. Bypassing storefront protection has become trivial for anyone motivated to do it. The attack surface they actually care about, checkout, is left wide open.
Where the gap shows up
| Attack | Traditional blocker | Storefront Sentry |
|---|---|---|
| Bot with residential VPN hits checkout API directly | ✗ Bypassed. Never touches the storefront; clean IP passes all checks | ✓ Blocked. No valid storefront token; checkout attempt fails instantly |
| Scalper bots buy entire limited-edition drop in seconds | ✗ Bypassed. Bots skip browsing entirely and POST directly to checkout API | ✓ Blocked. Checkout requires a token from storefront interaction; bots have none |
| Card testing with rotating residential IPs | ✗ Bypassed. Each test looks like a unique legitimate customer | ✓ Blocked. Every checkout requires a unique, time-limited session token |
| Headless scripts creating fake checkout sessions | ✗ Bypassed. Scripts mimic valid browser headers; nothing to block | ✓ Blocked. Token requires actual storefront interaction with cryptographic proof |
How It Works
Storefront Sentry enforces a simple rule: no checkout without proof of storefront browsing. A real shopper who views your products earns a cryptographic token automatically and invisibly. When they reach checkout, that token is validated by a Shopify Function running server-side. No token, no checkout.
Why Shopify Functions matter: Unlike storefront-layer defenses, Shopify Functions run on Shopify's servers, not in a browser a bot can manipulate. There's nothing client-side to reverse-engineer or disable.
About the token
The session token is ECDSA-signed, expires after one hour, and is cryptographically bound to the specific cart and shop. It can't be forged, stolen and reused elsewhere, or transferred between sessions. A bot that somehow obtained a token from a real browser session still couldn't use it: the binding would fail.
Features
Four independent protections you can enable in any combination. Each solves a distinct problem and can be toggled on or off instantly without touching your theme.
Start here. Enable this first: it's the foundation everything else builds on. Especially effective for limited-release drops, sneaker releases, and high-demand product launches.
Leave this on. Disabling it can cause Google to stop indexing your products, break social sharing previews, and disrupt ad and email integrations. There's almost no reason to ever turn it off. If you think you need to, contact support first.
Setup
Most stores are fully protected in under 10 minutes. No code to write, no developer required.
Theme compatibility
Storefront Sentry works with any Shopify theme that supports App Embeds: all themes released after 2021 and most paid themes. Quick check: Online Store → Themes → Customize. If you see an "App embeds" tab in the left panel, you're compatible. If not, reach out and we'll sort it out.
Recommended rollout for high-volume stores
If you're processing hundreds of orders a day, enable Checkout Protection first and monitor for a day or two before layering in VPN blocking. Watch the dashboard between each step: any unexpected blocks are visible immediately and can be reversed instantly.
Troubleshooting: If you turn on a protection and your own test checkout fails, check that the app embed is enabled in your live theme (not a draft). The embed must be active for tokens to be issued to real shoppers.
Why It Works Against Modern Attacks
Most bot protection relies on signals attackers have already learned to fake: user agent strings, browser fingerprints, even JavaScript challenges. Here's what makes Storefront Sentry harder to defeat.
What the token enforces
- → ECDSA signature: can't be forged without the private key
- → 1-hour TTL: expired tokens are rejected; no stockpiling
- → Cart binding: token is tied to the specific cart, not reusable
- → Shop binding: tokens issued on one store can't work on another
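The four checks listed above, shown as an added example that is not Storefront Sentry's own code. The token layout (base64url JSON payload plus signature), the field names, the P-256 curve and the shop and cart values are assumptions; the page specifies only ECDSA signing, a 1-hour TTL, and cart and shop binding.

```javascript
// Added example. Token layout, field names and curve are assumptions,
// not the vendor's actual format.
const crypto = require('node:crypto');

const TTL_SECONDS = 3600; // 1-hour TTL, as the page states
// Constructed demo key pair; a real issuer keeps the private key server-side.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const b64u = (data) => Buffer.from(data).toString('base64url');

// Hypothetical issuer: signs a payload naming one shop and one cart.
function issueToken(shop, cartId, nowSec, key = privateKey) {
  const payload = b64u(JSON.stringify({ shop, cart: cartId, iat: nowSec }));
  const sig = crypto.sign('sha256', Buffer.from(payload), key);
  return `${payload}.${b64u(sig)}`;
}

// Hypothetical verifier: signature first, then TTL, then shop and cart binding.
// Claims are parsed only after the signature over the payload has verified.
function verifyToken(token, shop, cartId, nowSec, key = publicKey) {
  if (typeof token !== 'string') return { ok: false, reason: 'missing' };
  const parts = token.split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [payload, sig] = parts;
  let valid = false;
  try {
    valid = crypto.verify('sha256', Buffer.from(payload), key, Buffer.from(sig, 'base64url'));
  } catch {
    valid = false; // an undecodable signature is treated as invalid
  }
  if (!valid) return { ok: false, reason: 'bad-signature' };
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  const age = nowSec - claims.iat;
  if (!Number.isInteger(claims.iat) || age < 0) return { ok: false, reason: 'malformed' };
  if (age >= TTL_SECONDS) return { ok: false, reason: 'expired' };
  if (claims.shop !== shop) return { ok: false, reason: 'wrong-shop' };
  if (claims.cart !== cartId) return { ok: false, reason: 'wrong-cart' };
  return { ok: true, reason: 'ok' };
}
```

The verifier takes the expected shop and cart from the checkout being validated, never from the token, which is what makes a token lifted from another session fail the binding checks.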
What the Shopify Function enforces
- → Runs on Shopify's servers, not the browser
- → Intercepts all checkout attempts, including direct API calls
- → Blocks before any order record is ever created
- → VPN and geo checks happen at the edge, sub-50ms
VPN-agnostic protection: A residential VPN gives attackers a clean-looking IP. It does not give them a valid session token. Storefront Sentry doesn't care what IP they're using, only whether they have cryptographic proof of real storefront browsing.
Performance
Privacy
We collect only what's required to run the protections: IP location at country/region level, VPN/proxy classification flags, session signals for bot detection, and checkout attempt logs for your dashboard. No names, payment details, browsing history, or cross-site tracking. GDPR and CCPA compliant. Full details in our Privacy Policy.
Common Questions
No. The app embed is under 5KB and loads asynchronously; it doesn't block page rendering. Verification only runs when a customer clicks checkout, not while they browse. Shopify's speed tests don't flag the embed as a performance issue. Most stores see no measurable difference before and after installation.
It's uncommon, but it can happen, most often with VPN blocking for customers on corporate or personal VPNs. Best practice: enable protections one at a time and monitor your dashboard for the first few days. Any unexpected blocks are visible immediately and you can adjust or disable a protection instantly.
For VPN-related blocks, a short line in your FAQ ("Having trouble checking out? Try disabling your VPN") resolves the vast majority of cases without any support back-and-forth.
Yes, for any modern Shopify theme with App Embed support: that's all Shopify-built themes and most paid themes released after 2021. Quick check: Online Store → Themes → Customize. If you see an "App embeds" tab in the left panel, you're good. If not, contact support and we'll help you find the right path forward.
Nothing at all. No CAPTCHAs, no challenges, no friction. Storefront Sentry works silently in the background. The only exception: customers will need to disable their VPN to check out if you have VPN blocking enabled; this is shown clearly in the block message they see.
Under 10 minutes for most stores: install the app (~2 min), enable the theme embed (~3 min), turn on Checkout Protection and test (~5 min). For high-volume stores doing a careful rollout, plan for a few days of gradual enablement: one protection at a time with monitoring between each step.
Only what's needed to run the protections: session signals to distinguish humans from bots, IP location at country/region level, VPN/proxy classification flags, and checkout attempt logs for your dashboard. No names, emails, payment details, or browsing history. See our Privacy Policy for full details.
Settings → Apps and sales channels → Storefront Sentry → Remove. The app automatically cleans up its theme embed code on uninstall; no manual work needed. To pause without uninstalling, just disable the app embed in your theme customizer. All protections stop immediately.
Email baystacks@proton.me; typical response within 24 hours. In-app tooltips and guidance are built directly into the dashboard for common questions.
Not sure where to start?
Tell us about your store and we'll recommend the right protections for your products, traffic, and audience.