nTrackr User Guide

Introduction & Overview

Learn what nTrackr is and its core capabilities

nTrackr What is it?

nTrackr is a comprehensive analysis and tracking platform for websites and mobile applications. It provides advanced tools to understand visitor behavior, increase conversion rates, and improve user experience.

Core Features

Real-time visitor tracking

Detailed analytics & reporting

Event-based tracking

Form analytics & heatmaps

Session replay

Rule-based automatic actions

Webhook integration

Blacklist management

Use Cases

nTrackr can be used across a wide range of platforms — from e-commerce sites to corporate websites, from blogs to mobile apps. It's ideal for anyone who wants to understand visitor behavior and take action accordingly.

Domain Management

Add and manage your domains

Adding & Managing Domains

You can add domains you want to track in nTrackr and manage your existing domain settings.

1 Click the "Add New Domain" button

2 Enter your domain information

3 Save your changes

Tracking Setup

Install the tracking code on your website

Step 1: Get Tracking Code

To integrate nTrackr with your website, first get the tracking code. You can find this code on the domain settings page.

<script src="https://cdn.ntrackr.com/js/ntrackr.js" defer></script>

Step 2: Add Tracking Code

Add the tracking code to all pages of your website. This is typically placed between the <head> tags.

Manual HTML editor

CMS plugins or modules

Server-side integrations

Step 3: Verification

After adding the tracking code, verify your setup from the nTrackr dashboard.

1 Log in to the nTrackr dashboard

2 Select the relevant domain

3 Check real-time visitor data

API Security

Origin validation, rate limiting & HMAC signing

nTrackr protects your tracking data with multiple security layers. Regular tracking (page views, events, clicks) works automatically without any configuration. The identify command requires an additional HMAC signature generated from your backend to prevent unauthorized user identity manipulation.

Origin Validation

Every API request is validated against the registered domain. The Origin or Referer header must match the domain configured in your nTrackr dashboard. Cross-origin abuse is automatically blocked.

Rate Limiting

API requests are rate-limited per IP address: 120 requests/minute for general tracking and 10 requests/minute for identify calls. This prevents abuse and ensures service stability.

HMAC Signature

The identify command requires a server-side HMAC-SHA256 signature. Your backend generates it using the user ID and your API Secret. This ensures only your server can authorize identity calls.

Setting Up HMAC for Identify

Follow these three steps to secure your identify calls with HMAC verification:

Step 1: Get your API Secret

Find your API Secret in the domain settings page of your nTrackr dashboard. Keep this secret safe — never expose it in client-side code.

Step 2: Generate HMAC on your backend

// PHP
$hmac = hash_hmac('sha256', $userId, $apiSecret);

// Node.js
const crypto = require('crypto');
const hmac = crypto.createHmac('sha256', apiSecret)
                   .update(userId).digest('hex');

// Python
import hmac, hashlib
signature = hmac.new(
    api_secret.encode(), user_id.encode(),
    hashlib.sha256
).hexdigest()

Step 3: Pass the HMAC to the frontend

ntrack('identify', {
  userId: 'usr_12345',
  hmac: hmacFromBackend,  // Generated by your backend
  email: '[email protected]',
  name: 'John Doe'
});

How It Works

The SDK automatically sends the hmac value as an X-NTrack-Signature header. The server looks up your domain's API Secret, computes the expected HMAC using the userId, and validates the signature. If the signature doesn't match, the request is rejected with a 403 error.

Important

Never expose your API Secret in client-side JavaScript. The HMAC must always be generated on your backend server. If you suspect your secret has been compromised, rotate it immediately from the domain settings page.

Visitor Analytics

Understand your visitors and assess risks

Visitor List & Filtering

nTrackr deeply analyzes every visitor to your site, helping you understand not only who they are but also how trustworthy they are.

View Metrics: Track total, active, suspicious, and blocked visitor counts in real-time.

Advanced Filtering: Filter by date range, status (safe, suspicious, blocked), country, device type, IP address, or user ID.

Smart Sorting: Sort by latest activity, highest risk score, or most sessions to quickly reach important profiles.

Deep Risk Analysis

IP Security Analysis

Detects VPN, Proxy, Tor usage and hosting IPs. Analyzes geographic location, country, city, and ISP information. Anonymous connections indicate higher risk levels.

Anonymity Detection: Determines whether the visitor is using a VPN, Proxy, or Tor network — connections commonly used for identity concealment.

Hosting Detection: Identifies whether the IP belongs to a data center (hosting) or a regular home/business internet. Hosting IPs are often associated with bot activity.

Geographic Location: Displays the visitor's country, city, and Internet Service Provider (ISP) information.

Device & Browser Analysis

Browser fingerprinting with dozens of parameters, consistency scoring across sessions, and detection of advanced masking techniques like WebRTC leaks and Canvas fingerprinting.

Device Fingerprinting: Combines browser type, version, OS, screen resolution, installed fonts, and dozens of other parameters to create a unique "fingerprint" that helps identify the visitor even with different IPs.

Consistency Score: Measures how consistent the visitor's device information is across sessions. Frequently changing fingerprint data may indicate fraud attempts.

Technical Analyses: Checks whether advanced browser masking techniques like WebRTC leaks and Canvas fingerprinting are being used.

Behavioral Analysis

Analyzes mouse movements, clicks, scroll depth, and interaction patterns. Detects abnormally fast form filling, unusual navigation paths, and bot-like behavior.

Interaction Score: Analyzes mouse movements, clicks, and scroll depth to measure how "engaged" the visitor is.

Anomaly Score: Compares visitor behavior against typical user patterns. Very fast form filling, abnormal navigation paths increase the anomaly score and strengthen bot suspicion.

Session Metrics: Average session duration, bounce rate, pages per session — providing insight into the visitor's overall behavior profile.

Scenario: Evaluating a High-Risk E-Commerce Order

You received a high-value order but the system flagged it with a Risk Score of 85.

1 Open Risk Analysis: Go to the visitor's detail page and select the "Risk Analysis" tab.

2 Check IP Analysis: The visitor is using a VPN and their geographic location differs from the shipping address country. This is the first red flag.

3 Review Device Analysis: The browser language differs from both the IP location and shipping address. The Consistency Score is low, indicating different device info in past sessions.

4 Examine Behavioral Analysis: The visitor came directly, added the most expensive product to cart without any research, and filled payment info in an inhuman 15 seconds. High Anomaly Score.

5 Decision: Based on this data, the order is highly likely a fraud attempt with a stolen credit card. Cancel the order and block the visitor.

Bonus: Detecting Ad Fraud & Getting Refunds

If a visitor from Google or Facebook ads (identified by gclid or utm_source parameters) has a high risk score, bot-like behavior (instant bounce, zero interaction), and a data center IP — this is strong evidence of a fake click. Use the risk analysis reports and session recordings as evidence to claim refunds for invalid click costs from ad platforms. This is one of the most concrete examples of how nTrackr can directly increase your marketing ROI.

Session Replay & Heatmaps

Watch session replays and analyze heatmaps

Session Replay

Session replay allows you to watch your visitors' behavior in a video-like format. It records mouse movements, clicks, scrolling, and form interactions, giving you first-hand observation of user experience.

Scenario: Understanding Why a User Didn't Complete the Order

1 Access the Visitors list: Select the relevant domain from your dashboard and go to the "Visitors" tab.

2 Filter & Sort: Use filters to find high-risk visitors or those with multiple sessions — sort by "Risk Score" or "Most Sessions".

3 Examine Visitor Details: Click on a visitor to view their detail page with general info, risk score, and past sessions.

4 Session List: Go to the "Sessions" tab. See duration, pages visited, and interaction count for each session.

5 Start Replay: Click the play icon (View Session Replay) on the right side of the session you want to examine.

6 Analyze: Watch all movements in the modal — which pages they visited, which products they viewed, how they filled forms, and where they left. This may reveal a checkout error, confusing UI element, or technical issue.

Heatmaps

Click Maps

Shows where users click most. Red areas are most clicked, blue areas least clicked.

Move Maps

Shows where users hover their mouse. Helps understand attention areas that catch the eye but aren't clicked.

Scroll Maps

Shows how far users scroll down the page. Helps determine where to place your most important content.

Scenario: Homepage Optimization

You think your "Get Started" button isn't getting enough clicks.

1 Create a heatmap for your homepage from the "Heatmaps" section in your dashboard.

2 The click map may show users are actually clicking on another less prominent link or image instead of the "Get Started" button. Perhaps the button's color, position, or text isn't eye-catching enough.

3 The scroll map may reveal that most visitors don't scroll down to where the button is. You may need to move it higher.

4 After moving the button and changing its color, create a new heatmap to test how effective your changes were.

Form Analytics

Track and optimize form interactions

Forms are one of the most important ways to interact with users and collect data. nTrackr's Form Analytics lets you track in detail how visitors interact with your forms. This helps you optimize forms, increase conversion rates, and improve user experience.

Understanding Form Interaction Data

Timestamp: Shows exactly when each interaction occurred.

Interaction Type: Change (field value modified) or Submit (form submitted). These two interaction types let you understand every step of the user's form journey.

Form Identifier: Indicates which form the interaction occurred on (e.g., contact-form, newsletter-signup). This lets you distinguish between multiple forms on your site.

Element Details: Shows which form element (e.g., email, password) and its type (text, email, etc.).

Scenario: Why Users Abandon the Registration Form

You noticed users start filling out the registration form but don't complete it.

1 Filter Interactions: Examine the "Forms" tab of several visitors who abandoned the form.

2 Analyze Interaction Sequence: Track visitors' Change interactions. You may notice many users fill "Username" and "Email" but stop at "Phone Number" — no Submit interaction follows.

3 Develop Hypothesis: This observation suggests the mandatory phone number field is a barrier — users may not want to share this information.

4 Apply Solution: Make the phone number field optional or add help text explaining why it's needed. Then re-measure the impact on form completion rates with Form Analytics.

Form Analytics clearly reveals which steps users struggle with, which fields are confusing, and overall form performance with concrete data. This data is invaluable for improving UX and increasing conversions.

Rules & Actions

Automate actions based on visitor behavior

Rules & Actions let you create automated workflows triggered by visitor behavior. Configure conditions and actions to respond to events in real-time. Each rule can have multiple condition groups (OR logic between groups, AND logic within groups) and multiple ordered actions.

How to Create a Rule

1 Navigate to your domain and click "Rules & Actions" from the sidebar.

2 Click "Create Rule" and give it a name, description, and priority.

3 Add condition groups — conditions within a group are combined with AND, groups are combined with OR.

4 Add actions — they execute in order when conditions match. Each action has a type and value.

5 Activate the rule and save. It will be evaluated in real-time for every visitor.

Use these attributes in your rule conditions to target specific visitors:

Page & URL

landing_page Landing Page URL

current_url Current Page URL

referrer Referrer URL

Visitor Profile

country customer.attr_country

city customer.attr_city

browser_language Browser Language

Behavior & Analytics

visit_count Total Visit Count

session_count Total Session Count

page_view_count Page Views (Current Session)

time_on_page Time on Page (seconds)

risk_score Risk Score

trust_score Trust Score

Device & Network

device_type customer.attr_device_type

browser customer.attr_browser

os customer.attr_os

is_bot customer.attr_is_bot

connection_type Connection Type

Identification

is_identified Is Identified

identified_user_id Identified User ID

identified_email Identified Email

Scenario

Show a feedback form to visitors who stay on your cart page for too long, collect abandonment reasons, and tag them for retargeting.

Available Conditions

landing_page contains /cart AND time_on_page > 30

Available Actions

1 show_message — Display a feedback form asking why they haven't completed the purchase.

2 add_tag — Tag them as "cart_abandoner" for future campaigns.

Combine with a send_webhook action to push abandonment data into your CRM or email platform for automated follow-up.

Target repeat visitors browsing specific product categories with personalized on-site promotions and notify your CRM.

Available Conditions

landing_page contains /electronics AND visit_count >= 3

Available Actions

1 show_message — Display a personalized "10% off electronics" banner.

2 send_webhook — Notify your CRM/email system about this high-intent visitor.

3 add_tag — Tag as "electronics_interested" for future campaigns.

Change the landing_page condition to target any category. Use different tags per category to build granular visitor segments.

Automatically detect and block visitors with abnormal browsing patterns that indicate bot or scraping activity.

Available Conditions

page_view_count > 100 AND browser_language != tr

Available Actions

1 block — Immediately block the visitor.

2 add_tag — Tag as "suspicious_blocked" for reporting.

3 send_webhook — Send an alert to your admin notification endpoint.

Add risk_score > 60 as an additional condition for more accurate detection. Review blocked visitors periodically to avoid false positives.

Show a retention modal with a discount code to visitors who have been on the cart page long enough, encouraging them to complete their purchase.

Available Conditions

landing_page contains /cart AND time_on_page > 15 AND not_has_tag = exit_intent_shown

Available Actions

1 show_message — Display a modal: "Don't leave! Use code STAY10 for 10% off"

2 add_tag — Tag as "exit_intent_shown" so it's only displayed once.

The not_has_tag condition prevents the modal from showing repeatedly. Use different discount codes per campaign and track their effectiveness via webhooks.

Request phone numbers from engaged potential customers who have been tagged but haven't left their contact info yet.

Available Conditions

has_tag = potansiyel_musteri AND visit_count >= 5 AND not_has_tag = telefon_birakti

Available Actions

1 show_message — Display a phone number request modal with a special offer.

2 add_tag — Add "telefon_birakti" tag after interaction.

3 send_webhook — Send the lead data to your CRM endpoint.

First tag visitors as "potansiyel_musteri" using another rule (e.g., visit_count >= 3 on product pages). This creates a multi-step funnel.

Detect bot traffic from paid ad campaigns to protect your advertising budget and collect evidence for refund claims.

Available Conditions

landing_page contains utm_source AND risk_score > 70 AND connection_type = hosting

Available Actions

1 add_tag — Tag as "fake_ad_click" for evidence collection.

2 send_webhook — Send fraud alert to your monitoring system.

3 block — Optionally block the visitor.

Export tagged visitors as evidence when filing invalid click refund claims with Google Ads or Facebook Ads. The risk_score condition filters out sophisticated bots.

Offer personalized first-purchase discounts to loyal visitors who keep coming back but haven't converted yet.

Available Conditions

has_tag = sadik_ziyaretci AND session_count >= 3 AND landing_page contains /cart AND not_has_tag = indirim_teklifi_gordu

Available Actions

1 show_message — "Thanks for your interest! 15% off your first purchase: WELCOME15"

2 add_tag — Add "indirim_teklifi_gordu" so the offer is shown only once.

Create a tagging rule first: visitors with session_count >= 5 on product pages get tagged as "sadik_ziyaretci". This creates a loyalty pipeline.

Webhook Management

Integrate with third-party services

What are Webhooks?

Webhooks automatically send instant notifications (HTTP POST requests) to your specified URL when certain events occur in nTrackr. This lets you integrate nTrackr with your other applications and automate your workflows.

Viewing Webhooks

View all your created webhooks in a table on the Webhook Management page. The table shows each webhook's name, target URL, trigger events, and active/inactive status. You can edit or delete any webhook from this table.

Creating a New Webhook

Webhook Name: A friendly name to easily identify your webhook (e.g., "Slack Notifications").

Webhook URL: The target URL where nTrackr will send notifications.

Trigger Events: Select which events should activate the webhook. You can select multiple events.

Custom Headers (Optional): Add custom HTTP headers to the requests. Useful for making requests more secure or providing additional info.

Payload Template (Optional): Define your own JSON payload format. Leave empty to use nTrackr's default format with all data.

Blacklist Management

Block unwanted traffic proactively

Blacklist management is a powerful security feature that lets you proactively block unwanted or malicious traffic to your website. nTrackr supports flexible blacklist rules based on various criteria, allowing you to easily block bot traffic, spammers, unwanted visitors from specific countries, and more.

IP Address

Block all traffic from a specific IP address or IP range. Ideal for known attack or spam source IPs.

Country

Block all visitors from a specific country using ISO 3166-1 alpha-2 country codes (e.g., "US" for United States, "CN" for China).

User-Agent

Block browsers or bots containing specific User-Agent text. Useful for targeting malicious bots or legacy browsers.

Fingerprint

Block by browser fingerprint hash — the unique ID created from browser and device characteristics. Most effective way to block a specific user/bot even when IP changes.

Creating a New Blacklist Rule

Adding a new rule is simple. Click "Add New Rule" and fill in the form:

Rule Type: Select one of the four types (IP, Country, User-Agent, Fingerprint).

Value: Enter the corresponding value for your selected type (e.g., "192.168.1.1", "RU", "BadBot/1.0", "abcdef12345...").

Action: Select what happens when the rule matches. Usually "Block" is used.

Reason (Optional): Leave a note about why you added this rule — helpful for future management.

Expiry Date (Optional): Set when the rule expires. Leave empty for a permanent rule.

Managing Rules

All created rules are listed in the main table. You can view each rule's type, value, action, and expiry date, and easily remove rules you no longer need with the "Delete" button.

Risk Analysis & Security

Comprehensive risk assessment tools

nTrackr analyzes visitor behavior and technical characteristics to identify potential risks. This section details the "Risk Analysis" tab on the visitor detail page and the reports it contains.

Risk Score

Shows how risky the visitor is on a 0-100 scale. High score indicates a potential threat. Calculated based on IP reputation, device anomalies, and behavioral patterns.

Trust Score

Shows how trustworthy the visitor is on a 0-100 scale. High score indicates a legitimate user.

Multi-IP Analysis

Detects when a visitor uses multiple IPs, which may indicate identity concealment. Shows IP change timeline with all IPs used, time ranges, and geographic locations.

IP Security Analysis

Detailed analysis of the current IP including risk score, anonymity detection (VPN/Proxy/Tor), hosting provider check, and known threat type listings (spam, botnet, etc.).

Device & Browser Risk

Fingerprint uniqueness score, browser security level, device consistency across sessions, WebRTC leak detection, advanced device info (CPU cores, memory, screen resolution).

Behavioral Analysis & Pattern Detection

Session count, average duration, interaction and anomaly scores. Bounce rate, pages/session, scroll depth. Status info (blocked, whitelisted, rule-based). Form & event analysis (filled forms, triggered events, error rates).

Recommended Actions & Summary

Based on analysis results, nTrackr recommends specific security actions like "Immediate Block", "Close Monitoring", or "Request Additional Verification" based on risk score. Also suggests network-level measures like geo-blocking and rate limiting based on IP analysis. A summary table shows all main scores (Overall Risk, IP Risk, Fingerprint, Trust) at a glance.

Visitor Identify

Match your logged-in users with nTrackr visitors

The Visitor Identify feature allows you to associate your own application's user data (user ID, email, name, and unlimited custom metadata) with nTrackr visitor records. This creates a bridge between your application's users and nTrackr's analytics data.

What is Visitor Identify?

When a visitor logs in to your website, you can send their user information to nTrackr using the identify command. This data is stored as a JSON object on the visitor record and is visible in the dashboard, searchable, and usable in rule conditions.

Usage Examples

Minimal — just a user ID:

ntrack('identify', {
  userId: 'usr_12345',
  hmac: 'your_hmac_signature'
});

Full — with all fields and custom metadata:

ntrack('identify', {
  userId: 'usr_12345',
  hmac: 'your_hmac_signature',
  email: '[email protected]',
  name: 'John Doe',
  meta: {
    plan: 'premium',
    company: 'Acme Inc.',
    role: 'admin',
    signup_date: '2025-01-15'
  }
});

Update only metadata (merges with existing data):

ntrack('identify', {
  hmac: 'your_hmac_signature',
  meta: { last_order: '#1234', vip: true }
});

Supported Fields

userId — Your application's unique user identifier (string)

email — The user's email address

name — The user's display name

meta — Unlimited custom key-value pairs (any data you want: plan, role, company, signup date, lifetime value, etc.)

Deep Merge Behavior

Each identify call deep-merges with existing data. Previously sent fields are preserved, new fields are added, and updated fields are overwritten. Meta keys are also merged individually.

// First call
ntrack('identify', {
  userId: 'usr_12345',
  hmac: 'your_hmac_signature',
  meta: { plan: 'free' }
});

// Second call — adds email, updates plan
ntrack('identify', {
  hmac: 'your_hmac_signature',
  email: '[email protected]',
  meta: { plan: 'premium', company: 'Acme' }
});

// Result: all data merged
// { userId: 'usr_12345', email: '[email protected]',
//   meta: { plan: 'premium', company: 'Acme' } }

Removing Meta Keys

To remove a previously set meta key, send it with a null value:

ntrack('identify', {
  hmac: 'your_hmac_signature',
  meta: { old_key: null }  // This key will be removed
});

Dashboard Integration

Identified visitors show a verification badge in the visitor list. In the visitor detail page, a dedicated "Identified User" card displays all sent data including custom meta key-value pairs. You can also search visitors by user ID, email, or name.

Rule Conditions

You can use identification status in your automation rules. Available conditions: "is_identified" (boolean), "identified_user_id" (matches user ID), and "identified_email" (matches email). Combine these with other conditions to create powerful targeting rules.

Privacy Notice

You are responsible for ensuring that any personal data sent via the identify command complies with applicable privacy regulations (GDPR, CCPA, etc.). Only send data that you have consent to process. nTrackr stores this data securely alongside the visitor record.

Support & Help

Get help when you need it

If you encounter any issues or need assistance, you can easily reach our support team through the Support section in your customer panel.

Creating a Support Ticket

1 Go to the "Support" or "Help" menu in your panel

2 Click the "Create New Ticket" button

3 Enter the subject and detailed description of your issue

4 Attach screenshots or relevant files if needed

5 Submit your ticket. Our team will respond as soon as possible.

Email Support

[email protected]

Support Ticket

Create a support ticket

Live Chat

Available during business hours