I get that open-source in fraud prevention is really hard, I'm sympathetic to the challenges here.

FingerprintJS open-source (and the discussed FingerprinterJS) are both trivial to spoof since the entire codebase is easily examined, and the implementation is totally open as an oracle to someone who wants to bypass it or construct arbitrary fingerprints. It's a nice proof of concept (and I like the attention to unstable signals in FingerprinterJS here) but ultimately doesn't hold up against any dedicated attackers.

I work on a competing commercial product (Stytch Device Fingerprinting) and your usage would be within our free tier. Unfortunately we don't have an open-source version or self-serve onboarding because of the adversarial problems mentioned above. Happy to chat if that helps, bchen at stytch dot com.