JA4 Fingerprint t13d1516h2_8daaf6152771_d8a2da3f94cd
JA4 fingerprint t13d1516h2_8daaf6152771_d8a2da3f94cd decoded: t13d1516h2 is the TLS 1.3 prefix, 8daaf6152771 the cipher hash, d8a2da3f94cd the extension hash.
On this page
t13d1516h2_8daaf6152771_d8a2da3f94cd is a full JA4 TLS fingerprint made of three parts joined by underscores: t13d1516h2 (the human-readable prefix), 8daaf6152771 (the cipher-suite hash), and d8a2da3f94cd (the extension-plus-signature-algorithm hash). The t13d1516h2 prefix means the ClientHello used TLS 1.3, included SNI, had 15 cipher suites after JA4 deduplication/GREASE removal, had 16 extensions after JA4 deduplication/GREASE removal, and advertised HTTP/2 through ALPN.
Quick Reference
A JA4 fingerprint has three parts, a_b_c:
| Part | Value | Meaning |
|---|---|---|
a | t13d1516h2 | Human-readable shape of the TLS handshake (the prefix) |
b | 8daaf6152771 | Truncated hash of the sorted cipher suites |
c | d8a2da3f94cd | Truncated hash of the sorted extensions plus signature algorithms |
The t13d1516h2 prefix decodes further:
| Segment | Meaning |
|---|---|
t13 | TLS 1.3 ClientHello |
d | Domain/SNI is present |
15 | 15 cipher suites after JA4 deduplication and GREASE removal |
16 | 16 TLS extensions after JA4 deduplication and GREASE removal |
h2 | HTTP/2 advertised through ALPN |
What 8daaf6152771 and d8a2da3f94cd Mean
8daaf6152771 is the cipher-suite hash: a truncated SHA-256 of the cipher list after JA4 sorts it, so a client that merely re-orders the same ciphers still hashes to the same value. d8a2da3f94cd is the extension hash: a truncated SHA-256 of the sorted extensions (with SNI and ALPN removed) plus the signature algorithms in their original order. The extension hash typically changes only when Chrome updates its signature_algorithms list, which is why t13d1516h2_8daaf6152771_d8a2da3f94cd stays stable across several Chrome major versions. To break down any other JA4 string field by field, use the JA4 Fingerprint Decoder.
Why t13d1516h2 Shows Up in Logs
The t13d1516h2 prefix is part a: the human-readable shape of the TLS handshake. The later hash parts summarize sorted cipher suites and extensions so small order randomization does not create a different fingerprint every connection.
Modern Chromium-family browsers often share the same t13d1516h2 prefix because they use TLS 1.3, send SNI, advertise HTTP/2, and expose similar ClientHello counts. The prefix alone does not prove Chrome; the full t13d1516h2_8daaf6152771_d8a2da3f94cd string is needed for a stronger browser-family match.
Bot Detection Relevance
Bot detection systems use JA4 to compare a claimed browser identity with the actual network stack. A request that sends a Chrome User-Agent but produces a Python, Go, or default curl TLS fingerprint is inconsistent before any JavaScript challenge can run.
For implementation context, TLS Fingerprinting with curl_cffi explains why browser impersonation has to match both TLS and HTTP/2. For the broader request path before a CDN evaluates the connection, DNS Resolution: The Full Picture shows where DNS, TLS, and HTTP fit together.
The practical lesson: headers are not enough. TLS fingerprint, HTTP/2 settings, header order, IP reputation, and behavior all have to tell the same story.
Sources
- FoxIO JA4 repository — primary JA4 format reference and implementation notes.
- Cloudflare JA4 signals documentation — explains how Cloudflare exposes JA4 fingerprints for bot analysis.
- JA4 fingerprint database — lookup context for observed JA4 strings and browser-family matches.
- How Websites Detect Bots in 2026 — broader detection hierarchy across TCP, TLS, HTTP/2, headers, and behavior.