Markdown source

JA4 Fingerprint t13d1516h2_8daaf6152771_d8a2da3f94cd Markdown source

Readable source view for humans. The raw Markdown endpoint remains available for crawlers and agent readers.

---
title: "JA4 Fingerprint t13d1516h2_8daaf6152771_d8a2da3f94cd"
description: "JA4 fingerprint t13d1516h2_8daaf6152771_d8a2da3f94cd decoded: t13d1516h2 is the TLS 1.3 prefix, 8daaf6152771 the cipher hash, d8a2da3f94cd the extension hash."
kind: snippet
maturity: budding
confidence: high
origin: ai-drafted
author: "Agent"
directedBy: "krow"
tags: [security, networking, fingerprinting, ja4, tls]
published: 2026-05-17
modified: 2026-06-15
wordCount: 532
readingTime: 3
prerequisites: [bot-detection-2026]
related: [bot-detection-2026, ja4-decoder, tls-fingerprinting-curl-cffi, tls-impersonation-library-comparison]
url: https://krowdev.com/snippet/ja4-fingerprint-t13d1516h2/
---
## Agent Context

- Canonical: https://krowdev.com/snippet/ja4-fingerprint-t13d1516h2/
- Markdown: https://krowdev.com/snippet/ja4-fingerprint-t13d1516h2.md
- Full corpus: https://krowdev.com/llms-full.txt
- Kind: snippet
- Maturity: budding
- Confidence: high
- Origin: ai-drafted
- Author: Agent
- Directed by: krow
- Published: 2026-05-17
- Modified: 2026-06-15
- Words: 532 (3 min read)
- Tags: security, networking, fingerprinting, ja4, tls
- Prerequisites: bot-detection-2026
- Related: bot-detection-2026, ja4-decoder, tls-fingerprinting-curl-cffi, tls-impersonation-library-comparison
- Content map:
  - h2: Quick Reference
  - h2: What 8daaf6152771 and d8a2da3f94cd Mean
  - h2: Why t13d1516h2 Shows Up in Logs
  - h2: Bot Detection Relevance
  - h2: Sources
- Crawl policy: same canonical content is exposed through HTML, Markdown, and llms-full; no crawler-specific content gate.

`t13d1516h2_8daaf6152771_d8a2da3f94cd` is a full JA4 TLS fingerprint made of three parts joined by underscores: `t13d1516h2` (the human-readable prefix), `8daaf6152771` (the cipher-suite hash), and `d8a2da3f94cd` (the extension-plus-signature-algorithm hash). The `t13d1516h2` prefix means the ClientHello used TLS 1.3, included SNI, had 15 cipher suites after JA4 deduplication/GREASE removal, had 16 extensions after JA4 deduplication/GREASE removal, and advertised HTTP/2 through ALPN.

## Quick Reference

A JA4 fingerprint has three parts, `a_b_c`:

| Part | Value | Meaning |
|---|---|---|
| `a` | `t13d1516h2` | Human-readable shape of the TLS handshake (the prefix) |
| `b` | `8daaf6152771` | Truncated hash of the sorted cipher suites |
| `c` | `d8a2da3f94cd` | Truncated hash of the sorted extensions plus signature algorithms |

The `t13d1516h2` prefix decodes further:

| Segment | Meaning |
|---|---|
| `t13` | TLS 1.3 ClientHello |
| `d` | Domain/SNI is present |
| `15` | 15 cipher suites after JA4 deduplication and GREASE removal |
| `16` | 16 TLS extensions after JA4 deduplication and GREASE removal |
| `h2` | HTTP/2 advertised through ALPN |

## What 8daaf6152771 and d8a2da3f94cd Mean

`8daaf6152771` is the cipher-suite hash: a truncated SHA-256 of the cipher list after JA4 sorts it, so a client that merely re-orders the same ciphers still hashes to the same value. `d8a2da3f94cd` is the extension hash: a truncated SHA-256 of the sorted extensions (with SNI and ALPN removed) plus the signature algorithms in their original order. The extension hash typically changes only when Chrome updates its `signature_algorithms` list, which is why `t13d1516h2_8daaf6152771_d8a2da3f94cd` stays stable across several Chrome major versions. To break down any other JA4 string field by field, use the [JA4 Fingerprint Decoder](/snippet/ja4-decoder/).

## Why t13d1516h2 Shows Up in Logs

The `t13d1516h2` prefix is part `a`: the human-readable shape of the TLS handshake. The later hash parts summarize sorted cipher suites and extensions so small order randomization does not create a different fingerprint every connection.

Modern Chromium-family browsers often share the same `t13d1516h2` prefix because they use TLS 1.3, send SNI, advertise HTTP/2, and expose similar ClientHello counts. The prefix alone does not prove Chrome; the full `t13d1516h2_8daaf6152771_d8a2da3f94cd` string is needed for a stronger browser-family match.

## Bot Detection Relevance

Bot detection systems use JA4 to compare a claimed browser identity with the actual network stack. A request that sends a Chrome User-Agent but produces a Python, Go, or default curl TLS fingerprint is inconsistent before any JavaScript challenge can run.

For implementation context, [TLS Fingerprinting with curl_cffi](/note/tls-fingerprinting-curl-cffi/) explains why browser impersonation has to match both TLS and HTTP/2. For the broader request path before a CDN evaluates the connection, [DNS Resolution: The Full Picture](/guide/dns-resolution-full-picture/) shows where DNS, TLS, and HTTP fit together.

The practical lesson: headers are not enough. TLS fingerprint, HTTP/2 settings, header order, IP reputation, and behavior all have to tell the same story.

## Sources

- [FoxIO JA4 repository](https://github.com/FoxIO-LLC/ja4) — primary JA4 format reference and implementation notes.
- [Cloudflare JA4 signals documentation](https://developers.cloudflare.com/bots/additional-configurations/ja3-ja4-fingerprint/) — explains how Cloudflare exposes JA4 fingerprints for bot analysis.
- [JA4 fingerprint database](https://ja4db.com/) — lookup context for observed JA4 strings and browser-family matches.
- [How Websites Detect Bots in 2026](/article/bot-detection-2026/) — broader detection hierarchy across TCP, TLS, HTTP/2, headers, and behavior.