
Abuse & compliance

Bird is shared infrastructure: every sender's traffic travels over the same platform, and the reputation of that platform with mailbox providers and carriers is what gets everyone's messages delivered. Abuse protection exists to keep that shared reputation healthy — it is what makes your own deliverability possible. This page explains the channel-agnostic model; the concrete signals and thresholds for each channel live in the per-channel pages, starting with email.
What you can and cannot send is governed by Bird's Acceptable Use Policy; the acceptable use summary is a plain-language walkthrough of it. This page covers how Bird detects and responds when sending goes wrong, whether through abuse or honest mistakes like a stale mailing list.

The trust & safety pipeline

Bird forwards trust-relevant control-plane actions — signup, login, MFA challenges, password resets, API-key creation and revocation, and billing events like top-ups and plan changes — to a trust & safety pipeline as an asynchronous event stream. Each event carries the action, its outcome, and request context such as IP address and user agent, and the pipeline assembles them into one risk profile per user.
Two properties of this design matter to you as a developer:
  • The stream is server-authoritative. Risk signals are derived from what the backend observed, not from anything the client reports about itself. Browser-side signals (device fingerprinting on the dashboard) are best-effort enrichment — nothing depends on the client cooperating, so nothing breaks when it doesn't.
  • Detection never blocks the happy path synchronously. Events are dispatched asynchronously after the action completes; a slow or unavailable pipeline degrades signal collection, never your signup, login, or API call. There is no detection-induced latency on the request path.
Today the pipeline collects signals. The next phase adds real-time scoring at sensitive decision points — authentication and billing — mapping risk to one of three outcomes: allow the action, step up with an additional challenge, or block it. The signal history being collected now is what makes those scores meaningful later.

Throttling and pausing

Sending behaviour feeds a per-workspace reputation on each channel. Healthy traffic — low bounce rates, low complaint rates, recipients who asked to hear from you — keeps reputation high and sending unrestricted. Bad behaviour degrades it, and Bird responds proportionally:
  • Throttling slows your sending rate while the problem signal persists, giving you time to correct course without a hard stop.
  • Pausing halts sending on the affected channel when the signal crosses the line from degraded to harmful — for example a bounce rate that indicates a purchased or badly stale list.
The signals that drive this, and the indicative thresholds, are channel-specific: see Abuse & compliance · Email for the email model. Throttling and pausing protect your sender reputation as much as Bird's — continuing to send traffic that mailbox providers are rejecting makes recovery harder, as explained in the deliverability guide.

Protections you encounter directly

Most abuse protection is invisible when your traffic is healthy. A few controls are visible by design, because they sit on public surfaces that attackers probe:
  • CAPTCHA on public auth endpoints. Signup, login, forgot-password, and SMS-based MFA flows require a CAPTCHA challenge before the backend does any work. This is what keeps credential stuffing and signup automation from consuming the platform.
  • SMS-OTP country allowlists. One-time passcodes over SMS are only sent to phone numbers in a supported set of countries; enrollment with a number outside the allowlist is rejected with 422 phone_country_not_allowed. This closes off SMS pumping — fraud schemes that trigger OTP sends to premium-rate numbers.
  • Per-phone and per-IP limits. OTP sends and authentication attempts are rate-limited per phone number and per source IP, with progressive delays on repeated failures.
These controls protect your account as well as the platform — an attacker who can burn your SMS budget or brute-force your login is your problem before it is Bird's.
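The three controls above combined into a single OTP gate, as an added sketch that is not Bird's implementation. The allowlist prefixes, limits, window, delay schedule and both 429 codes are assumptions made for illustration; only 422 phone_country_not_allowed comes from this page.

```python
import time
from collections import defaultdict

# All values below are assumptions for illustration, not Bird's settings.
ALLOWED_PREFIXES = ("+31", "+44")  # constructed allowlist; real code parses numbers
MAX_SENDS, WINDOW = 3, 600         # sends allowed per key per WINDOW seconds
BASE_DELAY = 2                     # seconds; doubles with each consecutive failure

class OtpGate:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sends = defaultdict(list)         # key -> timestamps of recent sends
        self.failures = defaultdict(int)       # key -> consecutive failed verifies
        self.blocked_until = defaultdict(float)

    def _over_limit(self, key, now):
        # Sliding window: forget sends older than WINDOW, then count the rest.
        self.sends[key] = [t for t in self.sends[key] if now - t < WINDOW]
        return len(self.sends[key]) >= MAX_SENDS

    def request_send(self, phone, ip):
        """Decide an OTP send request; returns (status, code)."""
        now = self.clock()
        # Allowlist first: a disallowed destination never reaches the SMS provider.
        if not phone.startswith(ALLOWED_PREFIXES):
            return 422, "phone_country_not_allowed"
        keys = (("phone", phone), ("ip", ip))
        if any(now < self.blocked_until[k] for k in keys):
            return 429, "retry_later"          # hypothetical code
        if any(self._over_limit(k, now) for k in keys):
            return 429, "rate_limited"         # hypothetical code
        for k in keys:
            self.sends[k].append(now)
        return 200, "sent"

    def record_verify(self, phone, ip, ok):
        """Record a verification result; returns the delay now in force (seconds)."""
        now, delay = self.clock(), 0
        if ok:
            # Reset only the phone counter so one valid login cannot clear an IP's history.
            self.failures[("phone", phone)] = 0
            return 0
        for k in (("phone", phone), ("ip", ip)):
            self.failures[k] += 1
            wait = BASE_DELAY * 2 ** (self.failures[k] - 1)
            self.blocked_until[k] = now + wait
            delay = max(delay, wait)
        return delay
```

Keying the limits on both phone and IP means rotating one of the two does not reset the other, which is why the page lists them together.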