The Account Takeover Prevention API

Castle lets you verify anomalous login attempts and block automated attacks


An end-to-end account takeover solution

Castle understands user behavior across web, mobile and APIs. Depending on the risk associated with an individual device, we automatically trigger security notifications, challenges and account reset workflows. This lets end users self-mitigate while also improving Castle's risk models.

Integrate in minutes

Get up and running by adding the SDK and tracking login events to Castle.

Self-learning risk models

Machine learning that evolves to keep false positives at a minimum.

Alert and mitigate

Alert your team or end-users to resolve any account takeovers.

Security logs per user and device

Get complete visibility into your users’ devices and access patterns. Drill down into individual devices to see who is using Tor or hopping between locations.

Built by and for developers

We've tailored Castle to make developers feel right at home.

Backend (Required)

SDKs for Ruby, Python, PHP and Java. Or use Curl.

verdict = castle.authenticate(
  event: '$login.succeeded',
  user_id: 'user1234'
)

puts verdict[:action] # => "allow", "challenge" or "deny"

Frontend (Recommended)

Include the JavaScript tag on all of your pages.

<script src=""></script>
<script>
  _castle('setAppId', '451236789012343');
  _castle('identify', 'user1234'); // when the user is logged in
</script>