Filter API

Better bot detection

Risk signals, policies, and a per-request API. More effective than CAPTCHA.

Client-side
_castle('createRequestToken').then(function(requestToken) {
  // Insert requestToken into the form data
  // ....
});
<!-- Or use the onsubmit handler to automatically insert the castle_request_token hidden input -->
<form onsubmit="_castle('onFormSubmit', event)">
  <!-- .... -->
</form>
Server-side
token = request.params['castle_request_token']
context = Castle::Context::Prepare.call(request)

res = castle.filter(
  event: '$registration',
  request_token: token,
  context: {
    ip: context[:ip],
    headers: context[:headers]
  }
)
API Response

Risk-based bot scoring

Use risk scores and signals to determine friend from foe.

The /filter endpoint assesses the risk that a user is a bot.

Response
{
  "risk": 0.95,
  "signals": {
    "bot_behavior": {},
    "proxy_ip": {},
    "disposable_email": {},
    "spoofed_device": {}
  },
  "policy": {
    "action": "deny",
    "name": "Block bots",
    "id": "e14c5a8d-c682-4a22-bbca-04fa6b98ad0c",
    "revision_id": "b5cf794e-88c0-426e-8276-037ba1e7ceca"
  }
}
Risk and signals

Assess bot risk on any page or form

Risk scores go up when signals trigger. Take action based on the score or individual signals.

  • 30+ external risk signals
  • 200+ internal risk assessments
Policies

Fine-tune what to allow, challenge, or deny

Take action based on configurable policies rather than hard-coded values.

  • Trigger on risk, device, location, traits
  • Decouple risk logic from your code
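
Acting on a response of the shape shown above, as an added example (not Castle's own code): the decision follows policy.action when a policy is present and falls back to the risk score and signals otherwise. The decide function, the thresholds, the strong-signal list and the fail-open behaviour are assumptions made for illustration.

```ruby
require 'json'

# Hypothetical fallback thresholds, used only when the response carries no policy.
DENY_AT = 0.9
CHALLENGE_AT = 0.6
# Signal names from the sample response that force at least a challenge (assumption).
STRONG_SIGNALS = %w[bot_behavior spoofed_device].freeze
ACTIONS = %w[allow challenge deny].freeze

# Turn a parsed /filter response into a decision hash.
def decide(response)
  # No usable response (timeout, parse error): fail open here, and record the
  # source so the request can be logged and reviewed. Fail-open is an assumption.
  return { action: 'allow', source: 'failover', signals: [] } unless response.is_a?(Hash)

  signals = (response['signals'] || {}).keys
  action = response.dig('policy', 'action')
  if ACTIONS.include?(action)
    return { action: action, source: 'policy', signals: signals,
             policy_id: response.dig('policy', 'id') }
  end

  # No recognised policy action: decide from the score and individual signals.
  risk = response['risk'].to_f
  fallback =
    if risk >= DENY_AT then 'deny'
    elsif risk >= CHALLENGE_AT || (signals & STRONG_SIGNALS).any? then 'challenge'
    else 'allow'
    end
  { action: fallback, source: 'risk', signals: signals }
end

# Constructed sample with the same shape as the response on this page.
SAMPLE = JSON.parse(<<~JSON)
  {"risk": 0.95,
   "signals": {"bot_behavior": {}, "proxy_ip": {}},
   "policy": {"action": "deny", "name": "Block bots",
              "id": "00000000-0000-0000-0000-000000000000"}}
JSON

if __FILE__ == $PROGRAM_NAME
  p decide(SAMPLE)
  p decide({ 'risk' => 0.3, 'signals' => { 'spoofed_device' => {} } })
  p decide(nil)
end
```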
Use Cases

Reduce fraud and abuse

Block malicious bots in web and mobile applications.

Fake accounts

Mitigate new account registration fraud and fake spam accounts.

Credential stuffing

Protect your users from automated account takeovers and data breaches.

Content spam

Stop spam comments from polluting your site.

Platform abuse

Block abusive traffic and avoid resource exploits.

Card testing

Prevent brute-force testing of loyalty or credit cards.

Inventory hoarding

Prevent brand damage caused by bots purchasing and stockpiling inventory.

Comparison

How we are better

Designed to give developers the most flexibility.

Castle Filter API
Cloudflare Bot Manager
Google reCAPTCHA v3
Self-service
API & SDK-based
Mobile SDKs Android only
User access logs
Detailed risk reasons
Policy management