Holistic device intelligence

_castle('createRequestToken').then(function(requestToken) { // Insert requestToken into the form data // .... }); // or use onsubmit handler to automatically insert the castle_request_token hidden input <form onsubmit="_castle('onFormSubmit', event)"> // .... </form>

const requestTokenHeaderName = await Castle.requestTokenHeaderName(); const requestToken = await Castle.createRequestToken(); let requestHeaders = new Headers(); requestHeaders.append(requestTokenHeaderName, requestToken);

const requestTokenHeaderName = await Castle.requestTokenHeaderName; const requestToken = await Castle.createRequestToken; Map<String, String> requestHeaders = {}; requestHeaders[requestTokenHeaderName] = requestToken;

token = request.params['castle_request_token'] context = Castle::Context::Prepare.call(request) res = castle.filter( event: '$registration', request_token: token, context: { ip: context[:ip], headers: context[:headers] } )

$token = $_POST['castle_request_token']; $res = Castle::filter([ 'event' => '$registration', 'request_token' => $token, 'context' => [ 'ip' => Castle_RequestContext::extractIp(), 'headers' => Castle_RequestContext::extractHeaders() ] ]);

token = request.form['castle_request_token'] # Using Flask client = Client() context = ContextPrepare.call(request) res = client.filter({ 'event': '$registration', 'request_token': token, 'context': { 'ip' : context['ip'], 'headers' : context['headers'] } })

String token = request.getParameter("castle_request_token"); Castle castle = Castle.initialize(); CastleContextBuilder context = castle.contextBuilder().fromHttpServletRequest(request) Verdict res = castle.filter( ImmutableMap.builder() .put("event", "$registration") .put("request_token", token) .put("context", ImmutableMap.builder() .put("ip", context.getIp()) .put("headers", context.getHeaders()) .build() .build() )

const token = request.body["castle_request_token"]; const context = ContextPrepareService.call(request, {}, castle.configuration); castle.filter({ event: '$registration', request_token: token, context: { ip: context.ip, headers: context.headers } });

var token = Request.Params["castle_request_token"]; var res = await castleClient.Fiter(new ActionRequest() { Event = "$registration", RequestToken = token, Context = new Dictionary<string, string>() { ["ip"] = Request.HttpContext.Connection.RemoteIpAddress.ToString(), ["headers"] = Request.Headers.ToDictionary(x => x.Key, y => y.Value.FirstOrDefault()) } });

API Response

Risk-based bot scoring

Use risk scores and signals to determine friend from foe.

The /filter endpoint assesses the risk that a user is a bot.

Response

{
  "risk": 0.95,
  "signals": {
    "bot_behavior": {},
    "proxy_ip": {},
    "disposable_email": {},
    "spoofed_device": {}
  },
  "policy": {
    "action": "deny",
    "name": "Block bots",
    "id": "e14c5a8d-c682-4a22-bbca-04fa6b98ad0c",
    "revision_id": "b5cf794e-88c0-426e-8276-037ba1e7ceca"
  }
}

{
  "risk": 0.95,
  "signals": {
    "bot_behavior": {},
    "proxy_ip": {},
    "disposable_email": {},
    "spoofed_device": {}
  },
  "policy": {
    "action": "deny",
    "name": "Block bots",
    "id": "e14c5a8d-c682-4a22-bbca-04fa6b98ad0c",
    "revision_id": "b5cf794e-88c0-426e-8276-037ba1e7ceca"
  }
}

{
  "risk": 0.95,
  "signals": {
    "bot_behavior": {},
    "proxy_ip": {},
    "disposable_email": {},
    "spoofed_device": {}
  },
  "policy": {
    "action": "deny",
    "name": "Block bots",
    "id": "e14c5a8d-c682-4a22-bbca-04fa6b98ad0c",
    "revision_id": "b5cf794e-88c0-426e-8276-037ba1e7ceca"
  }
}

Risk and signals

Assess bot risk on any page or form

Risk scores go up when signals trigger. Take action based on the score or individual signals.

30+ external risk signals
200+ internal risk assessments

Policies

Fine-tune what to allow, challenge, or deny

Take action based on configurable policies rather than hard-coded values.

Trigger on risk, device, location, traits
Decouple risk logic from your code

Use Cases

Reduce fraud and abuse

Block malicious bots in web and mobile applications.

Fake accounts

Mitigate new account registration fraud and fake spam accounts.

Credential stuffing

Protect your users from automated account takeovers and data breaches.

Content spam

Stop spam comments from polluting your site.

Platform abuse

Block abusive traffic and avoid resource exploits.

Card testing

Prevent brute-force testing of loyalty or credit cards.

Inventory hoarding

Prevent brand damage caused by bots purchasing and stockpiling inventory.

Comparison

How we are better

Designed to give developers the most flexibility.

	Castle Filter API	Cloudflare Bot Manager	Google reCAPTCHA v3
Self-service
API & SDK-based
Mobile SDKs			Android only
User access logs
Detailed risk reasons
Policy management

Professional

$33/mo

per 10,000 good events

No minimum commitment

Start for free

Bot Detection
Account Takeover Prevention
Policy Management
Device Management

User Behavior Analytics
REST API & Webhooks
Email & chat support
Credit card payments

Enterprise

$2,800/mo*

per 1,000,000 good events

Get in touch

Includes all Pro features
Enterprise SLAs
Enterprise support
* Volume discounts available

Customizable billing
Invoice payments