KaizoCoreKaizoCore docs

Quickstart

Script tag to your first real decision, start to finish.

1. Get your keys

Sign up and, once your account is approved, you'll have a key pair:

  • pk_live_... — public, safe to embed in your frontend's HTML. This is what the collector script uses.
  • sk_live_... — secret, backend-only. This signs your /v1/decide calls. Never ship this to a browser.

2. Add the collector script

Add this to every page you want protected — ideally in <head>, as early as possible, so FORGE has the most time to complete before a user reaches checkout:

<script src="https://cdn.kaizocore.com/l.js?k=pk_live_your_public_key"></script>

That's the entire frontend integration. The script handles FORGE, PULSE, and generating the session token your backend needs — there's nothing else to wire up client-side.

3. Get the session token

The script exposes the current session token on the page (via a cookie the SDK manages). Your backend reads it the same way it reads any other first-party cookie/header from the incoming request — pass it through as session_token in your /v1/decide call.

4. Call /v1/decide before the action that matters

// Node.js example, backend-side
const crypto = require("crypto")

function signRequest(method, path, body, secretKey) {
  const ts = Math.floor(Date.now() / 1000).toString()
  const rid = crypto.randomUUID()
  const bodyHash = crypto.createHash("sha256").update(body).digest("hex")
  const signingString = [method, path, ts, bodyHash, rid].join("\n")
  const sig = crypto.createHmac("sha256", secretKey).update(signingString).digest("hex")
  return { ts, rid, sig }
}

async function checkDecision(sessionToken, req) {
  const body = JSON.stringify({
    ip: req.ip,
    user_agent: req.headers["user-agent"],
    session_token: sessionToken,
    entity_keys: { user_id: req.user.id },
    event_type: "checkout",
  })
  const { ts, rid, sig } = signRequest("POST", "/v1/decide", body, process.env.KAIZOCORE_SECRET_KEY)

  const res = await fetch("https://api.kaizocore.com/v1/decide", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "X-KZ-Key": process.env.KAIZOCORE_PUBLIC_KEY,
      "X-KZ-Ts": ts,
      "X-KZ-Rid": rid,
      "X-KZ-Sig": sig,
    },
    body,
  })
  return res.json()
}

See The /v1/decide API for the full request/response schema and the signing scheme in detail.

5. Handle the decision

const result = await checkDecision(sessionToken, req)

switch (result.decision) {
  case "ALLOW":
  case "ALLOW_WATCH":
    return proceedToCheckout()
  case "SOFT_CHALLENGE":
    return showCaptcha()
  case "REVIEW":
    return proceedButFlagForReview(result.request_id)
  case "BLOCK":
    return denyAction()
}

6. (Optional) Gate the actual submission with an ack token

For the highest-stakes actions — the literal moment of checkout submission — request an ack token right before your /v1/decide call and verify it server-side as part of the same transaction. This adds a second, independent layer specifically at the moment of submission, on top of the decision call itself.

What's next

  • SDK integration — configuration options, PULSE mode, event hooks.
  • Event types — the event_type values KaizoCore understands and how they interact with per-action thresholds.
  • Dashboard overview — where to configure policy overrides, lists, and webhooks once you're integrated.

On this page