Quickstart
Script tag to your first real decision, start to finish.
1. Get your keys
Sign up and, once your account is approved, you'll have a key pair:
pk_live_...— public, safe to embed in your frontend's HTML. This is what the collector script uses.sk_live_...— secret, backend-only. This signs your/v1/decidecalls. Never ship this to a browser.
2. Add the collector script
Add this to every page you want protected — ideally in <head>, as early as
possible, so FORGE
has the most time to complete before a user reaches checkout:
<script src="https://cdn.kaizocore.com/l.js?k=pk_live_your_public_key"></script>That's the entire frontend integration. The script handles FORGE, PULSE, and generating the session token your backend needs — there's nothing else to wire up client-side.
3. Get the session token
The script exposes the current session token on the page (via a cookie the
SDK manages). Your backend reads it the same way it reads any other
first-party cookie/header from the incoming request — pass it through as
session_token in your /v1/decide call.
4. Call /v1/decide before the action that matters
// Node.js example, backend-side
const crypto = require("crypto")
function signRequest(method, path, body, secretKey) {
const ts = Math.floor(Date.now() / 1000).toString()
const rid = crypto.randomUUID()
const bodyHash = crypto.createHash("sha256").update(body).digest("hex")
const signingString = [method, path, ts, bodyHash, rid].join("\n")
const sig = crypto.createHmac("sha256", secretKey).update(signingString).digest("hex")
return { ts, rid, sig }
}
async function checkDecision(sessionToken, req) {
const body = JSON.stringify({
ip: req.ip,
user_agent: req.headers["user-agent"],
session_token: sessionToken,
entity_keys: { user_id: req.user.id },
event_type: "checkout",
})
const { ts, rid, sig } = signRequest("POST", "/v1/decide", body, process.env.KAIZOCORE_SECRET_KEY)
const res = await fetch("https://api.kaizocore.com/v1/decide", {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-KZ-Key": process.env.KAIZOCORE_PUBLIC_KEY,
"X-KZ-Ts": ts,
"X-KZ-Rid": rid,
"X-KZ-Sig": sig,
},
body,
})
return res.json()
}See The /v1/decide API for the full request/response
schema and the signing scheme in detail.
5. Handle the decision
const result = await checkDecision(sessionToken, req)
switch (result.decision) {
case "ALLOW":
case "ALLOW_WATCH":
return proceedToCheckout()
case "SOFT_CHALLENGE":
return showCaptcha()
case "REVIEW":
return proceedButFlagForReview(result.request_id)
case "BLOCK":
return denyAction()
}6. (Optional) Gate the actual submission with an ack token
For the highest-stakes actions — the literal moment of checkout submission —
request an ack token right before your /v1/decide call
and verify it server-side as part of the same transaction. This adds a
second, independent layer specifically at the moment of submission, on top
of the decision call itself.
What's next
- SDK integration — configuration options, PULSE mode, event hooks.
- Event types — the
event_typevalues KaizoCore understands and how they interact with per-action thresholds. - Dashboard overview — where to configure policy overrides, lists, and webhooks once you're integrated.