SDK integration
What the collector script does, its two operating modes, and what to check if it's not behaving as expected.
What the script does automatically
Once loaded, the collector script handles the entire client-side lifecycle without further configuration:
- Runs FORGE — the proof-of-work challenge, ECDH key exchange, and encrypted initial collection payload.
- Establishes the signed session cookie, bound to the originating IP and User-Agent.
- Begins PULSE heartbeats every 4 seconds for as long as the page is open.
- Exposes the current session token for your backend to read and pass into
/v1/decide.
Two protection modes
| Mode | What it adds | Best for |
|---|---|---|
| FORGE (always on) | Hardware challenge + PoW + ECDH-encrypted payload, signed session cookie. ~600ms overhead. | Every page — this is the baseline. |
| PULSE (optional, toggle in dashboard settings) | Continuous 4-second heartbeat re-verification for the life of the session. | Long-lived sessions — queues, waiting rooms, ticket-sale drops, auction rooms — where a bot could pass the initial check and then run unattended for minutes. |
FORGE alone is enough for most short-lived flows (a login form, a quick checkout). PULSE is the right addition anywhere a session might stay open and unattended for a while before the action that matters happens.
Where the session token lives
The SDK manages the session token as a signed, HttpOnly-equivalent cookie your backend can read directly off the incoming request the same way you'd read any first-party cookie. There's no separate JS API call needed to "fetch" the token — if your backend can see the request, it can see the token.
Content Security Policy
If your site enforces a CSP, allow:
script-src https://cdn.kaizocore.com;
connect-src https://api.kaizocore.com;Troubleshooting
/v1/decide keeps returning SOFT_CHALLENGE with reason
missing_session_token. The script either isn't loading (check your
network tab for a request to cdn.kaizocore.com/l.js), or your backend
isn't reading the session cookie correctly before calling /v1/decide.
Every session scores unusually high. Check whether your CSP or a
corporate proxy is stripping the FORGE payload — a session with no
completed collect() call loses several completeness-gated signals at
once (see the completeness gate),
which caps how confidently KaizoCore can score it either way.
Ack tokens keep returning insufficient_pulse_history. This is
expected for any action gated by an ack token within the first ~8 seconds
of a session with PULSE enabled — see Ack tokens for
why that minimum exists.