KaizoCoreKaizoCore docs

SDK integration

What the collector script does, its two operating modes, and what to check if it's not behaving as expected.

What the script does automatically

Once loaded, the collector script handles the entire client-side lifecycle without further configuration:

  1. Runs FORGE — the proof-of-work challenge, ECDH key exchange, and encrypted initial collection payload.
  2. Establishes the signed session cookie, bound to the originating IP and User-Agent.
  3. Begins PULSE heartbeats every 4 seconds for as long as the page is open.
  4. Exposes the current session token for your backend to read and pass into /v1/decide.

Two protection modes

ModeWhat it addsBest for
FORGE (always on)Hardware challenge + PoW + ECDH-encrypted payload, signed session cookie. ~600ms overhead.Every page — this is the baseline.
PULSE (optional, toggle in dashboard settings)Continuous 4-second heartbeat re-verification for the life of the session.Long-lived sessions — queues, waiting rooms, ticket-sale drops, auction rooms — where a bot could pass the initial check and then run unattended for minutes.

FORGE alone is enough for most short-lived flows (a login form, a quick checkout). PULSE is the right addition anywhere a session might stay open and unattended for a while before the action that matters happens.

Where the session token lives

The SDK manages the session token as a signed, HttpOnly-equivalent cookie your backend can read directly off the incoming request the same way you'd read any first-party cookie. There's no separate JS API call needed to "fetch" the token — if your backend can see the request, it can see the token.

Content Security Policy

If your site enforces a CSP, allow:

script-src https://cdn.kaizocore.com;
connect-src https://api.kaizocore.com;

Troubleshooting

/v1/decide keeps returning SOFT_CHALLENGE with reason missing_session_token. The script either isn't loading (check your network tab for a request to cdn.kaizocore.com/l.js), or your backend isn't reading the session cookie correctly before calling /v1/decide.

Every session scores unusually high. Check whether your CSP or a corporate proxy is stripping the FORGE payload — a session with no completed collect() call loses several completeness-gated signals at once (see the completeness gate), which caps how confidently KaizoCore can score it either way.

Ack tokens keep returning insufficient_pulse_history. This is expected for any action gated by an ack token within the first ~8 seconds of a session with PULSE enabled — see Ack tokens for why that minimum exists.

On this page