WHAT HAPPENS IF THE DECISION API IS UNREACHABLE?

The SDK is designed to fail open by default. If the Decision API is unreachable or times out (configurable, default 1500ms), every request is automatically allowed through. Your application is never impacted. You can disable fail-open on Enterprise plans for maximum security.

WHICH FRAMEWORKS AND LANGUAGES ARE SUPPORTED?

GoGuard ships native SDKs for Node.js (Express, Fastify, Next.js middleware), Python (Flask, FastAPI via WSGI middleware), and Go (net/http via handler wrapping). All SDKs share the same behavioral fingerprinting and decision logic, with local LRU verdict caching built in.

CAN I BUILD CUSTOM DETECTION RULES?

Yes. The Rules Engine lets you write conditions against any signal field — fingerprint request velocity, login failure rates, OTP request counts, unique IPs per fingerprint, unique endpoints per fingerprint, failed payments, and more. Rules can target specific endpoints, set priority order, and trigger block, challenge, or allow actions.

Behavioral Security Platform — Now Active

API
Abuse.
Stopped.

GoGuard is a full security platform — behavioral fingerprinting, real-time threat decisions, a visual dashboard, a rules engine, and a security scanner. Connect with 3 lines of code. Everything else runs automatically.

Start Protecting View SDK Docs

Platform

DashboardRules EngineAnalyticsSecurity ScannerAlerts

SDK

Node.jsPythonGoExpressFastifyNext.js

LIVE // THREAT FEED // DECISION ENGINE ONLINE

BLOCKEDCredential Stuffing193.32.x.x97%

BLOCKEDBot Network45.141.x.x99%

CHALLENGEDPromo Abuse77.88.x.x82%

BLOCKEDScraper103.21.x.x95%

DECISION LATENCY: <50MS
FAIL-OPEN: ENABLED

// CREDENTIAL STUFFING BLOCKED// IP-INDEPENDENT FINGERPRINTING// <50MS DECISIONS// REAL-TIME DASHBOARD// RULES ENGINE// SECURITY SCANNER// NODE · PYTHON · GO

// For Vibe Coders

You ship fast. We keep it standing.

In vibe coding
you ship fast.
But forgot
to secure.

AI assistants write features, routes, and database queries in seconds. They don't add rate limiting, bot detection, or behavioral analysis by default. Every endpoint you ship is an open door until you close it.

// What AI doesn't add by default

✕Rate limiting on auth endpoints

✕Bot & crawler detection

✕Behavioral fingerprinting

✕Credential stuffing protection

✕OTP bombing prevention

✓GoGuard adds all of this in 3 lines

POST /api/login

You built a login endpoint.

No rate limit. No fingerprinting.

→ Bots hit it 10,000×/hr with leaked passwords.

✓

Blocked at fingerprint layer before your DB is touched.

POST /api/auth/otp

You shipped an OTP flow.

No per-device rate limiting.

→ Attackers send 500 OTP reqs/sec to scraped numbers.

✓

Rate-limited per behavioral fingerprint, not per IP.

POST /api/signup

You launched a signup page.

No behavioral analysis.

→ Bot farms create 10k fake accounts to drain your free tier.

✓

Device fingerprint reuse detected across email accounts.

GET /api/products

You exposed a data API.

No scraping detection.

→ A competitor scrapes your full catalog overnight.

✓

Sequential path traversal + timing patterns detected.

Add security to any AI-generated API in under 5 minutes. No infra changes. No security degree required.

Secure My API

[ DECISION LATENCY ]

< 50ms

Edge decision API with local LRU cache. 1500ms configurable timeout.

[ ATTACK TYPES DETECTED ]

Bots · Credential Stuffing · Scraping · OTP Bombing · Promo Abuse · ATO · Fake Signups · SQLi · XSS · SSRF · IDOR · and more

[ APP DOWNTIME RISK ]

ZERO

Fail-open design — Shield unreachable means every request is allowed, not dropped.

// How It Works

Request In. Verdict Out.

Every API call passes through 31 security checks — from input validation to behavioral analysis — before your handler sees it.

Step 01

Intercept

SDK intercepts every request and extracts signals — headers, body, IP, timing — then runs 31 security checks including SQLi, XSS, SSRF, bot detection, and more.

Step 02

Analyze

Decision engine scores the request using ML models, behavioral fingerprinting, IP reputation, rate limits, and your custom rules — all in parallel, under 50ms.

Step 03

Enforce

Threats are blocked or challenged before your code runs. Clean requests pass through. Everything streams to your dashboard, analytics, and alerts.

31 checks on every request include

SQL InjectionXSSSSRFIDORNoSQL InjectionBot DetectionCredential StuffingRate LimitingEmail FraudPhone FraudFingerprintingMass AssignmentResponse LeakOTP BombingPromo AbuseFake Signups+15 more

BLOCK403 before handler

CHALLENGEX-Shield header set

ALLOWPass to your code

// 31 SECURITY CHECKS

31 Security Checks.
One Platform.

[01]

Bot Networks

IP-independent fingerprint survives IP rotation across proxy pools and botnets.

[02]

Credential Stuffing

Same account targeted from many IPs; login failure rate per fingerprint exceeds threshold.

[03]

Scrapers

Regular request timing, sequential path traversal, high GET ratio, thin User-Agent diversity.

[04]

OTP Bombing

High OTP/SMS request rate per fingerprint in a rolling 1-hour window.

[05]

Promo Abuse

Same device fingerprint applying multiple promo codes or referral IDs.

[06]

Account Takeover

Password spraying pattern — many accounts, low attempts per account, spread across IPs.

[07]

Fake Signups

Same fingerprint creating multiple accounts with different emails in a short window.

[+]

Custom Rules

Define your own detection logic using any signal field via the Rules Engine in the dashboard.

// SDK — Platform Entry Point

3 Lines to Connect.
A Full Platform Behind It.

The SDK is your entry point into the GoGuard platform. Install it once — signals flow automatically into the decision engine, dashboard, analytics, and rules engine. No further instrumentation needed.

// 1. Install

$ npm install @goguard/node

// 2. Import and attach middleware

import express from 'express';

import { goguard } from '@goguard/node';

const app = express();

app.use(goguard({ apiKey: process.env.GOGUARD_API_KEY, mode: 'block' }));

// 3. Your routes are now protected

app.get('/api/login', (req, res) => { ... });

app.post('/api/signup', (req, res) => { ... });// bots auto-blocked

root@goguard:~#

// Verdict & fingerprint available in every route handler: req.goguardVerdict.action · req.goguardFingerprint · req.goguardRequestId

Fintech &
Authentication APIs.

Your login, signup, OTP, and payment endpoints are the primary targets. GoGuard sits in front of every request and terminates attacks before they ever count as a failed login attempt or trigger a fraud alert.

Credential Stuffing → blocked at fingerprint layer
OTP Bombing → rate-limited per device, not per IP
Promo / Referral Abuse → same fingerprint, many accounts

SaaS &
Data APIs.

Protect your data and pricing APIs from automated extraction. Shield detects scraping patterns — regular timing, sequential endpoint traversal, low header diversity — and terminates the session before data leaves your system.

Scrapers → behavioral timing & path sequence detection
Fake Signups → fingerprint reuse across email accounts
Bot Networks → IP-rotation-resistant fingerprinting

// SIMPLE PRICING

One plan. Full protection.

Monthly

$29$20/mo

Early Launch

Billed monthly

Get Started

What's included

31 security checks on every request
Node.js · Python · Go SDKs
ML threat scoring + custom rules
Real-time dashboard + analytics
Email support

YearlyBest Value

$240$199/yr

Save $41

vs monthly

$16.58/mo effective · billed annually

Get Started — Save 17%

Everything in Monthly, plus

31 security checks on every request
Node.js · Python · Go SDKs
ML threat scoring + custom rules
Security Scanner (code analysis)
Real-time dashboard + analytics
Slack / Webhook alerts
Priority email support

Enterprise

Custom

Dedicated infrastructure, SLA guarantees, and custom integrations.

Contact Sales

Everything in Yearly, plus

Unlimited decisions
Dedicated VPC deployment
Fail-closed mode available
SLA + 24/7 priority support
Custom integrations
Dedicated account manager

// OPERATOR LOG : 892.11.A

"We were losing thousands of dollars a month to credential stuffing on our login endpoint. After adding the Shield middleware, the attacks stopped in hours. The fingerprinting holds even when attackers cycle through residential proxies."

Sarah Jenkins

CTO, Nexus Financial

// OPERATOR LOG : 441.92.B

"Our promo system was being drained by bot farms using fresh email addresses. Shield's fingerprinting caught the device reuse across accounts within minutes. The custom rules engine let us tune the threshold without touching our codebase."

Dr. Marcus Chen

VP Engineering, HealthSync

System
Parameters.

Technical specifications and frequently asked questions about the GoGuard detection engine, SDK, and infrastructure.

GoGuard generates an IP-independent device fingerprint from header order, User-Agent, Accept headers, TLS signals, and request timing — all hashed into a single SHA-256 token. Because it is independent of IP address, it continues working even when attackers rotate IPs through proxies or botnets.

Stop Abuse.
Ship Faster.

Add GoGuard to your stack in under 30 minutes. No infrastructure changes. No security expertise required. Start blocking real attacks today.

Start Free Talk to Sales

APIAbuse.Stopped.

In vibe codingyou ship fast.But forgotto secure.