Cosantoir Docs
Developer DashboardStart integrating
Browse Documentation

Foundation

Getting Started

IntroductionQuickstartArchitectureTroubleshootingDeployment Models

Platform

Frameworks (SDK)

Next.jsExpressHonoBunDenoNestJSSvelteKitAstroFastifyNode.jsNuxtGoRustPython + FastAPIPython + FlaskReact Router & RemixSolid StartKoaAdonisJSElysia

Capabilities

Blueprints

Signup Abuse ProtectionGlobal Rate LimitingBot Fingerprinting

Product

Core Platform

Web AppDashboardSync CenterAccount Security

Developers

Developer Tools

CLISDKsMCP

API Reference

OverviewAuthenticationErrorsRate LimitsIntegrations API

Guides

Slack AutomationPagerDuty EscalationWebhook AutomationPolicy Profiles

Operations

Operations

Deployment ChecklistMonitoringIncident ResponseBackup and Restore

Business

Billing and Plans

Pricing OverviewInvoices and RefundsEnterprise Contracts
On This Page
Integration pathsRuntime modulesProduct surfacesRequired inputsWhat next
FoundationGetting Started

Start here, pick one path, and get to a working request faster.

Cosantoir protects live requests. If you are integrating traffic, start with the framework quickstart. If you are bootstrapping environments, use the CLI. If you need raw transport control, use the SDK. If you are exposing runtime context to agents, use MCP.

Open quickstartView all starting paths

Recommended start

Framework quickstart

Best for most users. Start with the framework guide that matches your app, set three values, and confirm a real decision receipt.

Next.jsExpressHonoPython + FastAPIGoRust

Transport control

Direct core SDK

Call the runtime layer yourself when middleware order and request timing belong to your code.

Operator bootstrap

CLI workflows

Issue credentials, select a site, and prepare environments from the terminal instead of the dashboard.

Agent access

MCP surfaces

Expose policy context and runtime metadata to agents without handing them the full system boundary.

Runtime signal map

Live contract
Framework, SDK, CLI, and MCP lanes all converge on the same contract line.
The visual center is the receipt loop: gateway, site, policy, and proof stay coupled.

Start in three moves

Keep it simple
01

Pick your path.

Most users should start with Quickstart. Use CLI, SDK, or MCP only when that is the real job.

02

Set the same three values everywhere.

The gateway URL, API key, and site id must match across your framework, CLI, SDK, and MCP surfaces.

03

Check a real receipt.

Confirm allow, deny, or budget behavior before you wire more pages or hand the system to operators.

Shared contract

COSANTOIR_GATEWAY_URL=http://localhost:4000
COSANTOIR_API_KEY=dp_live_example
COSANTOIR_SITE_ID=site_prod_web

If these do not match, the framework choice does not matter yet.

Start surfaces

Pick the path that matches the job in front of you.

Do not choose by aesthetics. Choose the surface that actually owns the request, the environment bootstrap, or the agent boundary.

Common starts

Start with a framework guide if you are wiring live traffic.

All framework guides

App Router / proxy

Next.js route handlers

Use the Next adapter when the runtime policy layer needs to live beside your route handlers, middleware, and edge-aware request flow.

Node server

Express middleware

Drop enforcement into an existing API server when routing, observability, and middleware order already belong to Express.

Fetch-native runtime

Hono middleware

Keep the request surface minimal when you want a Fetch-first adapter for edge and small-server deployments.

Next.jsExpressHonoPython + FastAPIGoRust

What exists

The runtime layer is six decision families, not one generic protection toggle.

Each module solves a distinct request-control job. The intro should name those jobs clearly so integration, billing, and incident response all use the same vocabulary.

Module

Request budgets

Define route-aware budgets, burst capacity, and retry windows for the traffic that costs money when it scales badly.

429 + Retry-After when the budget closes

Module

Shield WAF

Apply managed detections and custom expressions before bad traffic can reach the handlers that matter.

403 / challenge decisions at the request edge

Module

IP intelligence

Add geography, ASN, proxy, VPN, Tor, and network context to the decision model instead of treating every IP as equal.

Country, ASN, proxy, VPN, Tor signals

Module

Email validation

Score syntax, MX, domain posture, and disposable risk before the signup path turns into a cleanup project.

Syntax, MX, disposable, domain checks

Module

Signup protection

Combine abuse signals into a single decision for the highest-friction user path in the product.

Composite decision surface for onboarding

Module

Bot protection

Separate verified bots, automation fingerprints, and suspicious clients so the runtime policy does not guess blindly.

Fingerprint, verified bot, score-based control

Where it runs

The product splits into operator surface, control plane, runtime evaluator, and gateway edge.

That separation matters because it tells you where a policy lives, where the decision is made, where analytics are written, and which service owns the failure mode.

01

Surface

Docs and dashboard surface

Use the docs shell and dashboard surface as the operator-facing contract for setup, policy review, and runtime proof.

`apps/developer` and the public docs experience

02

Surface

Control-plane policy service

Handle tenancy, policy CRUD, analytics context, and usage state in the service that backs the developer-facing product.

`services/dev-protection`

03

Surface

Runtime evaluator

Make the live allow, deny, challenge, and budget decisions in the service that sits directly on the request path.

`services/dev-eval`

04

Surface

Gateway and routing edge

Preserve the public contract while steering auth and developer traffic to the correct upstream systems.

`services/api-gateway` when routing or auth boundaries shift

What it needs

Three values have to match before anything else matters.

Set these first. If they are wrong, the rest of the integration will be noisy and misleading.

Shared contract

COSANTOIR_GATEWAY_URL=http://localhost:4000
COSANTOIR_API_KEY=dp_live_example
COSANTOIR_SITE_ID=site_prod_web

Gateway base URL

Point the SDK at the gateway or deployed API origin that fronts the runtime evaluation endpoints.

`COSANTOIR_GATEWAY_URL=http://localhost:4000`

Runtime API key

Use a key scoped to the modules you actually call so the integration path stays explicit and auditable.

`COSANTOIR_API_KEY=dp_live_example`

Site id

Map traffic into the correct policy set so the control plane, analytics, and runtime evaluator stay in agreement.

`COSANTOIR_SITE_ID=site_prod_web`

Continue

After the intro, go straight to the page that matches the task.

The introduction should orient you. The next page should help you finish the job.

Wire it

Quickstart

Install the SDK, wire credentials, and protect a real request path with the adapter that matches your runtime.

/docs/getting-started/quickstart

Map it

Architecture

Read the control-plane, runtime-plane, and SDK-layer split before you start moving traffic or debugging receipts.

/docs/getting-started/architecture

Call it

API overview

Use the public API surface when you need exact contract language, auth behavior, and response semantics.

/docs/api-reference/overview

Operate it

Monitoring

Go straight to the operational pages once the system is live and you need to explain what the runtime actually did.

/docs/operations/monitoring

Last updated Mar 24, 2026