Runtime credentials required

Ship the rule. Read the verdict. Keep the route.

Cosantoir keeps runtime policy, request scoring, and operator review in one surface. The public pages read like the product itself because the route, the contract, and the follow-up stay aligned.

6 runtime modules online

api.cosantoir.com: active gateway target

One decision path across code, runtime, and review

01

Route-level policy authoring

No shell drift. The route you ship is the route the product talks about.

02

Production-first vocabulary

Request, verdict, policy, trace. The copy stays blunt because the product is operational.

03

Operators stay inside the same evidence

Support and security do not need screenshots from a second system to understand the event.

AdonisJS, Astro, Bun, Deno, Elysia, Express, Fastify, Go, Google Cloud Run, Hono, Koa, NestJS, Next.js, Node.js, Nuxt, Python, React Router, Remix, Rust, SolidStart, SvelteKit

Runtime authorization for AI features

security as code

Runtime IDE
Tech stack: Node.js
Defense: Custom filters
Official package
server.ts (/app/runtime/server.ts)
// Create rules with custom expressions running against inbound request data, such as IP address, user agent, session, request payload, or geo context.
import http from "node:http";
import { createCosantoir } from "@cosantoir/node";

const cosantoir = createCosantoir({
  apiKey: process.env.COSANTOIR_API_KEY!,
});

const server = http.createServer(async (req, res) => {
  // X-Forwarded-For is client-controlled unless a trusted proxy sets it.
  // When the header is absent, key on the socket peer address instead of a shared constant.
  const ip = String(req.headers["x-forwarded-for"] ?? req.socket.remoteAddress ?? "127.0.0.1").split(",")[0].trim();
  const rateLimit = await cosantoir.rateLimit.consume({
    ip,
    method: req.method ?? "GET",
    path: req.url ?? "/",
    // x-user-id is read straight from a request header here, so the caller chooses it.
    userId: String(req.headers["x-user-id"] ?? "anonymous"),
  });

  // Over budget: answer 429 and tell the client how long to wait.
  if (rateLimit.result.exceeded) {
    res.writeHead(429, { "retry-after": String(rateLimit.result.retryAfterSeconds ?? 1) });
    res.end("rate limited");
    return;
  }

  res.end("ok");
});

server.listen(3000);
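
The sample above keys the request budget on the leftmost X-Forwarded-For entry, which is whatever the caller sent. The following is an added example, not Cosantoir's code: one way to pick the rate-limit IP by counting the reverse proxies you operate. `clientIp`, `looksLikeIp`, `leftmostEntry` and the hop count are assumptions made for illustration.

```typescript
// Added example, not Cosantoir code. All names here are illustrative.
type HeaderValue = string | string[] | undefined;

// Loose shape checks so junk header text never becomes a bucket key.
const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
const IPV6 = /^[0-9a-f:.]{2,45}$/i;

function looksLikeIp(value: string): boolean {
  return IPV4.test(value) || (value.includes(":") && IPV6.test(value));
}

// socketAddr:  peer address of the TCP connection (not taken from any header).
// xff:         raw X-Forwarded-For header value.
// trustedHops: number of reverse proxies you operate in front of the app
//              (assumption: each one appends the address it saw).
function clientIp(socketAddr: string, xff: HeaderValue, trustedHops: number): string {
  // Directly exposed service: the header is entirely caller-supplied, ignore it.
  if (trustedHops <= 0) return socketAddr;

  const raw = Array.isArray(xff) ? xff.join(",") : (xff ?? "");
  const chain = raw.split(",").map((part) => part.trim()).filter((part) => part !== "");

  // Entries to the left of this index were written before the request
  // reached the first trusted proxy, so they are not evidence of anything.
  const index = chain.length - trustedHops;
  if (index < 0) return socketAddr; // request did not pass through every proxy

  const candidate = chain[index];
  return candidate !== undefined && looksLikeIp(candidate) ? candidate : socketAddr;
}

// What taking the first entry returns, kept for side-by-side comparison.
function leftmostEntry(xff: string): string {
  return (xff.split(",")[0] ?? "").trim();
}
```

With one trusted proxy and a header of `198.51.100.23, 203.0.113.7` (constructed values), `leftmostEntry` yields the caller-chosen `198.51.100.23`, while `clientIp` yields `203.0.113.7`, the address the proxy actually saw.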

Operating model

One contract across code, runtime, and review.

The product is shaped around live request handling, abuse pressure, and follow-through after the verdict. That is why the page rhythm is directional instead of decorative.

01

Author at the route.

Set budgets, signup rules, bot posture, and IP policy where engineering already ships logic.

02

Resolve one runtime decision.

Rate limits, WAF, email risk, and abuse scoring collapse into the same contract instead of separate products.

03

Read the exact trace later.

Support, platform, and security inspect the same request path, policy version, and verdict after the event.

04

Tune without guesswork.

Operators adjust policy against the evidence that actually triggered in production.

Module surfaces

Runtime modules, not marketing boxes.

Each module fits the same product language: protect the route, stamp the verdict, surface the reason.

/v1/dev/rate-limit/consume

Rate limiting

Request budgets per path, IP, or IP plus user.

Backend live

runtime surface 1

/v1/dev/waf/evaluate

Shield WAF

Managed attack signatures plus custom rules.

Backend live

runtime surface 2

/v1/dev/ip/lookup

IP intelligence

Reputation, VPN or proxy or Tor signals, and geo or ASN context.

Backend live

runtime surface 3

/v1/dev/email/validate

Email validation

Syntax, domain, disposable, and MX-aware mailbox screening.

Backend live

runtime surface 4

/v1/dev/signup/evaluate

Signup protection

One decision path combining rate limits, IP, email, and request heuristics.

Backend live

runtime surface 5

/v1/dev/bot/evaluate

Bot protection

Fingerprint reuse, verified bots, and challenge-or-block decisions.

Backend live

runtime surface 6