Foundation / Getting Started
Developer protection product boundary, modules, and integration path.
Browse Documentation
Foundation
Product
Core Platform
Developers
Developer Tooling
Operations
Business
Billing and Plans
On This Page
No section anchors
# Introduction
Cosantoir Developer Protection gives application teams one runtime layer for request budgets, WAF decisions, IP intelligence, email validation, signup risk, bot protection, and billable SaaS usage attribution.
## Runtime Modules
- Rate limiting for request budgets, bursts, and route-aware keys.
- Shield WAF for managed detections and custom expressions.
- IP intelligence for geography, ASN, proxy, VPN, and Tor signals.
- Email validation for syntax, domain, disposable, and MX checks.
- Signup protection for combined abuse decisions.
- Bot protection for fingerprinting, verified bots, and scoring.
## Product Surfaces
1. apps/developer for docs, the runtime control room, and the official console surface.
2. services/dev-protection for control-plane policy CRUD, tenancy, decision logs, usage, and analytics.
3. services/dev-eval for runtime evaluation of the protection modules.
4. services/api-gateway when auth or routing changes are required for developer API traffic.
## Integration Model
- Use the framework package directly when one matches your JavaScript stack: @cosantoir/next, @cosantoir/express, @cosantoir/hono, @cosantoir/fastify, @cosantoir/bun, @cosantoir/deno, @cosantoir/nestjs, or @cosantoir/sveltekit.
- Use github.com/cosantoir/cosantoir-go for Go services.
- Use the cosantoir Python package for FastAPI, Flask, workers, and Python services.
- Use the cosantoir Rust crate for Axum, Actix, workers, and Rust services.
- Use @cosantoir/node for direct runtime calls or custom adapters.
- Any other service can call the runtime backend contract directly when you are not using an SDK package.
- Google Cloud Run works cleanly with the backend contract because the runtime only needs a runtime API key and the request context your app already has.
## Required Inputs
- A runtime API key scoped to the modules you intend to call. This identifies the billable workspace, project, site, environment, and policy set behind the request.
- Optional advanced overrides only when you are testing a local API origin or using bearer auth in an internal multi-site tool.
- A stable application userId per request when you want SaaS-user attribution, quota buckets, and audit trails to point back to your own customer or tenant.
> For the actual install and framework examples, continue with Quickstart.