Generic API integration
Evaluate protected transactions directly over HTTP when you cannot use the Node SDK.
When to use direct HTTP
Use direct API calls from a trusted server, worker, or edge runtime when the SDK is not available for your stack. The same key rules apply: secret keys stay server-side.
Use /api/evaluate when you want TxnShield to apply protected operations, policies, risk scoring, step-up, redaction, throttle, or deny. Use /api/events/ingest only when your app has already calculated a decision and only needs to record evidence.
No TxnShield SDK package is required for this path. Use your runtime's fetch API or your existing HTTP client.
Evaluate a test transaction
```bash
curl -X POST "$TXNSHIELD_API_BASE_URL/api/evaluate" \
  -H "authorization: Bearer $TXNSHIELD_SECRET_KEY" \
  -H "content-type: application/json" \
  --data '{
    "operationKey": "customer.read_pii",
    "actor": { "id": "user_123", "authenticated": true, "roles": ["support"] },
    "resource": { "type": "customer", "id": "cus_456" },
    "requestData": { "fields": ["email", "taxId"] }
  }'
```
Payload guidance
- Send stable identifiers rather than entire records.
- Use requestData and metadata for security-relevant shape, counts, and fields.
- The hosted API returns the decision, score, reasons, redaction, challenge, and telemetry id.
- Decision events are stored automatically when /api/evaluate succeeds.
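The same call from a server-side runtime using fetch, as an added example that is not TxnShield's own code: it builds the payload from identifiers and field names only and falls back to a local deny when no decision comes back. The `decision` response field name, the `"deny"` fallback value, the reason string, and the function names are assumptions of this example.

```javascript
// Added example, not TxnShield code. Assumed names: the "decision" response
// field, the local "deny" fallback value, and the reason string below.
const FAIL_CLOSED = { decision: "deny", reasons: ["evaluate_unavailable"] };

// Build the request from stable identifiers only; record values never leave the app.
function buildEvaluatePayload(operationKey, actor, record, fields) {
  return {
    operationKey,
    actor: { id: actor.id, authenticated: actor.authenticated === true, roles: actor.roles ?? [] },
    resource: { type: record.type, id: record.id },
    requestData: { fields: [...fields] }, // field names, not field contents
  };
}

async function evaluate(payload, opts = {}) {
  const {
    baseUrl = process.env.TXNSHIELD_API_BASE_URL,
    secretKey = process.env.TXNSHIELD_SECRET_KEY,
    fetchImpl = globalThis.fetch,
    timeoutMs = 3000,
  } = opts;
  // Secret keys stay server-side: refuse to run where a browser window exists.
  if (typeof window !== "undefined") throw new Error("evaluate() must run server-side");
  if (!baseUrl || !secretKey) throw new Error("TxnShield base URL or secret key not configured");
  try {
    const res = await fetchImpl(`${baseUrl}/api/evaluate`, {
      method: "POST",
      headers: { authorization: `Bearer ${secretKey}`, "content-type": "application/json" },
      body: JSON.stringify(payload),
      signal: AbortSignal.timeout(timeoutMs),
    });
    // Non-2xx: no usable decision, so the protected operation is not allowed.
    if (!res.ok) return { ...FAIL_CLOSED, status: res.status };
    const body = await res.json();
    // A 2xx body without a decision is treated as no decision at all.
    return typeof body.decision === "string" ? body : FAIL_CLOSED;
  } catch {
    return FAIL_CLOSED; // network error, timeout, or unparseable JSON
  }
}
```

Failing closed is a design choice of this example; the caller should only proceed with the protected operation on a decision it explicitly recognizes.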