Stop fake accounts. Protect real ones.

Castle's lightweight API lets you block large-scale bot attacks, fake signups, and account takeovers — all without the hassle of CAPTCHAs.

Invisibly shield your accounts from threats

Go beyond CAPTCHAs with a lightweight API that blocks large-scale human and bot-driven attacks using user identity, reputation, and behavior analysis.

  • Lightweight integration

    Integrate Castle as easily as adding a CAPTCHA, without routing all web traffic through a CDN.

  • Complete protection

    Prevent large-scale attacks, detecting both human and bot-driven account takeovers and fake signups.

  • No CAPTCHAs needed

    Leveraging user identity, reputation, and behavior, Castle blocks attackers without CAPTCHAs that can tip them off.

Sign up
Email
Password
Enter PIN code
Verification failed
73
Castle Risk Score
  • Robotic input
  • 3 accounts per device
  • Residential proxy
  • No internet history
  • Newly registered domain
Threat Intelligence

Stop any abuse with a single, unified API

Get comprehensive threat insights in real-time, eliminating the need for multiple, disconnected tools.

Response
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
{
  "id": "2V48MDnuMar9pvOOwulwK4BXui2",
  "type": "$login",
  "status": "$succeeded",
  "name": "Login Succeeded",
  "authenticated": true,
  "endpoint": "/v1/risk",
  "created_at": "2023-09-02T4:39:05.147Z",
  "properties": {
    "my_custom_property": 234
  },
  "device": {
    "fingerprint": "zhQ3YFvQTVOIP4EZWcMaNg",
    "user_agent": "CryptoKid iOS/2023.9.1 (2023.9.1) (iPhone15,3; iOS 16.6.1; Castle 3.0.7)",
    "name": "Adam's iPhone",
    "emulator": false,
    "rooted": false,
    "software": {
      "languages": ["en-us", "en", "ru-ru"],
      "type": "mobile_application",
      "name": "CryptoKid iOS",
      "version": { "major": "2023", "full": "2023.9.1" }
    },
    "timezone": {
      "offset": -420,
      "name": "America/New_York"
    },
    "os": {
      "name": "iOS",
      "version": { "major": "16", "full": "16.6.1" }
    },
    "hardware": {
      "type": "phone",
      "name": "iPhone",
      "brand": "Apple",
      "model": {
        "name": "iPhone 14 Pro Max",
        "code": "iPhone15,3"
      },
      "display": { "width": 430, "height": 932 }
    },
    "cellular": {
      "carrier": {
        "name": "Verizon Wireless",
        "country_code": "US"
      },
      "available": true
    },
    "wifi": { "available": true },
    "battery": {
      "charging_state": "unplugged",
      "level": 34
    },
    "location": {
      "accuracy": 20,
      "city": "Falls Church",
      "country_code": "US",
      "latitude": 38.8524,
      "longitude": -77.148
    },
    "screen": {
      "density": 3,
      "orientation": "portrait"
    },
    "memory": {
      "available": 345,
      "total": 5500
    },
    "storage": {
      "available": 2011,
      "total": 121943
    },
    "usage": {
      "screen_time": 10265,
      "uptime": 695312
    }
  },
  "scores": {
    "bot": { "score": 0.033 },
    "account_abuse": { "score": 0.27 },
    "account_takeover": { "score": 0.196 }
  },
  "ip": {
    "address": "108.18.100.121",
    "type": "ipv4",
    "asn": 701,
    "isp": {
      "name": "Verizon Fios",
      "organization": "Verizon Fios"
    },
    "location": {
      "city": "Falls Church",
      "country_code": "US",
      "region_code": "VA",
      "continent_code": "NA",
      "postal_code": "22042",
      "latitude": 38.8597,
      "longitude": -77.198
    },
    "privacy": {
      "anonymous": false,
      "datacenter": false,
      "proxy": false,
      "tor": false
    }
  },
  "email": {
    "normalized": "adam@castle.com",
    "domain": "castle.com",
    "disposable": false,
    "unreachable": false
  },
  "metrics": {
    "1": {
      "name": "Users per device fingerprint in 30d",
      "value": 5
    },
    "2": {
      "name": "Failed logins per IP in 1h",
      "value": 238
    },
    "3": {
      "name": "Average transaction amount per user",
      "value": 83.13
    }
  },
  "signals": {
    "impossible_travel": {},
    "credential_stuffing": {},
    "multiple_accounts_per_device": {},
    "new_device": {}
  },
  "policy": {
    "action": "deny",
    "name": "Block multi-accounting",
    "id": "3666300b-adc9-4a9a-9773-f6e692ed348d",
    "revision_id": "1d1e6f75-08ea-47ea-bb92-61d598c448e2"
  },
  "lists": [
    "blocked_ips",
    "trusted_devices"
  ],
  "list_items": [
    "8842e866-86e7-4f18-a023-edbf8cb91107",
    "42bc2f4d-64d1-4291-a77f-61c64bd410a0"
  ],
  "user": {
    "id": "7312",
    "registered_at": "2023-08-13T14:00:58.000Z",
    "name": "Adam Winter",
    "email": "adam@castle.com",
    "phone": "+11123456789",
    "traits": {
      "nationality": "PL",
      "organization_id": "789435"
    }
  },
  "sdks": {
    "client": {
      "name": "castle-web",
      "version": "2.1.8"
    }
  }
}
egesgesges

Built for scale

Our APIs process billions of monthly requests with resilience against severe bot attacks.

100ms response time

Fingerprinting, risk scores, and rules computed instantly in real-time.

Pay-as-you-go pricing

Transparent and predictable plans based on requests or MAU.

Analytics & Investigation

Uncover hidden abuse patterns proactively

Monitor, analyze, and alert on up to 18 months of historical data enriched with user and device intelligence to stop evolving abuse trends.

Pattern exploration

Uncover patterns in on login attacks, signup spam campaigns, and repetitive in-app transactions.

Network analysis

Spot interconnected users via shared devices, emails, IPs, payment methods, or addresses.

Session monitoring

Get a complete history of each user and company, down to individual page views and any custom actions.

Rule simulation

Test complex risk logic on historical data first, ensuring zero disruption to legitimate users.

Rules Engine

Turn analysis into action with a click

End inefficient workflows with seamless analysis-to-rules conversion. Block any abuse with custom rules built on rich data and real-time aggregations.

Fake Accounts

Weed out bad actors before or after signup

Segment out new accounts based on similarity to other accounts, bot behavior, and blocklists.

More about Fake Accounts
99
jake.smith2023+3@gmail.com
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
  • Suspicious IP
  • Users per Device (12)
  • Repetitive Email Pattern
  • Abuse-repored IP
74
jake.smith2023+2@gmail.com
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
  • Suspicious IP
43
lisa.lydje.92@gmail.com
Active 2 minutes ago
Thailand
Bangkok
  • Blocked Country
Account Takeovers

Identify both bots and human attacks

Use a combination of scores and heuristics to highlight suspicious or hijacked accounts.

More about Account Takeovers
99
stephc@gmail.com
Active 2 minutes ago
Malaysia
Kuala Lumpur
  • Credential Stuffing
  • New Device
  • Datacenter IP
  • Abuse-repored IP
74
steve.smith@yahoo.uk.co
Active 2 minutes ago
Mexico
Mexico City
  • New Device
  • New Country
  • Impossible Travel
64
johanb@hotmail.com
Active 2 minutes ago
Denmark
Copenhagen
  • Proxy IP
  • Users per Device (2)
Multi-Accounting

Only allow signing up once

Aggregate the number of accounts created per device, IP, or credit card and block when it exceeds a threshold.

More about Multi-Accounting
99
preben+11@webstore.dk
Active 2 minutes ago
Denmark
Copenhagen
  • Users per Device (13)
  • Users per Credit Card (7)
  • Users per IP (32)
63
preben+12@webstore.dk
Active 2 minutes ago
Denmark
Copenhagen
  • Users per Device (12)
  • Users per Credit Card (6)
  • Users per IP (31)
63
lee.sommers@hotmail.com
Active 2 minutes ago
Sweden
Stockholm
  • Users per Email (3)
Content Abuse

Block repetitive spam content

Customize logic based on the the number of content posts or messages per device and minute, and tune it with regex filters.

More about Content Abuse
99
johan@briss.net
Active 2 minutes ago
Sweden
Gothemburg
  • Bot Behavior
  • Content per IP (122)
  • Datacenter IP
94
monica.wu@gmail.com
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
  • Content per User 1h (33)
  • Proxy IP
45
tom.smith1981@altavista.com
Active 2 minutes ago
Thailand
Bangkok
  • Blocked Regex
SMS Pumping

Eliminate SMS verification abuse

Use a mix of bot detection and velocity signals to lock down spammy SMS fees with high precision

More about SMS Pumping
99
tina.spears@gmail.com
Active 2 minutes ago
Malaysia
Kuala Lumpur
  • Bot Behavior
  • Verifications per IP (48)
  • Users per Device (12)
96
bert.be12@fastmail.co
Active 2 minutes ago
Mexico
Mexico City
  • Bot Behavior
  • Verifications per IP (48)
23
johbr@hotmail.com
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
  • Blocked Phone Numbers
Account Sharing

Define account sharing your way

Uncovering account sharing requires granular controls to define the exact behavior that breaches your terms of services.

More about Account Sharing
97
info@ituniv.edu
Active 2 minutes ago
Nigeria
Abuja
42 Devices
  • Excessive Content Sharing
  • Impossible Travel
88
devops@datahog.io
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
23 Devices
  • Frequent Device Toggling
  • Bot Behavior
  • Proxy IP
73
mike@sweepcard.ai
Active 2 minutes ago
United States
Chicago
12 Devices
  • Frequent IP Toggling
  • Impossible Travel
Transaction Abuse

Stop card testing before the transaction

Implement velocity checks to prevent a transaction attempt from reaching your payment processor in the first place.

More about Transaction Abuse
99
sebastian.wallin@bachnet.com
Active 2 minutes ago
Germany
Berlin
  • Transactions per 1h (13)
  • Transactions per Card (21)
  • Users per Device (3)
78
gregory.greg@gmail.com
Active 2 minutes ago
United States
San Francisco
  • Transactions per 10m (5)
45
tom.smith1981@altavista.com
Active 2 minutes ago
Thailand
Bangkok
  • Blocked Credit Card
API Abuse

Headless API protection

Castle supports protection of endpoints where client-side code can't be injected, such as desktop apps or REST APIs

More about API Abuse
99
sebastian.wallin@bachnet.com
Active 2 minutes ago
Germany
Berlin
  • Request per IP (138)
  • Abuse-reported IP
  • Time Since Registration (39s)
78
gregory.greg@gmail.com
Active 2 minutes ago
United States
San Francisco
  • Request per User (18)
45
lisa.lydje.92@gmail.com
Active 2 minutes ago
Thailand
Bangkok
  • Blocked IP
Workflows & Automation

Scale abuse response with custom flows

Model custom security flows, blocklists, and trusted device management. Manage states across signup, login, transactions, and more – manually for investigations or automate actions with our rules engine. Empower users to report abuse and streamline your team's review processes.

State management

Maintain custom security lists (blocklists, allowlists, trusted devices, reviews, etc.) and update states in real-time based on rules and manual actions.

Inline blocking

Initiate real-time blocks or step-up verifications anywhere in your app without disrupting the user experience.

Alerts & notifications

Ensure your team stay informed with triggered Slack notifications, or automate end-user notifications or internal processes using granular webhooks.