Changelog

June 2026 — Public reason categories

Public reason codes are now middle-tier categories (e.g. ip_anonymizer, ip_reputation, velocity_ip) instead of detector-specific names like ip_tor_exit_node or velocity_ip_signups.
signals unchanged — use signals.ip.tor, signals.ip.vpn, etc. for advanced custom policies.
Dashboard assessments still show internal reason codes with weight and detail.

POST /v1/assess: ip is now optional. Send the end user's public IP for full network and velocity checks.
Loopback, private, and localhost values are accepted but not used for scoring. The response includes ip_provided and ip_status.
When no usable IP is available, signals.ip is omitted from the response.

The first public ShieldSignup release.

POST /v1/assess — risk-score a signup by email and IP. Returns verdict, score, reasons[], and a nested signals object covering email, IP, and velocity sources.
GET /v1/assess/:request_id — fetch a previously stored assessment. Does not deduct quota.
POST /v1/feedback — report a false_positive or false_negative for an assessment. One record per assessment (upsert).
GET /v1/usage — current monthly quota usage for the authenticated API key.

Email: email_disposable, email_no_mx, email_role_account, email_plus_alias, email_free_provider.
IP: ip_tor_exit_node, ip_datacenter, ip_high_abuse_score, ip_stopforumspam.
Velocity: velocity_ip_signups, velocity_domain_signups.

sk_test_… keys short-circuit to a deterministic fixture matched on the email local-part (allow@*, challenge@*, block@*, plus *@mailinator.com). Sandbox calls never deduct quota.

Free 1 rps / 1,000 monthly assessments.
Starter 10 rps / 10,000.
Pro 50 rps / 100,000.
Business 200 rps / 1,000,000 (sales-assisted).
3× burst budget on the per-second limit, 5-second sliding window.
Rate-limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-Quota-Used, X-Quota-Limit) on every successful response.