Docs

The Acrossed API exposes a single hot endpoint: POST /check. Every request is HMAC-SHA-256 signed.

1. Install the SDK

npm install acrossed

2. Check a request

import { createClient } from "acrossed";

const ack = createClient({
  apiKey:        process.env.ACROSSED_KEY!,
  signingSecret: process.env.ACROSSED_SECRET!,
});

const result = await ack.checkRequest({
  ip: "1.2.3.4",
  method: "POST",
  path: "/login",
  headers: { "x-auth-token": "abc" },
});

if (result.decision === "deny") return res.status(403).end();

3. Rule shape

{
  "id": "login-throttle",
  "priority": 10,
  "match": { "path": "/login" },
  "ip_block": ["1.2.3.4"],
  "country_allow": ["US","DE"],
  "require_header": "x-auth-token",
  "limit": { "requests": 5, "window": "1m", "by": "ip" }
}

4. Wire format

If you sign requests yourself, the canonical signing string is `${timestamp}.${rawBody}` and the signature is hex(HMAC-SHA-256). Timestamps older than 10 seconds are rejected.