Protect other in-app endpoints

Using Castle to protect additional in-application user events


You will need a Castle account and an instance of the Castle SDK configured with your Castle API Secret for the applicable environment.

You can sign up for a free Castle account at


The following steps serve as a rough guide to using Castle for additional in-app endpoints. Refer to our other guides linked above for a detailed explanation of the topics below.

  1. Install Castle Fingerprinting
  2. Send Events to Castle
  • events to /authenticate (synchronous) for risk scoring
  • events to /track (async) for informative purposes (such as traffic analysis and user feedback)
  1. Configure Policies
  2. Use Webhooks

Supported events

Events to evaluate with Castle (/authenticate)

  • $profile_update.succeeded
  • $password_reset_request.succeeded
  • $transaction.attempted
  • $challenge.requested

Feedback-only events (/track)

  • $challenge.succeeded
  • $password_reset.succeeded


Castle can protect additional in-app endpoints beyond logins and registrations. Here is the list of events that we officially support. The most common events used beyond logins and registrations are listed above.