Enforce
Active AI agent enforcement via Gateway (DNS) or Middleware (code)
What is Enforce?
Checkpoint Enforce provides active AI agent enforcement for your web applications. Unlike Detect, which passively identifies agents, Enforce detects agents and applies policies: blocking, redirecting, challenging, or logging traffic based on configurable rules.
Enforce includes detection by default. When you enable Enforce, you get everything Detect offers plus policy-based actions.
Two Deployment Options
Checkpoint offers two enforcement approaches. Choose one or use both depending on your infrastructure.
Gateway (DNS-Based)
Route traffic through Checkpoint's edge network by updating a DNS record. Zero code changes required.
User Request → DNS (CNAME) → Checkpoint Gateway → Detect + Enforce → Your Origin
↓
Dashboard Analytics
- Runs at the Cloudflare edge with WASM-based detection
- ~1–5ms detection latency
- Supports custom domains and SSL
- No application code changes
- Set up Gateway →
Middleware (Code-Based)
Add detection and enforcement directly in your application code using npm packages.
User Request → Your Server → Middleware → Detect + Enforce → Route Handler
↓
Dashboard Analytics
- Server-side detection in Next.js or Express
- ~5–10ms detection latency
- Full control over enforcement behavior
- Customizable responses
- Set up Middleware →
Comparison
| Feature | Gateway | Middleware | Detect-only |
|---|---|---|---|
| Detection | Yes | Yes | Yes |
| Policy enforcement | Yes | Yes | No |
| Code changes | None (DNS only) | npm package | npm package / script tag |
| Latency | ~1–5ms (edge) | ~5–10ms (server) | Varies |
| Custom domains | Yes | N/A | N/A |
| Response customization | Via policies | Full control | N/A |
| ChatGPT signature verification | Yes | Yes | No |
| WASM detection | Yes (edge) | No | No |
Key Features
Policy Enforcement
Define rules that determine how to handle detected agents:
- Allow — Let the request through (log only)
- Block — Return a 403 response
- Redirect — Send the agent to a different URL
- Challenge — Present a verification challenge
- Log — Record the detection without taking action
ChatGPT Signature Verification
Checkpoint verifies Ed25519 HTTP Message Signatures (RFC 9421) from ChatGPT and other agents that cryptographically identify themselves. When a valid signature is present, detection confidence is 100%.
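The verification step described above, as an added example (not Checkpoint's code or the AgentShield package API): it rebuilds the RFC 9421 signature base, checks the Ed25519 signature, and rejects stale or unparsable signatures. The function names, the request object shape, the `sig1` label, the 300-second age limit and the locally generated key are assumptions; a production verifier needs a full structured-field parser and a trusted key lookup by `keyid`.

```javascript
const crypto = require('node:crypto');

// Resolve a covered component (subset: three derived components plus plain header fields).
function componentValue(name, req) {
  if (name === '@method') return req.method.toUpperCase();
  if (name === '@authority') return req.authority.toLowerCase();
  if (name === '@path') return req.path;
  if (name.startsWith('@')) throw new Error(`unsupported component ${name}`);
  if (req.headers[name] === undefined) throw new Error(`covered header ${name} is missing`);
  return req.headers[name].trim();
}

// RFC 9421 signature base: one line per covered component, then the "@signature-params" line.
function signatureBase(params, req) {
  const list = /^\(([^)]*)\)/.exec(params);
  if (!list) throw new Error('malformed Signature-Input');
  const names = list[1].split(' ').filter(Boolean).map((n) => n.replace(/"/g, ''));
  const lines = names.map((n) => `"${n}": ${componentValue(n, req)}`);
  return [...lines, `"@signature-params": ${params}`].join('\n');
}

// Returns true only if the signature verifies AND the created/expires window holds.
function verifyRequest(req, publicKey, now = Math.floor(Date.now() / 1000), maxAge = 300) {
  try {
    const input = /^sig1=(.+)$/.exec(req.headers['signature-input'] || '');
    const sig = /^sig1=:([A-Za-z0-9+/=]+):$/.exec(req.headers['signature'] || '');
    if (!input || !sig) return false;
    const created = Number((/;created=(\d+)/.exec(input[1]) || [])[1]);
    const expires = Number((/;expires=(\d+)/.exec(input[1]) || [])[1]);
    if (!Number.isInteger(created) || created > now + 60 || now - created > maxAge) return false;
    if (Number.isInteger(expires) && now > expires) return false;
    const base = Buffer.from(signatureBase(input[1], req));
    return crypto.verify(null, base, publicKey, Buffer.from(sig[1], 'base64'));
  } catch {
    return false; // fail closed: unparsable input is treated as unsigned
  }
}

// Constructed sample: a locally generated key and a self-signed request, not real agent traffic.
function signedSample(created) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const params = `("@method" "@authority" "@path");created=${created};keyid="example-key";alg="ed25519"`;
  const req = { method: 'GET', authority: 'shop.example', path: '/products', headers: {} };
  const sig = crypto.sign(null, Buffer.from(signatureBase(params, req)), privateKey);
  req.headers['signature-input'] = `sig1=${params}`;
  req.headers['signature'] = `sig1=:${sig.toString('base64')}:`;
  return { req, publicKey };
}
```

Because the path is a covered component, replaying the same signature against a different path fails verification, and the `created` check bounds how long a captured request stays replayable.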
Detection Classes
Every request is classified as one of:
| Class | Description |
|---|---|
| human | Regular browser traffic |
| ai_agent | AI assistants (ChatGPT, Claude, Perplexity) |
| bot | Web crawlers and scrapers (Googlebot, Bingbot) |
| incomplete_data | Insufficient signals for classification |
Confidence Scores
Detection returns a confidence score from 0–100. Policies can use confidence thresholds to fine-tune enforcement — for example, only blocking requests with confidence above 80.
Quick Start
For the fastest setup with no code changes, use the Gateway. For full control within your application, use Middleware.
Gateway Quick Start
- Go to Project Settings → Enforce in the dashboard
- Click Add Gateway
- Add the DNS record shown (CNAME to detect.checkpoint-gateway.ai)
- Wait for verification to complete
- Configure your policies
Middleware Quick Start
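```bash
npm install @kya-os/agentshield-nextjs
```

```ts
// middleware.ts (Next.js)
import { withAgentShield } from '@kya-os/agentshield-nextjs/api-middleware';

export default withAgentShield({
  // Read the API key from the environment rather than hard-coding it
  apiKey: process.env.AGENTSHIELD_API_KEY,
});

export const config = {
  // Run on every path except Next.js static assets, optimized images and the favicon
  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
};
```

Health & Monitoring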
The Gateway exposes health endpoints for monitoring:
```
GET /__gateway/health   → Health status
GET /__gateway/ready    → Readiness probe
GET /__gateway/version  → Version and region info
```

Next Steps
- Gateway Enforcement — DNS-based setup with zero code changes
- Middleware Enforcement — Next.js and Express integration
- Policies — Configure enforcement rules
- Detection in Enforce Mode — How detection works at the edge
- Monitoring — Health checks and performance metrics