Introduction

Checkpoint provides comprehensive protection against AI agents and automated bots accessing your web applications. Whether you're protecting valuable content, preventing scraping, or managing how AI agents interact with your services, Checkpoint provides detection, enforcement, and governance tools.

How It Works

Checkpoint uses multiple detection methods to identify automated traffic:

User Agent Analysis — Identifies known agent signatures and patterns
TLS Fingerprinting — Analyzes TLS handshake characteristics unique to automated clients
Header Analysis — Inspects HTTP headers for automation signals
Behavioral Signals — Detects interaction patterns that differ from human users
Browser Fingerprinting — Identifies characteristics unique to automated browsers (client-side)

Choose Your Approach

Checkpoint operates in three modes that you can use independently or combine:

Detect

Passive identification of AI agents and bots. No traffic is blocked — detections are logged to your dashboard for analysis.

Best for: Understanding your traffic before enforcing, analytics teams, content monitoring.

Marketing Pixel — No-code script tag for any website
JavaScript Beacon — Full SDK with WebWorker support
Middleware (detect mode) — Server-side detection without enforcement

Enforce

Active detection plus enforcement. Detected agents are handled according to your policies — blocked, redirected, rate-limited, or challenged.

Best for: Protecting content, APIs, and application routes from unwanted automation.

Gateway — DNS-based enforcement at the edge (no code changes)
Middleware (enforce mode) — Code-level enforcement in Next.js or Express
Policies — Configure enforcement rules and thresholds

Govern (MCP-I)

Identity-based access control for AI agents using MCP-I (Model Context Protocol with Identity). Instead of blocking agents, grant them scoped, authenticated access.

Best for: API providers, SaaS platforms, and services that want to offer structured AI agent access.

Govern Overview — Architecture and quick start
Delegations — Scoped access grants
Tool Permissions — Per-tool authorization

Core Concepts

Detection Classes

Checkpoint classifies every request into one of four classes:

Class	Description
`human`	Regular browser traffic from a human user
`ai_agent`	AI assistants like ChatGPT, Claude, Perplexity, Gemini
`bot`	Traditional bots like Googlebot, Bingbot, scrapers
`incomplete_data`	Insufficient signals for confident classification

Confidence Scores

Each detection includes a confidence score from 0–100:

0–30 — Low confidence, likely noise
30–70 — Medium confidence, review manually
70–100 — High confidence, safe to enforce

Start by logging all detections, then use the Analyze tab to review confidence distributions before setting enforcement thresholds.

Privacy & Compliance

Checkpoint is designed with privacy in mind:

GDPR compliant
Respects Do Not Track headers
Configurable data retention
No PII collection by default
IP anonymization options
30-minute client-side session rotation

Quick Decision Guide

Not sure which integration to choose?

If you have...	Use this...	Mode
Next.js app	`@kya-os/agentshield-nextjs`	Detect or Enforce
Express/Node.js app	`@kya-os/agentshield-express`	Detect or Enforce
Any website (no code)	Gateway	Enforce
Static site or SPA	`@kya-os/agentshield-beacon`	Detect
WordPress/CMS	Marketing Pixel via GTM	Detect
AI agent API access	`@kya-os/bouncer-middleware`	Govern