Checkpoint Docs

Choose Your Integration

Pick the right Checkpoint integration for your stack — Detect traffic, Enforce policies, or Govern AI agent access

Checkpoint offers three approaches to managing AI agent traffic: Detect (observe), Enforce (block), and Govern (authorize). You can start with one and layer on more as your needs evolve — most integrations take under 10 lines of code.

All Methods at a Glance

MethodPillarIntegrationLatencyBest For
Marketing PixelDetectScript tag / GTMAsyncNo-code, marketing teams
Beacon SDKDetectnpm< 5 msSPAs, static sites
GatewayDetect + EnforceDNS CNAME~1–5 msAny origin, zero code changes
MiddlewareDetect + Enforcenpm (Next.js / Express)~5–10 msServer-side, auth routes
MCP-IGovernDashboard or self-hostIn-processAPI providers, SaaS platforms

Detect — Understand Your Traffic

Start here. Detect mode logs AI agent visits without blocking anything — zero risk, instant visibility.

MethodHow It WorksCoverageSetup
Marketing PixelGTM tag fires on page load~85%No code — GTM only
Beacon SDKnpm package with WebWorker offloading~95%npm install + 3 lines
Middleware (detect mode)Server-side analysis, logging only~98%npm install + middleware config
Gateway (detect mode)DNS-level inspection, logging only~98%DNS CNAME change

Enforce — Protect Your Application

Enforcement lets you block, challenge, or rate-limit AI agents based on policies you define in the dashboard.

Gateway

DNS CNAME — zero application code

  • Works with any origin (Node, Python, Go, static)
  • Edge enforcement at ~1–5 ms
  • No deploy required to update policies

Gateway setup guide →

Middleware

npm package — full server-side control

  • Next.js and Express SDKs
  • Access to auth, session, and request context
  • Custom response logic per route

Middleware setup guide →

Both methods share the same policy configuration — switch from detect to enforce by changing a single setting.

Govern — Authorize Verified AI Agents

Govern is for API providers and SaaS platforms that want to give verified AI agents controlled access instead of blocking them outright. Powered by the MCP-I protocol, it lets you define what agents can do, how they authenticate, and what data they can reach.

Auth MethodUse Case
Consent OnlyLow-risk public data — agent agrees to terms
OAuthDelegated access with scoped permissions
CustomYour existing auth system (API keys, JWTs)
CredentialsService-to-service with shared secrets

Deploy via one-click in the Dashboard or self-host for full control. See the migration guide if you already have an MCP server.

Choose by Scenario

Goal: See which AI agents are visiting your site.

Recommended: Marketing Pixel or Gateway (detect mode)

The Pixel deploys through GTM with no code changes. If you want coverage for non-JS agents too, point your DNS at the Gateway instead. Both feed into the same dashboard.

Pixel setup → · Gateway setup →

Goal: Detect and block AI agents on server-rendered routes.

Recommended: Middleware (enforce mode) + Beacon for client-side coverage

Middleware protects server routes and API endpoints. Add Beacon on the client for browser-fingerprint signals. Together they cover ~99% of agent traffic.

Middleware setup → · Beacon setup →

Goal: Protect API endpoints from unauthorized AI scraping.

Recommended: Gateway or Express Middleware

Gateway works with any backend language via DNS — no SDK needed. If you run Express/Node, the middleware gives you per-route control with access to request context.

Gateway setup → · Middleware setup →

Goal: Let verified AI agents access your platform on your terms.

Recommended: Govern (MCP-I) + Middleware or Gateway for enforcement

Govern handles agent identity, consent, and scoped permissions. Pair it with enforcement so unverified agents are blocked while approved agents get structured access.

Govern overview → · Deployment guide →

Goal: Maximum coverage with multi-layer defense.

Recommended: Gateway + Middleware + Govern

Gateway catches traffic at the edge. Middleware adds server-side analysis with auth context. Govern provides identity verification for approved agents. All three report to the same dashboard with automatic deduplication.

Gateway setup → · Middleware setup → · Govern overview →

Progressive Adoption

Most teams start with Detect to understand their AI agent traffic — the Pixel or Beacon takes minutes to deploy and carries no risk. Once you see what's hitting your site, switch to Enforce to block unwanted agents. The upgrade is a config change, not a new integration: flip your middleware or gateway from detect to enforce mode and define your policies in the dashboard.

When you're ready to go further, Govern lets you move from "block everything" to "authorize the right agents." Verified agents authenticate, agree to terms, and access only what you permit — turning adversarial traffic into a controlled channel.

Quick Reference

If you want to...Use thisLink
See AI traffic with no code changesMarketing PixelSetup →
Detect agents in a SPA or static siteBeacon SDKSetup →
Block agents at the edge (any backend)GatewaySetup →
Block agents in Next.js or ExpressMiddlewareSetup →
Define block/allow rulesPoliciesConfigure →
Let verified agents access your APIGovern (MCP-I)Overview →
Deploy an MCP-I serverGovern DeploymentGuide →
Migrate an existing MCP serverGovern MigrationGuide →

Methods are composable. You can run Pixel, Middleware, and Govern simultaneously — they share the same dashboard and detections are automatically deduplicated.

Next Steps

  • Quick Start — Deploy your first integration in 5 minutes
  • Detect — Deep dive into detection methods
  • Enforce — Set up active enforcement
  • Govern — Authorize AI agents with MCP-I
  • Dashboard — Monitor and analyze agent traffic

Quick Start

Get Checkpoint running in 5 minutes

Detect

AI agent detection methods — Pixel, Beacon, Middleware, and Gateway

On this page

All Methods at a GlanceDetect — Understand Your TrafficEnforce — Protect Your ApplicationGovern — Authorize Verified AI AgentsChoose by ScenarioProgressive AdoptionQuick ReferenceNext Steps