Your front door needs a bouncer.
Score every login attempt in real time and return the right decision instantly.
Real-time risk analysis
Every login attempt gets a 0–100 risk score. The current defaults split scores into four action bands; duplicate request_id values skip scoring and return REJECT immediately. In the RATE_LIMIT band, for example, traffic is risky enough to slow down: Bouncer recommends throttling the request while preserving visibility into the event stream.
How it works
One request in, local enrichment, one Redis round-trip, then a deterministic response. Postgres stays off the hot path and is only used asynchronously when configured.
1. Caller: your auth service sends a login event to POST /evaluate.
2. HTTP Handler: validates fields, rejects unknown JSON, stamps the receive time.
3. Engine: enriches locally, reads hot state, scores, and maps thresholds to an action.
4. Response: returns score, action, reasons, and optionally queues persistence.
Example request to POST /evaluate:
{
  "client_ip": "203.0.113.42",
  "account_id": "usr_8294",
  "request_id": "req_abc123",
  "auth_flow": "password",
  "result": "FAILURE",
  "failure_reason": "BAD_PASSWORD",
  "user_agent_raw": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)",
  "integrity_attestation": "PASS"
}
Example response:
{
  "risk_score": 75,
  "action": "RATE_LIMIT",
  "reasons": ["credential_stuffing", "ip_velocity"],
  "request_id": "req_abc123"
}
Security Alerts
alertd is a separate process that reads persisted engine decisions and detects attack patterns in real time. It never touches the scoring hot path and delivers HMAC-signed webhook alerts to your security team.
Correlates high-risk requests from the same IP prefix across multiple accounts inside a sliding window.
Tracks repeated failures and escalation actions against the same account with immediate admin-targeted alerting.
Fires on suspicious successful logins after recent failures when combined with new-device, impossible-travel, or bad-IP signals.
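The first alert pattern above (high-risk decisions from one IP prefix spread across several accounts inside a sliding window), as an added Go example that is not alertd's own code: the /24 and /48 grouping, the RATE_LIMIT-or-BLOCK definition of "high risk", the window length, the account threshold and the sample decisions are all assumptions constructed for the illustration, and the real alertd reads persisted decisions rather than in-memory values.

```go
package main

import (
	"net/netip"
	"sort"
	"time"
)

// Decision is the slice of a persisted engine decision that this detector reads.
type Decision struct {
	ClientIP  string
	AccountID string
	Action    string
	At        time.Time
}

// Alert is what would be serialized into the signed webhook payload.
type Alert struct {
	Prefix    string
	Accounts  []string
	Sightings int
}

// Correlator keeps the high-risk sightings per IP prefix inside a sliding
// window and fires once per window when they span enough distinct accounts.
type Correlator struct {
	Window      time.Duration
	MinAccounts int
	byPrefix    map[netip.Prefix][]Decision
	fired       map[netip.Prefix]time.Time
}

func NewCorrelator(window time.Duration, minAccounts int) *Correlator {
	return &Correlator{
		Window:      window,
		MinAccounts: minAccounts,
		byPrefix:    map[netip.Prefix][]Decision{},
		fired:       map[netip.Prefix]time.Time{},
	}
}

// prefixOf groups addresses by /24 for IPv4 and /48 for IPv6 (both assumed).
func prefixOf(ip string) (netip.Prefix, bool) {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return netip.Prefix{}, false
	}
	bits := 24
	if addr.Is6() {
		bits = 48
	}
	p, err := addr.Prefix(bits)
	return p, err == nil
}

// Observe ingests one decision in arrival order and returns an Alert when the
// prefix crosses the account threshold; nil otherwise.
func (c *Correlator) Observe(d Decision) *Alert {
	if d.Action != "RATE_LIMIT" && d.Action != "BLOCK" { // "high risk" assumed as the two escalating bands
		return nil
	}
	p, ok := prefixOf(d.ClientIP)
	if !ok {
		return nil
	}
	kept := c.byPrefix[p][:0] // in-place filter: drop sightings older than the window
	for _, old := range c.byPrefix[p] {
		if d.At.Sub(old.At) < c.Window {
			kept = append(kept, old)
		}
	}
	kept = append(kept, d)
	c.byPrefix[p] = kept
	accounts := map[string]struct{}{}
	for _, s := range kept {
		accounts[s.AccountID] = struct{}{}
	}
	if len(accounts) < c.MinAccounts {
		return nil
	}
	if last, ok := c.fired[p]; ok && d.At.Sub(last) < c.Window {
		return nil // already alerted for this prefix inside the window
	}
	c.fired[p] = d.At
	names := make([]string, 0, len(accounts))
	for a := range accounts {
		names = append(names, a)
	}
	sort.Strings(names)
	return &Alert{Prefix: p.String(), Accounts: names, Sightings: len(kept)}
}
```

Feeding decisions in timestamp order matters: the window is evaluated against the newest decision's time, so out-of-order replay from storage would need a sort first. Suppressing repeat alerts per prefix per window keeps a long-running attack from flooding the webhook while the first alert still stands.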
What ships in the current engine
The website now reflects the code in this repository: a Go service with a Redis-backed hot path and optional Postgres persistence.
Strict HTTP Evaluation API
Expose POST /evaluate and GET /healthz with strict JSON decoding, loopback-first defaults, request-size limits, and server-stamped receive time.
Signed Device Identity
Accept first-party device IDs only when they are HMAC-signed. Normalize trusted device tokens before scoring and persistence.
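Issuing and verifying an HMAC-signed device token before a device ID is trusted for scoring, as an added Go example that is not the engine's code: the "<device_id>.<base64url tag>" token layout, the whitespace-trim normalization and the secret are assumptions, since the page does not describe the real token format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// Token layout assumed for this example (the page does not give the real one):
// "<device_id>.<base64url(HMAC-SHA256(secret, device_id))>".

// SignDeviceID mints a first-party token for a device ID the service generated.
func SignDeviceID(secret []byte, deviceID string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(deviceID))
	return deviceID + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// VerifyDeviceToken returns the device ID only when the tag verifies under the
// shared secret. A bare, malformed or forged token yields ok=false, so the
// caller scores the request as coming from an unknown device.
func VerifyDeviceToken(secret []byte, token string) (deviceID string, ok bool) {
	token = strings.TrimSpace(token) // normalization assumed: surrounding whitespace only
	id, tag, found := strings.Cut(token, ".")
	if !found || id == "" || tag == "" {
		return "", false
	}
	got, err := base64.RawURLEncoding.DecodeString(tag)
	if err != nil {
		return "", false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(id))
	if !hmac.Equal(mac.Sum(nil), got) { // constant-time comparison
		return "", false
	}
	return id, true
}
```

The point of the signature is that a client cannot present an arbitrary device ID and inherit another device's trust: only IDs the service minted verify, and an unsigned or tampered value is treated as no device at all rather than as a new trusted one.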
Local Enrichment
Derive IP prefix, country, ASN type, and user-agent facts locally. No outbound calls happen during scoring, and GeoIP remains optional.
Hot State Tracking
Use one in-memory round-trip to dedupe requests, update counters, track last-seen state, and feed the scoring model on the hot path.
Action Bands That Match Production
Return ALLOW, STEP_UP, RATE_LIMIT, or BLOCK from a 0–100 score, and return REJECT for duplicate request_id values inside the dedupe window.
Optional Durable Pipeline
Bouncer can write audit rows, login events, device registry state, and account baselines asynchronously after scoring — only when configured.
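The evaluate path described under Strict HTTP Evaluation API, Hot State Tracking and Action Bands above, as an added Go example that is not the engine's code: the 64 KiB body limit, the band cut-offs and the in-memory map standing in for the Redis dedupe round-trip are assumptions, and the scoring function is injected because the page does not describe the model.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"net/http"
	"sync"
	"time"
)

// LoginEvent carries the fields of the /evaluate request shown on this page.
type LoginEvent struct {
	ClientIP             string    `json:"client_ip"`
	AccountID            string    `json:"account_id"`
	RequestID            string    `json:"request_id"`
	AuthFlow             string    `json:"auth_flow"`
	Result               string    `json:"result"`
	FailureReason        string    `json:"failure_reason"`
	UserAgentRaw         string    `json:"user_agent_raw"`
	IntegrityAttestation string    `json:"integrity_attestation"`
	ReceivedAt           time.Time `json:"-"` // stamped by the server, never read from the client
}

// Decision is the response shape shown on this page.
type Decision struct {
	RiskScore int      `json:"risk_score"`
	Action    string   `json:"action"`
	Reasons   []string `json:"reasons"`
	RequestID string   `json:"request_id"`
}

// DecodeLoginEvent: 64 KiB body limit (assumed), unknown fields rejected, required fields checked, receive time stamped.
func DecodeLoginEvent(r io.Reader) (LoginEvent, error) {
	var ev LoginEvent
	dec := json.NewDecoder(io.LimitReader(r, 64<<10))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&ev); err != nil {
		return ev, err
	}
	if ev.ClientIP == "" || ev.AccountID == "" || ev.RequestID == "" {
		return ev, errors.New("client_ip, account_id and request_id are required")
	}
	ev.ReceivedAt = time.Now().UTC()
	return ev, nil
}

// ActionFor maps a 0-100 score to the four bands; cut-offs assumed (the page shows only that 75 is RATE_LIMIT).
func ActionFor(score int) string {
	switch {
	case score >= 90:
		return "BLOCK"
	case score >= 70:
		return "RATE_LIMIT"
	case score >= 40:
		return "STEP_UP"
	default:
		return "ALLOW"
	}
}

// Deduper is an in-memory stand-in for the Redis dedupe round-trip.
type Deduper struct {
	mu     sync.Mutex
	Window time.Duration
	Seen   map[string]time.Time
}

// FirstSeen reports whether request_id is new inside the dedupe window.
func (d *Deduper) FirstSeen(id string, now time.Time) bool {
	d.mu.Lock()
	defer d.mu.Unlock()
	if t, ok := d.Seen[id]; ok && now.Sub(t) < d.Window {
		return false
	}
	d.Seen[id] = now
	return true
}

// Handler serves POST /evaluate; Score is injected since the page does not describe the model.
type Handler struct {
	Dedupe *Deduper
	Score  func(LoginEvent) (int, []string)
}

func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	ev, err := DecodeLoginEvent(r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	d := Decision{RequestID: ev.RequestID, Reasons: []string{}}
	if !h.Dedupe.FirstSeen(ev.RequestID, ev.ReceivedAt) {
		d.Action = "REJECT" // duplicate request_id: scoring is skipped
	} else {
		d.RiskScore, d.Reasons = h.Score(ev)
		d.Action = ActionFor(d.RiskScore)
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(d)
}
```

Mounted at /evaluate on a loopback listener, this handler returns the response shown earlier for the sample request, and a second POST carrying the same request_id inside the dedupe window comes back as REJECT without the scorer running. DisallowUnknownFields is what turns a typo or an unexpected field into a 400 instead of a silently mis-scored event.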
Multi-Bouncer Correlation
The next step is a fast shared intelligence layer: multiple Bouncer instances and websites feeding one network-wide view of attacking IPs, while keeping account history isolated per site.
Velocity spikes and credential stuffing become visible across the whole network.
Account counters and device trust stay scoped per site — one product never pollutes another's history.
One shared store keeps the hot path at a single round-trip, with no cross-site graph lookups hurting latency.