Validation

Authorization

apiKey

x-api-key<token>

Your secret API key. Server-only — never call /validate from a browser.

In: header

Request Body

application/json

TypeScript Definitions

Use the request body type in TypeScript.

url*string

Full URL the user requested.

Formaturi

method*string

HTTP method (GET, POST, etc).

ip*string

Real client IP. If you are behind a CDN, use X-Forwarded-For (not the proxy IP).

headers*

All request headers. More headers improve detection accuracy.

referrer?string

Value of the Referer request header.

cookie?string

The _centinel cookie value set by the browser script. Needed for session tracking across interstitial challenges.

Response Body

`application/json`

curl -X POST "https://example.com/validate" \  -H "Content-Type: application/json" \  -d '{    "url": "https://example.com/article",    "method": "GET",    "ip": "1.2.3.4",    "referrer": "https://example.com",    "cookie": "<_centinel-cookie-value>",    "headers": {      "Host": "example.com",      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",      "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",      "Accept-Language": "en-US,en;q=0.9",      "Sec-Fetch-Dest": "document",      "Sec-Fetch-Mode": "navigate",      "Sec-Fetch-Site": "none"    }  }'

{
  "success": true,
  "decision": "allow"
}

{
  "success": false,
  "error": {
    "type": "invalid_request",
    "message": "missing required field: headers"
  }
}

{
  "success": false,
  "error": {
    "type": "invalid_api_key",
    "message": "invalid api key"
  }
}

Authorization

Request Body

Response Body

200application/json

400application/json

401application/json

Allow

Allow with crawler metadata

Block

Redirect (interstitial challenge)

Not matched

`application/json`

`application/json`

`application/json`