Quickstart
Three required steps to get from zero to a gated endpoint. None of them is optional: skipping any step leaves your endpoint silently ungated, and the dashboard activity feed and your runtime behaviour will disagree.
Before going live
Configure at least one route policy on your endpoint detail page. An endpoint with no routes is in pass-through mode — every request reaches your handler ungated. The SDK boot logs a warning and the dashboard surfaces a red banner, but the gate is your responsibility.
1. Register an endpoint
Visit /dashboard/endpoints and register your inbound surface. You'll get an ASTRAE-id and a one-time-visible webhook secret. Save the secret in your secrets manager — AstraSync stores only a hash.
For a deeper walkthrough see the Merchants — start here guide.
2. Configure per-route policy (Required)
On the endpoint detail page, add at least one route policy (pattern + method + minAccessLevel + optional minTrustScore). The SDK fetches this on init and applies it at runtime. Without it, the middleware falls through.
A typical e-commerce gate might have:
POST /api/checkout/* → minAccessLevel: 'standard', minTrustScore: 40
GET /api/catalog/* → minAccessLevel: 'restricted'
* /api/admin/* → minAccessLevel: 'full', minTrustScore: 70
3. Set the unverified-agent policy
Decide what happens when an unregistered agent hits your endpoint:
- deny (default) — block at AstraSync, return guidance pointing to /register.
- audit (v2.3.8+) — allow the request, set X-Astra-Unverified-Warning on the response. Soft-launch mode: behaviourally equivalent to allow, but surfaces the unverified state to your code and the activity feed.
- allow_partial — reduced (guidance) access only.
- allow_full — full access. Use only when the endpoint is genuinely public.
This is the endpoint-side inbound policy. It is not the same as the PDLSS scope's outbound unverifiedCounterpartyPolicy. See Inbound vs outbound unverified-policy fields if you're configuring both.
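A pre-launch check covering steps 2 and 3, as an added example that is not AstraSync SDK code: it flags an empty route list, application routes that no policy pattern covers, and an unverified-agent policy that lets unverified agents through. The config shape, the `unverifiedAgentPolicy` field name, the `*` glob and any-method semantics, and the sample application routes are assumptions made for illustration.

```javascript
// Added example, not AstraSync SDK code. Config shape and field names are assumptions.
const UNVERIFIED_POLICIES = ['deny', 'audit', 'allow_partial', 'allow_full'];

// Assumptions: '*' in a pattern matches any run of characters ('/' included);
// a policy method of '*' means any HTTP method.
function patternToRegExp(pattern) {
  const parts = pattern.split('*').map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$');
}

function covers(policy, route) {
  const methodOk = policy.method === '*' || policy.method.toUpperCase() === route.method.toUpperCase();
  return methodOk && patternToRegExp(policy.pattern).test(route.path);
}

// Returns findings to review before going live; an empty array means none.
function auditGateConfig(config, appRoutes) {
  const findings = [];
  const routes = config.routes || [];
  if (routes.length === 0) findings.push('no route policies: endpoint is in pass-through mode');
  for (const p of routes) {
    if (!p.minAccessLevel) findings.push(`policy ${p.method} ${p.pattern}: missing minAccessLevel`);
  }
  for (const r of appRoutes) {
    if (!routes.some((p) => covers(p, r))) findings.push(`no policy covers ${r.method} ${r.path}`);
  }
  const policy = config.unverifiedAgentPolicy ?? 'deny'; // hypothetical field name; deny is the default
  if (!UNVERIFIED_POLICIES.includes(policy)) findings.push(`unknown unverified-agent policy: ${policy}`);
  if (policy === 'audit') findings.push('audit: unverified agents are allowed through with a warning header');
  if (policy === 'allow_full') findings.push('allow_full: confirm the endpoint is genuinely public');
  return findings;
}

// Constructed sample: the three route policies from step 2 plus made-up application routes.
const sampleConfig = {
  routes: [
    { method: 'POST', pattern: '/api/checkout/*', minAccessLevel: 'standard', minTrustScore: 40 },
    { method: 'GET', pattern: '/api/catalog/*', minAccessLevel: 'restricted' },
    { method: '*', pattern: '/api/admin/*', minAccessLevel: 'full', minTrustScore: 70 },
  ],
  unverifiedAgentPolicy: 'audit',
};
const sampleAppRoutes = [
  { method: 'POST', path: '/api/checkout/pay' },
  { method: 'GET', path: '/api/catalog/items' },
  { method: 'POST', path: '/api/catalog/items' }, // only GET is covered by the sample policies
  { method: 'DELETE', path: '/api/admin/users/1' },
  { method: 'GET', path: '/api/orders/42' },
];
console.log(auditGateConfig(sampleConfig, sampleAppRoutes).join('\n'));
```

Run against the constructed sample, the check reports the two routes that match no policy and the audit-mode setting.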
Next
- Merchants — start here — the full five-minute walkthrough with the worked example.
- Test your integration — four canonical request shapes and their literal responses.
- SDK reference: verification-gateway — config options including setPassThroughHeader and dashboardUrl.
