api-turnstile

v0.2.0

CAPTCHA-free API bot protection and abuse prevention middleware for Node.js, Express, Next.js, and serverless APIs.

API Turnstile (Sentinel) — Turnstile for APIs


Sentinel is a high-velocity deterministic trust layer for modern APIs. It stops automated abuse, credential stuffing, and fake signups by analyzing Infrastructure DNA and enforcing Behavioral Work Tokens without ever showing a CAPTCHA to a human.

🚫 Problems We Stop

  • Signup Flooding: Thousands of fake accounts hitting your database.
  • Credential Stuffing: Automated login attempts using leaked passwords.
  • API Scraping: Competitors or AI agents draining your proprietary data.
  • Ghost Traffic Tax: Unnecessary AWS/Cloud compute costs from non-human traffic.

⚡ Global Edge Enforcement

Sentinel is built for the internet's edge. Deploy as a standard Node.js middleware or a Global Edge Guard on Cloudflare Workers / Vercel Edge.

  • Fast-Path Matrix: Instant identification of hosting/proxy infrastructure.
  • Edge Cache Support: Sub-2ms rejection using Cloudflare KV or Vercel Edge Config.
  • Agentic Governance: Specific profiles to identify and throttle AI Agents vs Humans.

Example: Cloudflare Worker Edge Enforcement

```js
import { sentinelEdge } from 'api-turnstile';

export default {
  async fetch(request, env, ctx) {
    const shield = sentinelEdge({
      apiKey: env.SENTINEL_KEY,
      cache: env.SENTINEL_KV, // Cloudflare KV Namespace
      protect: ['/v1/*'],
      profile: 'agentic' // Identify & throttle AI Agents
    });

    const blockResponse = await shield(request, ctx);
    if (blockResponse) return blockResponse;

    return await fetch(request);
  }
};
```

Key Features

  • Extreme Performance: Sub-50ms decision latency globally.
  • Zero Friction: No CAPTCHAs, no puzzles, no interrupted user flows.
  • Adaptive Defenses: Automatically scales security based on the risk-score of an incoming request.
  • Framework Agnostic: Native middleware for Express, Fastify, Next.js, Hono, and Bun.
  • CLI Forensics: Stream live traffic decisions and audit IPs directly from your terminal.
  • Outcome-Focused: Designed for Registration Fraud, Account Takeover (ATO), and Scraping Prevention.

Installation

```bash
npm install api-turnstile
```

Basic Integration

Express.js

```js
import { sentinel } from 'api-turnstile';
import express from 'express';

const app = express();

app.use(sentinel({
  // Placeholder; load the real key from an environment variable or secret store.
  apiKey: 'YOUR_SENTINEL_KEY',
  protect: ['/api/auth/*', '/v1/payments'],
  profile: 'api' // Default profile
}));
```

Next.js (Edge Middleware)

```ts
// middleware.ts
import { sentinelEdge } from 'api-turnstile';

export default sentinelEdge({
  apiKey: process.env.SENTINEL_KEY,
  protect: {
    '/api/auth/*': 'strict',
    '/api/public/*': 'monitor'
  }
});

export const config = {
  matcher: '/api/:path*',
};
```

Advanced Configuration

The sentinel middleware accepts a SentinelConfig object for granular control.

| Option | Type | Default | Description |
| :--- | :--- | :--- | :--- |
| apiKey | string | Required | Your Sentinel API key. |
| protect | string[] \| Object | [] | List of paths to protect or a map of path patterns to ProtectionMode. |
| profile | string | 'api' | Sensitivity profile: api, signup, payments, crypto. |
| fail | 'open' \| 'closed' | 'closed' | Fail strategy if API is unreachable. closed blocks access. |
| onBlock | Function | 403 JSON | Custom block handler: (req, res, decision) => void. |
| bwt.enabled | boolean | true | Enable Behavioral Work Tokens (Adaptive PoW). |
| webhooks.onBlock | string | undefined | URL to POST to when an attack is blocked. |

Path Protection Modes

Control how strictly each path is enforced:

  • monitor: Passive logging. Never blocks.
  • balanced: Defensive mode. Blocks high-confidence automated threats.
  • strict: Zero-tolerance. Blocks any suspicious signal including VPNs and Datacenters.

```js
protect: {
  '/api/public': 'monitor',
  '/api/user/*': 'balanced',
  '/api/sensitive': 'strict'
}
```

Security Profiles

Sentinel profiles tune the engine's heuristics based on the endpoint's value:

| Profile | Focus | Use Case |
| :--- | :--- | :--- |
| api | Velocity | Standard API endpoints, data feeds. |
| signup | Identity | Registration, Login, Forget Password. |
| payments | Integrity | Checkout, Subscription, Payment Method Update. |
| crypto | Pure Trust | Wallets, Faucets, On-Chain interactions. |
| agentic | AI Governance | LLM Agents, Scrapers, Automated Crawlers. |

Using the Agentic Profile

The agentic profile is designed to differentiate between human users and AI Agents (like GPT-5, Perplexity, etc.). When enabled, Sentinel provides granular signals that allow you to serve "Lite" or "Cached" content to bots while saving expensive compute for humans.

```js
app.use(sentinel({
  apiKey: '...',
  protect: ['/data/*'],
  profile: 'agentic'
}));
```

Response Formats

Successful Decision (Allowed)

Requests that pass Sentinel checks proceed seamlessly to your next middleware.

Blocked Decision (Default 403)

If a request is blocked, Sentinel returns a detailed forensic response:

```json
{
  "error": "Access denied",
  "reason": "Headless browser signature detected (Puppeteer/Chrome)",
  "remediation": {
    "widget_required": false,
    "trust_token_eligible": true
  }
}
```
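
The default body above tells the caller which signal triggered the block. As an added example (not code from the package), an `onBlock` handler that keeps the reason in server-side logs and returns only a generic error with a correlation reference. The shape of `decision`, the Express-style `req`/`res`, and the names `makeOnBlock` and `clip` are assumptions.

```javascript
// Added example, not part of api-turnstile. The (req, res, decision) signature is
// from the options table. Assumption: `decision` exposes the `reason` and
// `remediation` fields seen in the default 403 body; req/res are Express-style.

// Bound field length so attacker-controlled values cannot bloat the log.
const clip = (v) => String(v ?? '').slice(0, 256);

function makeOnBlock(log = console) {
  let seq = 0;
  return function onBlock(req, res, decision) {
    // Reference the client can quote to support; reveals nothing about detection.
    const ref = `blk-${Date.now().toString(36)}-${(seq++).toString(36)}`;

    // Full forensic detail stays server-side. JSON.stringify escapes CR/LF,
    // so a crafted path cannot forge extra log lines.
    log.warn(JSON.stringify({
      event: 'sentinel_block',
      ref,
      ip: clip(req.ip),
      method: clip(req.method),
      path: clip(req.path),
      reason: clip(decision?.reason),
    }));

    // The response omits `reason`; `remediation` is passed through on the
    // assumption that the client needs it to start the trust-token flow.
    res.status(403).json({
      error: 'Access denied',
      ref,
      remediation: decision?.remediation,
    });
  };
}

// Wiring, using the option name from the configuration table:
// app.use(sentinel({ apiKey: process.env.SENTINEL_KEY, protect: ['/api/auth/*'], onBlock: makeOnBlock() }));
```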

Sentinel CLI

The package includes a powerful command-line interface for real-time traffic analysis.

```bash
# Install CLI globally
npm install -g api-turnstile

# Stream live traffic forensic decisions
sentinel tail --key YOUR_API_KEY

# Perform an immediate audit on an IP address
sentinel check 1.2.3.4

# View security ROI and outcome metrics
sentinel stats
```

Behavioral Work Tokens (BWT)

BWT is our proprietary adaptive PoW system. When Sentinel identifies an "Unstable" IP, it scales a cryptographic challenge that must be solved by the client.

  1. Legitimate Users: The api-turnstile client (or frontend widget) solves the challenge in ~10-40ms in the background.
  2. Bot Scripts: Python, Go, and simple Node.js scripts fail the challenge as they lack the cryptographic engine required to generate a valid BWT-Nonce.

Deployment & Compatibility

  • Node.js: 18.x and above.
  • Bun: 1.0.0 and above.
  • Cloud Runtime: Vercel Edge, Cloudflare Workers, AWS Lambda.
  • Database: Zero external DB dependencies (Decision Engine is managed).

License

MIT © Sentinel Security