AbuseGraph + Auth0
Score Auth0 signups from a Post-Login Action with the hosted check API.
Install the browser SDK
npm install @palisade/sdk
Init early on app load. Call check({ email }) at signup or login — not on every page view.
Keys
| Key | Env / Action secret | Use |
|---|---|---|
| Secret | ABUSEGRAPH_SECRET_KEY (sk_…) | Server /api/v1/check |
| Site | ABUSEGRAPH_SITE | Licensed domain |
| Publishable | NEXT_PUBLIC_ABUSEGRAPH_PUBLISHABLE_KEY (pk_…) | Optional browser SDK |
Action secrets
bash
ABUSEGRAPH_SITE=acme.com
ABUSEGRAPH_CHECK_URL=https://abusegraph.com/api/v1/check
ABUSEGRAPH_SECRET_KEY=sk_live_…Post-Login Action
javascript
exports.onExecutePostLogin = async (event, api) => {
const email = event.user.email
if (!email) return
const isSignup =
event.stats?.logins_count === 1 ||
event.request?.query?.screen_hint === "signup"
const res = await fetch(
event.secrets.ABUSEGRAPH_CHECK_URL ||
"https://abusegraph.com/api/v1/check",
{
method: "POST",
headers: {
"content-type": "application/json",
"x-api-key": event.secrets.ABUSEGRAPH_SECRET_KEY,
"x-abusegraph-site": event.secrets.ABUSEGRAPH_SITE,
},
body: JSON.stringify({
email,
userId: event.user.user_id,
event: isSignup ? "signup" : "login",
ip: event.request?.ip,
site: event.secrets.ABUSEGRAPH_SITE,
}),
},
)
if (res.status === 402) {
// credits exhausted — fail open or deny per your policy
return
}
const result = await res.json()
if (result.verdict === "block") {
api.access.deny("Account blocked by abuse checks")
}
if (result.verdict === "challenge") {
api.multifactor.enable("any")
}
}Browser SDK (optional)
Collect on your Universal Login custom page or app, then forward toCheckBody fields into a custom Action / API that calls /api/v1/check with sk_.
typescript
import { init } from "@palisade/sdk"
const sdk = init({
publicKey: process.env.NEXT_PUBLIC_ABUSEGRAPH_PUBLISHABLE_KEY!,
})
const collected = await sdk.collect()
const edge = await sdk.evaluate(collected, { email })
// POST sdk.toCheckBody(collected, { email, event: "signup",
// verdictToken: edge.verdictToken.token }) from your backend