← Back to guides

AbuseGraph + Auth0

Score Auth0 signups from a Post-Login Action with the hosted check API.

Install the browser SDK

npm install @palisade/sdk

Init early on app load. Call check({ email }) at signup or login — not on every page view.

Keys

KeyEnv / Action secretUse
SecretABUSEGRAPH_SECRET_KEY (sk_…)Server /api/v1/check
SiteABUSEGRAPH_SITELicensed domain
PublishableNEXT_PUBLIC_ABUSEGRAPH_PUBLISHABLE_KEY (pk_…)Optional browser SDK

Action secrets

bash

ABUSEGRAPH_SITE=acme.com
ABUSEGRAPH_CHECK_URL=https://abusegraph.com/api/v1/check
ABUSEGRAPH_SECRET_KEY=sk_live_…

Post-Login Action

javascript

exports.onExecutePostLogin = async (event, api) => {
  const email = event.user.email
  if (!email) return

  const isSignup =
    event.stats?.logins_count === 1 ||
    event.request?.query?.screen_hint === "signup"

  const res = await fetch(
    event.secrets.ABUSEGRAPH_CHECK_URL ||
      "https://abusegraph.com/api/v1/check",
    {
      method: "POST",
      headers: {
        "content-type": "application/json",
        "x-api-key": event.secrets.ABUSEGRAPH_SECRET_KEY,
        "x-abusegraph-site": event.secrets.ABUSEGRAPH_SITE,
      },
      body: JSON.stringify({
        email,
        userId: event.user.user_id,
        event: isSignup ? "signup" : "login",
        ip: event.request?.ip,
        site: event.secrets.ABUSEGRAPH_SITE,
      }),
    },
  )

  if (res.status === 402) {
    // credits exhausted — fail open or deny per your policy
    return
  }

  const result = await res.json()
  if (result.verdict === "block") {
    api.access.deny("Account blocked by abuse checks")
  }
  if (result.verdict === "challenge") {
    api.multifactor.enable("any")
  }
}

Browser SDK (optional)

Collect on your Universal Login custom page or app, then forward toCheckBody fields into a custom Action / API that calls /api/v1/check with sk_.

typescript

import { init } from "@palisade/sdk"

const sdk = init({
  publicKey: process.env.NEXT_PUBLIC_ABUSEGRAPH_PUBLISHABLE_KEY!,
})

const collected = await sdk.collect()
const edge = await sdk.evaluate(collected, { email })
// POST sdk.toCheckBody(collected, { email, event: "signup",
//   verdictToken: edge.verdictToken.token }) from your backend