Getting Started With AccessGate

AccessGate adds device, session, and checkpoint risk intelligence to customer-facing flows such as login, onboarding, payment, account recovery, and beneficiary changes.

For standard Loci tenants, AccessGate requests go through the same Loci API base URL and organization credentials used for transaction monitoring.

Platform Base URL: https://api.runloci.com
AccessGate Risk Check: POST /accessgate/v1/check

## Quick Start

1. Add The SDK To Your Frontend

html
<script src="https://sdk.runloci.com/accessgate-sdk.min.js"></script>

<script>
  const sdk = new AccessGateSDK({
    enableBehavioralBiometrics: true
  });
</script>

The SDK collects device and behavior signals in the browser. Keep API credentials on your server.

2. Collect Data At A Checkpoint

javascript
form.addEventListener('submit', async (event) => {
  event.preventDefault();

  const accessgateData = await sdk.collect({
    includeBehavioral: true
  });

  await fetch('/api/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      email: form.email.value,
      password: form.password.value,
      accessgate_data: accessgateData
    })
  });
});

3. Verify Through The Loci API

javascript
app.post('/api/login', async (req, res) => {
  const { email, password, accessgate_data } = req.body;

  const user = await verifyPassword(email, password);
  if (!user) return res.status(401).json({ error: 'Invalid credentials' });

  const response = await fetch('https://api.runloci.com/accessgate/v1/check', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'x-org-id': process.env.LOCI_ORG_ID,
      'x-api-key': process.env.LOCI_API_KEY
    },
    body: JSON.stringify({
      email,
      ip: req.ip,
      device: accessgate_data.device,
      behavior: accessgate_data.behavior,
      behavioral: accessgate_data.behavioral,
      context: {
        action: 'login',
        user_id: user.id,
        session_id: req.sessionID
      }
    })
  });

  const result = await response.json();

  switch (result.decision?.outcome) {
    case 'allow':
      return res.json({ success: true, token: createSession(user) });
    case 'review':
      return res.json({ requires_step_up: true });
    case 'block':
      return res.status(403).json({ error: 'Access denied' });
    default:
      return res.status(502).json({ error: 'Risk check unavailable' });
  }
});

Decision Outcomes

Outcome Description Typical Action
allow Signals are consistent with expected behavior Proceed normally
review Some signals need additional assurance Step up, review, or queue
block Strong risk indicators are present Deny or hold according to policy

Evaluation Mode

Use the evaluation endpoint in development and testing when you need diagnostic signal details:

bash
curl -X POST "https://api.runloci.com/accessgate/v1/eval/check" \
  -H "x-org-id: your_loci_org_id" \
  -H "x-api-key: your_loci_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "ip": "102.88.34.45",
    "context": { "action": "login", "user_id": "user_123" }
  }'

Use /accessgate/v1/check for production decisions.

Next Steps