Skip to main content
The Guard API lets you embed Starfort guardrails in your own application — call it on the way in to your model (to mask or block prompts) and on the way out (to check responses).

1. Get an API key

API keys belong to a Guardian in an API project. In the Console, open your Guardian → API KeysAdd API Key, then copy the key (it is shown only once and starts with sf_). See Manage API keys. Your endpoint and a ready-made example are on the Guardian’s How to use tab.

2. Send a request

curl -X POST "https://bastion-guardian-api.starfort.io/v1/guard/api" \
  -H "Content-Type: application/json" \
  -H "X-Starfort-Guard-Api-Key: sf_your_key_here" \
  -d '{
    "messages": [
      { "role": "user", "content": "What time does the library open on weekends?" }
    ],
    "processType": "input"
  }'
processType is a label the Guardian declares (commonly input for requests on the way in and output for model responses on the way out). It must be one the Guardian supports — see Request format.

3. Read the action

A benign request passes through: 
{ "action": "PASS", "input_results": [] }
Send something with PII and the Guardian masks it (when a PII policy is assigned): 
{
  "action": "MASK",
  "input_results": [{
    "index": 0, "type": "text", "action": "MASK",
    "processed_content": "My number is [PHONE_NUMBER_1].",
    "results": [ /* … */ ]
  }]
}
Your application should act on the top-level action: forward processed_content on MASK, and refuse the request on BLOCK. A Topic policy can also return CHECK (a controversial topic flagged for review) — API callers receive CHECK directly. See Actions. A request the Guardian can’t analyze returns an HTTP error, never a PASS with empty detections — so an error is never mistaken for “nothing detected”. See Errors & states.
1

Create a key

In the Console, under your Guardian → API Keys.
2

Call the endpoint

POST /v1/guard/api with the X-Starfort-Guard-Api-Key header.
3

Handle the action

PASS → continue · MASK → use processed_content · BLOCK → stop.

Next

Authentication

Request format

Response format

Errors & states