> ## Documentation Index
> Fetch the complete documentation index at: https://docs.starfort.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Guard API quickstart

> Guard your first request in five minutes: create an API key, call the endpoint, and read the action.

The Guard API lets you embed Starfort guardrails in your own application — call it on the way **in** to your model (to mask or block prompts) and on the way **out** (to check responses).

## 1. Get an API key

API keys belong to a **Guardian** in an **API project**. In the Console, open your Guardian → **API Keys** → **Add API Key**, then copy the key (it is shown only once and starts with `sf_`). See [Manage API keys](/en/v1.2/admin/api-keys).

Your endpoint and a ready-made example are on the Guardian's **How to use** tab.

## 2. Send a request

```bash theme={null}
curl -X POST "https://bastion-guardian-api.starfort.io/v1/guard/api" \
  -H "Content-Type: application/json" \
  -H "X-Starfort-Guard-Api-Key: sf_your_key_here" \
  -d '{
    "messages": [
      { "role": "user", "content": "What time does the library open on weekends?" }
    ],
    "processType": "input"
  }'
```

`processType` is a label the **Guardian declares** (commonly `input` for requests on the way in and `output` for model responses on the way out). It must be one the Guardian supports — see [Request format](/en/v1.2/api/request-format).

## 3. Read the action

A benign request passes through:

```json theme={null}
{ "action": "PASS", "input_results": [] }
```

Send something with PII and the Guardian masks it (when a PII policy is assigned):

```json theme={null}
{
  "action": "MASK",
  "input_results": [{
    "index": 0, "type": "text", "action": "MASK",
    "processed_content": "My number is [PHONE_NUMBER_1].",
    "results": [ /* … */ ]
  }]
}
```

Your application should act on the top-level **`action`**: forward `processed_content` on `MASK`, and refuse the request on `BLOCK`. A Topic policy can also return **`CHECK`** (a controversial topic flagged for review) — API callers receive `CHECK` directly. See [Actions](/en/v1.2/concepts/actions-pass-mask-block).

A request the Guardian **can't analyze** returns an HTTP error, never a `PASS` with empty detections — so an error is never mistaken for "nothing detected". See [Errors & states](/en/v1.2/api/errors).

<Steps>
  <Step title="Create a key">In the Console, under your Guardian → API Keys.</Step>
  <Step title="Call the endpoint">`POST /v1/guard/api` with the `X-Starfort-Guard-Api-Key` header.</Step>
  <Step title="Handle the action">PASS → continue · MASK → use `processed_content` · BLOCK → stop.</Step>
</Steps>

## Next

<CardGroup cols={2}>
  <Card title="Authentication" icon="key" href="/en/v1.2/api/authentication" />

  <Card title="Request format" icon="arrow-right-to-bracket" href="/en/v1.2/api/request-format" />

  <Card title="Response format" icon="arrow-right-from-bracket" href="/en/v1.2/api/response-format" />

  <Card title="Errors & states" icon="triangle-exclamation" href="/en/v1.2/api/errors" />
</CardGroup>