Base URL: https://api.injectshield.dev
Pass your API key as a bearer token:
Authorization: Bearer is_live_…Or via header: X-API-Key: is_live_….
Returns a verdict and (optionally) a sanitized version of the input.
| Field | Type | Default | Description |
|---|---|---|---|
text | string | — | ≤ 100,000 chars. Required. |
context | enum | "unknown" | git_commit · web_content · user_input · file_content · email · tool_output |
options.sensitivity | enum | "medium" | low · medium · high — threshold tuning |
options.return_cleaned | bool | true | Return sanitized text with matches replaced. |
{
"safe": false,
"confidence": 0.94,
"threat_type": "instruction_injection",
"patterns_matched": ["ignore-previous", "system-tag-injection"],
"cleaned_text": "[REDACTED:instruction_injection]",
"semantic_score": 0.91,
"semantic_label": "negative",
"notes": [],
"request_id": "req_abc123…"
}Public, throttled to 5 signups/IP/day. Sends an API key to the supplied email.
curl -X POST https://api.injectshield.dev/v1/keys \
-H "Content-Type: application/json" \
-d '{"email":"[email protected]"}'Returns the email, tier, and monthly usage for the bearer key.
Returns current-month request count + blocked count for the bearer key.
Creates a Stripe Checkout Session. Body: {tier:"hobby"|"team"|"pro", email}. Returns {url}.
Public, IP-throttled. Same shape as /v1/scan minus auth and usage logging. Useful for the live demo on the landing page; not intended for production traffic.
instruction_injection — "ignore previous instructions" and variantssystem_override — system-prompt leak attempts, role-tag forgery, ChatML/Llama special tokensrole_hijack — "you are now…", DAN/Developer-Mode personasexfiltration — request to send data to external URL or markdown image with query stringschema_attack — references to known attack schemas (e.g. OpenClaw)encoding_smuggle — base64-decoded directive smugglinginvisible_text — zero-width / bidi / Unicode-Tag smugglingtool_abuse — synthetic tool/function-call directives in untrusted textjailbreak_classic — DAN, "no restrictions", etc.| Status | Code | Meaning |
|---|---|---|
| 400 | bad_json / missing_text / bad_email | Malformed request |
| 401 | missing_api_key / invalid_api_key | Auth failed |
| 402 | monthly_limit | Plan quota exhausted — upgrade |
| 413 | text_too_large | Text > 100K chars |
| 429 | rate_limited / signup_throttled / demo_rate | Backoff and retry |
InjectShield is one layer of a defense-in-depth strategy. Pair it with: prompt-template constraints, tool argument validation, output filtering, and least-privilege agent permissions. We will not claim 100% detection — that's mathematically impossible.