5-Min Setup • 3 Lines of Code • Docker Ready

Ship Fast
Stay Secure

API Security Built for Developers

Drop in G8KEPR and get SQL injection protection, rate limiting, JWT validation, and 85,000+ threat patterns across 24 categories blocked automatically. No security expertise required.

OWASP Top 10 Protected
Zero Config Security
Free Forever Tier
  • 85,000+ threat patterns (24 categories)
  • 5-tier detection: regex → embeddings → NLI → LLM → behavioral
  • SHA-256 tamper-evident hash-chain audit
  • 7-step security pipeline per tools/call
  • 6 SDKs: Python · Node · Go · Ruby · Java · Rust
  • Target: Sub-5ms gateway proxy overhead (cached)
  • OpenAPI schema-driven policy generation
  • 10K/mo free tier (no credit card)

What is API Security for Developers?

Security that gets out of your way so you can focus on building

You Build Features, Not Firewalls

Every API you ship is a potential attack surface. But you shouldn't need a security degree to protect it. G8KEPR gives you enterprise-grade security that works out of the box.

  • Your API Endpoint: POST /api/users
  • G8KEPR Protection: SQL injection blocked
  • Auth Validation: JWT verified automatically
  • Rate Limiting: 1000 req/min default

Threats You Don't Have Time For

Your API is live. Users are signing up. And attackers are probing every endpoint. Here's what they're trying:

  • SQL Injection: SELECT * FROM users WHERE id=1; DROP TABLE users;--
  • XSS Attacks: <script>document.cookie</script> in form fields
  • Broken Auth: JWT manipulation, token replay, session hijacking
  • Rate Abuse: Bots hammering your API, racking up cloud bills

From Zero to Secure in 5 Minutes

Three deployment options — choose what works for your stack

Docker (Recommended)
Self-hosted, unlimited requests, free forever
# Pull and run G8KEPR
$ docker run -d -p 8000:8000 \
g8kepr/gateway
✓ Running on localhost:8000
Self-hosted • Unlimited • Free
SDK Integration
Cloud-hosted, managed, auto-scaling
# Install SDK
$ npm install g8kepr
# 3 lines of code
from g8kepr import G8KEPR
app = G8KEPR(your_app)
Cloud • Managed • Auto-scale
Kubernetes Helm
Production-ready, HA, auto-scaling
# Add Helm repo
$ helm repo add g8kepr \
https://charts.g8kepr.com
$ helm install g8kepr \
g8kepr/gateway
Enterprise • HA • K8s

What G8KEPR Blocks Automatically

85,000+ threat patterns across 24 categories blocked out of the box — zero configuration

SQL Injection Attack
Attack:
Attacker submits: id=1; DROP TABLE users;--
Malicious Request:
GET /api/users?id=1; DROP TABLE users;--
✓ G8KEPR Response:
SQL pattern detected • Request blocked • Alert logged
Cross-Site Scripting (XSS)
Attack:
Attacker injects: <script>steal(cookies)</script>
Malicious Request:
POST /api/comments body: {text: "<script>..."}
✓ G8KEPR Response:
XSS pattern matched • Payload sanitized • User warned
Broken Authentication
Attack:
Attacker modifies JWT payload to escalate privileges
Malicious Request:
GET /api/admin -H "Authorization: Bearer [tampered]"
✓ G8KEPR Response:
JWT signature invalid • Request rejected • Incident logged
Rate Limit Abuse
Attack:
Bot sends 10,000 requests in 1 minute
Malicious Request:
POST /api/login (10,000 attempts, brute force)
✓ G8KEPR Response:
Rate limit exceeded • IP throttled • Pattern analyzed

Built for Developer Workflows

Security that integrates with how you already build

Automatic Threat Blocking

SQL injection, XSS, CSRF, and 85,000+ threat patterns across 24 categories blocked automatically. No rules to write. No policies to configure.

85,000+ attack patterns

3-Line Integration

Install SDK, wrap your app, done. Works with FastAPI, Flask, Express, NestJS, Gin, and every major framework.

3 lines of code

OpenAPI Native

Point G8KEPR at your OpenAPI spec. Auto-generate security policies, validate schemas, and document coverage.

Swagger 3.0 support

Monitor Mode

Test in production without blocking traffic. Shadow mode logs threats and validates policies without enforcement.

Zero-risk testing

Smart Rate Limiting

Intelligent defaults that protect your API from abuse without blocking legitimate users. Per-IP, per-key, per-endpoint.

Adaptive thresholds

AI Gateway Built-In

Building AI features? Route LLM requests through G8KEPR for cost tracking, automatic failover, and unified billing.

Claude, GPT-4, Gemini

Every Tool Call Passes 7 Sequential Checks

Same protection on every endpoint, MCP tool call, and LLM proxy. Target: Sub-5ms gateway proxy overhead on cached, single-region paths.

1. Permission check. RBAC: does this API key/JWT have scope to this endpoint?
2. MFA verification. TOTP required for admin operations and high-risk endpoints (configurable)
3. Rate limiting. Sliding-window check: per-key, per-IP, per-org, per-endpoint, Redis-backed
4. Rug-pull verification. SHA-256 of MCP tool definition vs. registered hash — block on drift
5. Threat detection. 4-tier pipeline + cross-session correlator: regex → embeddings → NLI → LLM → correlator
6. Server forwarding. Execute via stdio subprocess, HTTP, or WebSocket transport
7. Response scanning. IndirectInjectionScanner blocks LLM-directed instructions in tool output

Audit log written. Hash-chain entry: arguments, response, decision, correlation ID

Fail-closed quota state on Redis error • Per-key asyncio lock prevents TOCTOU races • 10 dedicated Prometheus metrics

5 Capabilities You Won't Find Anywhere Else

Not in Anthropic's MCP spec. Not in API gateways. Not in WAFs. Platform-level additions you can drop in with three lines of code.

01

OS-Level MCP Sandbox

Subprocess MCP tools execute inside a hardened Linux sandbox. RLIMIT_CPU/AS/NOFILE/NPROC, setsid() process-group isolation, capability dropping, per-tool egress filtering, and shell binaries removed.

modules/mcp/sandbox/executor.py — 934 LOC
02

Tool Definition Hash Registry

SHA-256 hash of every tool definition pinned at tools/list. On every tools/call, the cached definition is re-hashed and compared. Drift raises MCPRugPullDetectedError, blocks execution, publishes a CRITICAL event.

modules/mcp/tool_registry.py • Redis-backed
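
The pin-and-compare check described above, sketched as an added example (this is not G8KEPR's code). The class names, the `ToolDefinitionDrift` exception, the in-memory dict standing in for a persistent store, and the sample tool definitions are all assumptions made for illustration.

```python
import hashlib
import hmac
import json


class ToolDefinitionDrift(Exception):
    """Hypothetical error: a tool definition no longer matches its pin."""


def definition_hash(tool: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so key order and
    # whitespace do not change the digest; only content changes do.
    canonical = json.dumps(tool, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class ToolPinRegistry:
    """In-memory stand-in for a persistent pin store (assumption)."""

    def __init__(self):
        self._pins = {}

    def pin_from_list(self, server: str, tools: list) -> None:
        # On tools/list: the first digest seen wins; a later listing
        # cannot silently replace an existing pin.
        for tool in tools:
            self._pins.setdefault((server, tool["name"]), definition_hash(tool))

    def check_call(self, server: str, tool: dict) -> str:
        # On every tools/call: re-hash the definition currently on offer.
        pinned = self._pins.get((server, tool["name"]))
        if pinned is None:
            raise ToolDefinitionDrift(f"{tool['name']}: never pinned")  # fail closed
        current = definition_hash(tool)
        if not hmac.compare_digest(pinned, current):
            raise ToolDefinitionDrift(
                f"{tool['name']}: pinned {pinned[:12]} != current {current[:12]}")
        return current


# Constructed sample definitions (not taken from any real MCP server).
ORIGINAL = {"name": "read_file", "description": "Read a file from the workspace.",
            "inputSchema": {"type": "object",
                            "properties": {"path": {"type": "string"}},
                            "required": ["path"]}}
REORDERED = {"inputSchema": {"required": ["path"], "type": "object",
                             "properties": {"path": {"type": "string"}}},
             "description": "Read a file from the workspace.", "name": "read_file"}
CHANGED = dict(ORIGINAL, description="Read any file on the host.")
```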
03

Adaptive Z-Score Circuit Breaker

Statistical, not threshold-based. Z-score > 3.0 against per-hour time-of-day baselines. 4 overlapping sliding windows (1m/5m/15m/1h). Progressive recovery (10→25→50→100%).

gateway/ — 2,208 LOC combined
04

Cross-Pillar Correlation

Every event linked across all four pillars via shared correlation ID. One query: "Show me everything that happened from request X — across MCP + API + Gateway + Verification." Architecturally impossible when layers are separate products.

mcp_contexts • parent-child causal chain
05

Tamper-Evident Audit System

SHA-256 genesis block, each entry signing the previous. Three verification levels (full / single / last-N). Tamper-evident — exportable for SOC 2 audit observation, customer attestations, and incident forensics.

7 modules • 3,866 LOC combined
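
A hash-chained audit log with the three verification levels named above (full, single, last-N), as an added example that is not G8KEPR's implementation. The genesis seed, function names, and sample records are constructed; the record fields follow the ones the page lists for an audit entry.

```python
import hashlib
import json

GENESIS = hashlib.sha256(b"audit-chain-genesis").hexdigest()  # constructed seed


def entry_hash(prev_hash: str, record: dict) -> str:
    # Each digest covers the previous digest plus the canonical record, so
    # changing an entry breaks its own hash or the next entry's link.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain: list, record: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev, "record": record, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry


def verify_single(chain: list, i: int) -> bool:
    # Entry i must hash correctly and link to its predecessor (or genesis).
    expected_prev = chain[i - 1]["hash"] if i > 0 else GENESIS
    e = chain[i]
    return e["prev"] == expected_prev and e["hash"] == entry_hash(e["prev"], e["record"])


def verify_last_n(chain: list, n: int) -> bool:
    # Cheap periodic check: only the newest n entries are re-hashed.
    start = max(0, len(chain) - n)
    return all(verify_single(chain, i) for i in range(start, len(chain)))


def verify_full(chain: list) -> bool:
    return verify_last_n(chain, len(chain))


def first_bad_index(chain: list):
    return next((i for i in range(len(chain)) if not verify_single(chain, i)), None)


def sample_chain() -> list:
    # Constructed records: correlation ID, arguments, response, decision.
    chain = []
    for n, decision in enumerate(["allow", "allow", "block", "allow"]):
        append(chain, {"correlation_id": f"req-{n}", "arguments": {"id": n},
                       "response": "ok" if decision == "allow" else None,
                       "decision": decision})
    return chain
```

A last-N check does not notice an edit to an entry older than the window, and anyone able to rewrite every later entry can recompute the whole chain, so the newest hash has to be stored or exported somewhere the log writer cannot modify.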
+

MCP Correlation Analyzer

Cross-session attack detection: 6-dimension risk score (max 110) across tool sensitivity, data volume, burst, denials, prior detections, and tool diversity. Catches coordinated attacks and 24h slow-and-low patterns.

MCPCorrelationAnalyzer — alert at score > 50

One Correlation ID. All Four Pillars.

A single user request traces forward to the AI agent it spawned, the downstream API call, and the verification check that caught any drift — all under one correlation ID.

User → Session → Prompt → Agent → Tool Call → API Endpoint → Response → Verification
Recorded in mcp_contexts for parent-child replay • Causal chain reconstruction in one query • Hash-chain entries are tamper-evident

Works With Your Stack

Official SDKs for every major language and framework

Python

  • FastAPI
  • Flask
  • Django

Node.js

  • Express
  • Fastify
  • NestJS

Go

  • Gin
  • Echo
  • Fiber

Ruby

  • Rails
  • Sinatra

Java

  • Spring Boot
  • Quarkus

Rust

  • Actix
  • Rocket

Audit Evidence, Built In From Day One

Your customers ask for SOC 2 evidence, you have it. Cross-framework sync means a SOC 2 control automatically contributes evidence toward GDPR and ISO 27001 where they overlap — no duplicate work.

  • SOC 2 Type II: observation in progress
  • GDPR-Ready: Articles 5 / 17 / 32
  • HIPAA-Ready: BAA available
  • PCI DSS v4.0: 300+ requirements
  • ISO 27001: 93 Annex A · aligned
  • OWASP API Top 10: covered

"-Ready" / "aligned" reflect capability posture. SOC 2 Type II observation in progress with external audit H2 2026. PCI DSS certification requires a Qualified Security Assessor (QSA) engagement on the customer's side.

Developer FAQs

Common questions from developers getting started

Most developers have G8KEPR running in minutes. Docker deployment is a single command, and SDK integration takes 3 lines of code. No security expertise required.


Start Building Securely
Right Now

Free tier with 10,000 requests/month. No credit card required.

10K requests/mo free
OWASP protected
quick setup
All SDKs included

No credit card required • Free forever tier • Full feature access