Documentation

Protect each LLM request with one server-side scan before you call your model.

1. Request Flow

  1. Your backend receives a prompt or other user-controlled input.
  2. Your backend calls POST /v1/scan/input with that input in the content field.
  3. Axiom returns a result with an action.
  4. If action is block, stop the request before it reaches your LLM.
  5. Use verdict as the scanner judgment and action as the behavior your app should obey.

2. Environment

Generate a key in the dashboard and store it server-side only.

  • API keys use the ax_live_ prefix.
  • The plaintext key is shown once after generation.
  • Do not send the key to browser code or mobile clients.
  • Never put API keys in query params; use the Authorization header.
  • Use the staging URL below until the production API domain is live.
# .env
AXIOM_API_KEY=ax_live_your_generated_key
AXIOM_API_BASE=https://axiom-stg-app.ashycoast-7f303533.eastus2.azurecontainerapps.io

3. Simple Scan Request

const res = await fetch("https://axiom-stg-app.ashycoast-7f303533.eastus2.azurecontainerapps.io/v1/scan/input", {
  method: "POST",
  headers: {
    "content-type": "application/json",
    "authorization": `Bearer ${process.env.AXIOM_API_KEY}`,
  },
  body: JSON.stringify({
    content: userPrompt,
  }),
});

const result = await res.json();

if (result.action === "block") {
  throw new Error("Prompt blocked by Axiom");
}

4. Next.js Route Example

// app/api/chat/route.ts
export const runtime = "nodejs";

export async function POST(req: Request) {
  const { prompt } = await req.json();

  const scan = await fetch(`${process.env.AXIOM_API_BASE}/v1/scan/input`, {
    method: "POST",
    headers: {
      "content-type": "application/json",
      "authorization": `Bearer ${process.env.AXIOM_API_KEY}`,
    },
    body: JSON.stringify({ content: prompt }),
  });

  const result = await scan.json();

  if (result.action === "block") {
    return Response.json({ error: "Prompt blocked by Axiom" }, { status: 403 });
  }

  // Continue to your LLM call here.
  return Response.json({ ok: true });
}

5. Key Management

  • GenerateCreate keys from the dashboard. The website stores only a SHA-256 hash.
  • StoreSave the plaintext key in your server environment when it is shown.
  • RevokeRevoke keys from the dashboard when they are rotated or no longer needed.