API Documentation
Integrate Injecto into your AI app in under 5 minutes. Screen every user prompt before it reaches your LLM.
Base URL
https://injecto.xyz
Authentication
Pass your API key in the x-api-key header on every request. Get a key on the pricing page.
```
x-api-key: inj_your_key_here
```
Quickstart
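```python
import requests

user_message = "What is the capital of France?"  # the end user's input

resp = requests.post(
    "https://injecto.xyz/api/detect",
    headers={"x-api-key": "inj_your_key_here"},
    json={"prompt": user_message},
    timeout=10,
)
resp.raise_for_status()  # surface 400/401/403/429 (see Error codes)
result = resp.json()

if not result["safe"]:
    raise ValueError(f"Blocked: {result['attack_types']}")
# Safe: call your LLM
```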
POST /demo/detect
Free, unauthenticated endpoint for testing and demos. Rate limited. Use /api/detect in production.
```bash
curl -X POST https://injecto.xyz/demo/detect \
  -H "Content-Type: application/json" \
  -d '{"prompt": "ignore all previous instructions"}'
```
POST /api/detect
Production endpoint. Requires a valid API key. Returns full verdict with risk score, severity, and attack classification.
```bash
curl -X POST https://injecto.xyz/api/detect \
  -H "x-api-key: inj_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "your user input here"}'
```
GET /api/stats
Check your plan and request usage. Requires API key.
```bash
curl https://injecto.xyz/api/stats -H "x-api-key: inj_your_key_here"
```
Response fields
```json
{
  "safe": false,
  "risk_score": 90,
  "severity": "HIGH",
  "attack_types": ["Instruction Override", "Role Hijacking"],
  "patterns": ["ignore all instructions", "you are now"],
  "prompt_length": 9,
  "timestamp": "2026-01-01T00:00:00"
}
```
| Field | Type | Description |
|---|---|---|
| safe | boolean | true = safe to pass to your LLM |
| risk_score | integer | 0–100. Higher = more dangerous |
| severity | string | LOW / MEDIUM / HIGH |
| attack_types | array | Human-readable attack categories detected |
| patterns | array | Exact phrases that triggered detection |
| prompt_length | integer | Word count of input |
Attack types
| Type | Description |
|---|---|
| Instruction Override | "ignore previous instructions" and variants |
| Role Hijacking | "pretend you are" / "you are now" attacks |
| Prompt Leaking | Attempts to extract system prompt or config |
| Jailbreak Attack | DAN, developer mode, and constraint removal |
| Persona Injection | Gradual identity substitution via "new persona" |
| Privilege Escalation | "act as system" and similar elevation attempts |
| Safety Bypass | Direct "bypass safety" / "disable restrictions" |
| Firewall Block | Hardcoded forbidden content (passwords, secrets) |
Error codes
| Status | Meaning |
|---|---|
| 400 | Missing or empty prompt field |
| 401 | No API key provided |
| 403 | Invalid API key |
| 429 | Monthly request limit reached — upgrade plan |
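
A fail-closed wrapper around /api/detect, added here as an example; it is not Injecto's own client code. It maps the status codes from the Error codes table to one exception and requires `safe` to be a real boolean, so an outage, an exhausted quota or a malformed body can never be read as "safe". The names `screen_prompt`, `http_post`, `ScreeningUnavailable` and the injectable `post` transport are assumptions made for this example.

```python
import json
import urllib.error
import urllib.request

DETECT_URL = "https://injecto.xyz/api/detect"
# Meanings taken from the "Error codes" table on this page.
ERRORS = {400: "missing or empty prompt field", 401: "no API key provided",
          403: "invalid API key", 429: "monthly request limit reached"}

class ScreeningUnavailable(Exception):
    """No trustworthy verdict was obtained; the caller must not call the LLM."""

def http_post(url, headers, payload, timeout=5):
    """Default transport (stdlib). Returns (status_code, parsed_json_or_None)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"),
        headers={**headers, "Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None  # 4xx/5xx: the status alone decides the outcome

def screen_prompt(prompt, api_key, post=http_post):
    """Return (allowed, reason). Every failure path denies or raises."""
    if not isinstance(prompt, str) or not prompt.strip():
        return False, "empty prompt"  # would be a 400; skip the round trip
    try:
        status, body = post(DETECT_URL, {"x-api-key": api_key}, {"prompt": prompt})
    except (OSError, ValueError) as err:  # timeout, DNS/TLS failure, non-JSON body
        raise ScreeningUnavailable(f"transport error: {err}") from err
    if status != 200:
        raise ScreeningUnavailable(ERRORS.get(status, f"unexpected HTTP {status}"))
    # Require a real boolean: the string "false" is truthy and would slip past
    # a bare `if not result["safe"]` check.
    if not isinstance(body, dict) or not isinstance(body.get("safe"), bool):
        raise ScreeningUnavailable("malformed verdict")
    if not body["safe"]:
        types = ", ".join(body.get("attack_types") or ["unclassified"])
        return False, f"{body.get('severity', 'UNKNOWN')} risk: {types}"
    return True, "ok"
```

Treat `ScreeningUnavailable` as a deny in the request path and alert on it separately from blocked prompts, since 401, 403 and 429 indicate a configuration or quota problem rather than an attack.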