The cryptographic ALLOW / DENY layer between the internet and your app.
Sub-millisecond decisions · AES-256 encrypted rules · HMAC-SHA256 signed responses · MIT licensed
Acrossed is a stateless decision engine. You send it a small request fingerprint
(IP, method, path, a few headers); it judges the request against rules you
configured and returns allow or deny in under a millisecond, signed with
HMAC-SHA256 so your origin can verify the verdict came from us.
You never send us request bodies. We never store your traffic. We just decide.
import { Acrossed } from "acrossed";
const ac = new Acrossed({ apiKey: process.env.ACROSSED_KEY! });
app.use(async (req, res, next) => {
const d = await ac.check(req);
if (d.deny) return res.status(403).send(d.reason);
next();
});| Path | Description |
|---|---|
engine/ |
Rust decision engine — the hot path. p50 < 1 ms on a single CPU core. |
dashboard/ |
Next.js 15 + Clerk dashboard (the UI you see at acrossed.com). |
sdk-js/ |
Official JavaScript / TypeScript SDK (published as acrossed on npm). |
sdk-python/ |
Official Python SDK (published as acrossed on PyPI). |
sdk-go/ |
Lives in acrossed-com/sdk-go so go get works without a sub-path. |
assets/ |
Brand assets — logo, social cards. |
| Language | Install | Quickstart |
|---|---|---|
| Node / TS | npm i acrossed |
docs/sdk-js.md |
| Python | pip install acrossed |
docs/sdk-python.md |
| Go | go get github.com/acrossed-com/sdk-go |
docs/sdk-go.md |
git clone https://github.com/acrossed-com/acrossed
cd acrossed/engine
cargo run --releaseThe engine listens on :4000 by default and exposes:
POST /check— submit a request fingerprint, receive a signed verdict.GET /healthz— liveness probe.GET /metrics— Prometheus exposition.
See docs/self-hosting.md for the full deployment
guide (Docker, Kubernetes, systemd, NGINX/Caddy reverse proxy, mTLS).
| Traditional WAF | Acrossed | |
|---|---|---|
| Decision authority | Inline / proxy | Out-of-band, returned to your origin |
| Body access | Often inspects the body | Body never leaves your servers |
| Verification | Trusted blindly | HMAC-SHA256 signed verdicts you can verify |
| Hot path latency | 5–25 ms typical | < 1 ms p50 |
| Storage of customer traffic | Yes, usually | None |
Full developer docs at acrossed.com/docs.
For social, news, and the link tree: acrsd.dev.
Acrossed offers a free tier (10K decisions/month, all security features included) and paid plans for higher volumes and custom domains.
See acrossed.com/pricing for the live plan list, quotas, and pay-as-you-go rates.
The plan table is the canonical source of truth — surfaced via GET /billing/plans on the API and rendered consistently across the marketing page, in-app dashboard, and SDK error responses.
MIT — see LICENSE.