Guardian SDK

Surt Guardian is a device intelligence SDK for mobile and web applications. It collects device signals, performs cryptographic attestation where available, and sends everything to the Surt backend for risk assessment. All security decisions are made server-side.

1

Install

Add the SDK to your project

2

Initialize

Configure at app startup

3

Mint JWT + Verify

Fetch a JWT from your backend, then call verify()

How It Works

1. Install the SDK in your project
2. Initialize the SDK at app startup (no API key in the client)
3. Your backend mints a short-lived JWT by calling Surt's preflight endpoint with your sp_live_* API key and the transaction context
4. Call verify(jwt) with a fresh JWT for a direct risk decision, or collect(jwt?) for the server-to-server flow
5. Receive a risk decision from verify(), or an encrypted payload from collect() that your backend sends to Surt

The SDK handles device fingerprinting, attestation challenges, and data collection internally. The sp_live_* API key never leaves your backend - the client only ever holds short-lived JWTs.

Two verification paths

• verify(jwt): SDK calls Surt directly, returns allowed: true/false to your app. Requires a fresh JWT per call (the attestation nonce embedded in the JWT is single-use). Native SDKs only.
• collect(jwt?): SDK collects and encrypts data locally, your backend calls Surt's evaluate endpoint. The JWT is optional - pass it only if you want the device's public IP embedded in the payload. Supported on every platform, including web.

Platform Support

Platform	Package	Distribution	verify()	collect()
Web (Browser)	@surtai/guardian-web	npm	n/a	✓
React Native	@surtai/guardian-rn	npm	✓	✓
iOS (Swift)	SurtGuardianSDK	Swift Package Manager	✓	✓
Android (Kotlin)	com.surt.guardian:securitysdk	Maven (GitHub Packages)	✓	✓

Native platforms share the same API surface and are versioned in sync. The web SDK is collect-only: it has no verify() and no app-level initialization.

What It Collects

Without permissions: Hardware info, security indicators (root/jailbreak, emulator, debugger, VPN, Frida, Xposed, Magisk), software info, battery, network type.

With permissions (opt-in): GPS location, WiFi details, SIM/carrier info, camera info.

Quick Links

• Quick Start: get running in 5 minutes
• Web (Browser): npm install @surtai/guardian-web, no init
• React Native: npm install + GuardianProvider
• iOS: Swift Package Manager setup
• Android: Maven/Gradle setup
• Authentication: minting short-lived JWTs via preflight
• Collect (Server-to-Server): backend-to-backend verification
• Risk Levels: understand risk assessment
• Configuration: all SDK options