Install the SDK
Install browser RUM, Shield, server threat signals, and the typed API client from one npm package.
Getting started
Install the PreFlight SDK
Use one maintained package for browser performance, secret-leak Shield, server-side Threat Signals, and API automation. You can also copy a fixed prompt into Cursor, Codex, Claude, or another coding agent.
Install
npm install @getpreflight/sdk
Next.js
Create public browser variables from your project’s SDK setup page, then add the component once in the shared root layout.
import { PreFlight } from "@getpreflight/sdk/next";
export default function RootLayout({ children }: { children: React.ReactNode }) {
return (
<html>
<body>
{children}
<PreFlight
projectId={process.env.NEXT_PUBLIC_PREFLIGHT_PROJECT_ID!}
clientKey={process.env.NEXT_PUBLIC_PREFLIGHT_CLIENT_KEY!}
rum
shield
/>
</body>
</html>
);
}
The component is a small client boundary, so the layout remains a Server Component. It reports Core Web Vitals and scans shipped browser content for supported secret patterns. URL query strings and fragments are removed before collection.
Server Threat Signals
Keep PREFLIGHT_SERVER_KEY server-only. Report an event only after a real application defense has already rejected or limited a request.
import { createClientFingerprint, createPreFlightThreatReporter } from "@getpreflight/sdk/server";
const threats = createPreFlightThreatReporter({
projectId: process.env.PREFLIGHT_PROJECT_ID!,
serverKey: process.env.PREFLIGHT_SERVER_KEY!,
});
await threats.report({
eventKind: "rate_abuse",
severity: "medium",
routePattern: "/api/login",
method: "POST",
clientFingerprint: await createClientFingerprint(actorId, process.env.FINGERPRINT_SECRET!),
evidence: { count: 12, windowSeconds: 60, statusCode: 429, ruleId: "login-rate-limit" },
});
Never send a request body, cookie, authorization header, query value, email address, raw IP address, token, or customer content.
API client
Use account API keys only in CI or server code.
import { createPreFlightClient } from "@getpreflight/sdk/api";
const preflight = createPreFlightClient({ apiKey: process.env.PREFLIGHT_API_KEY! });
const gate = await preflight.deployGate.evaluate(process.env.PREFLIGHT_PROJECT_ID!, "strict");
if (!gate.allowed) process.exitCode = 1;
Use with a coding agent
Open Project → SDK setup and choose Copy agent prompt. The prompt is maintained in the PreFlight codebase, includes the public project configuration, and tells the agent exactly what it must not expose. It does not contain the server or account API key.
