Integration
Three lines of code. Un-bypassable execution control.
GoFirm is a drop-in execution boundary guard. You call one function at the point where a consequential action is about to execute. GoFirm handles the rest.
No infrastructure to manage. No cryptography to implement. No OOB channel to build. No audit trail to maintain. A three-line integration footprint that enforces what your organisation's toughest security requirements demand.
The Integration
// 1. Install
npm install @gofirm/sdk
// 2. Initialise
const goFirm = new GoFirm({ apiKey: process.env.GOFIRM_API_KEY });
// 3. Confirm before execution
const { verdict } = await goFirm.confirm({
  action_type: 'financial.transfer',
  payload: { amount, beneficiary, reference },
});
if (verdict !== 'confirmed') return res.status(403).json({ error: 'Not authorised' });
// proceed with transfer
That is the entire integration. GoFirm handles the OOB channel, the biometric confirmation, the nonce validation, the N-of-N orchestration, and the signed audit trail. You act on the verdict.
What GoFirm Handles Invisibly
Routes the confirmation request to the named authority via their preferred out-of-band channel.
Enforces biometric confirmation on the authority’s registered device. The confirmation cannot be satisfied remotely, by stolen credentials, or by a deepfake.
Validates the payload-bound nonce to prevent replay attacks against modified payloads.
Enforces the N-of-N model if the action type requires multiple independent authorities.
Returns the signed verdict to the caller with receipt_id, signed_receipt, and timestamp.
Writes the full event to the immutable audit trail. You do not manage the receipt.
Fails safe on any GoFirm infrastructure issue: verdict returns ‘denied’ with GOFIRM_UNAVAILABLE. Never a permissive default.
What You Manage
Your API key.
Which authority_id maps to which action type in your organisation.
Acting on the verdict GoFirm returns.
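Acting on the verdict means the caller must also deny when the call itself throws, hangs, or returns something unexpected. The guard below is an added example, not GoFirm's code: confirmOrDeny, timeoutMs, the reason strings and the stub clients are hypothetical, and only confirm() and the 'confirmed' and 'denied' verdict values come from this page.

```javascript
// Added example: fail-closed guard around goFirm.confirm().
// confirmOrDeny, timeoutMs, the reason strings and the stubs are hypothetical,
// not part of the GoFirm SDK.
async function confirmOrDeny(client, request, { timeoutMs = 30000 } = {}) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('timeout')), timeoutMs);
  });
  try {
    // Whichever settles first wins: the verdict or the local deadline.
    const result = await Promise.race([client.confirm(request), deadline]);
    // Strict allow-list: only the exact string 'confirmed' permits execution.
    if (result && result.verdict === 'confirmed') {
      return { allowed: true, reason: 'confirmed' };
    }
    return { allowed: false, reason: 'not_confirmed' };
  } catch (err) {
    // SDK exception, network failure or timeout: deny, never proceed.
    return { allowed: false, reason: err?.message === 'timeout' ? 'timeout' : 'error' };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed stub clients, one per outcome the caller must survive.
const stubs = {
  confirmed: { confirm: async () => ({ verdict: 'confirmed' }) },
  denied: { confirm: async () => ({ verdict: 'denied' }) },
  malformed: { confirm: async () => ({ verdict: 'Confirmed ' }) },
  empty: { confirm: async () => undefined },
  throws: { confirm: async () => { throw new Error('ECONNRESET'); } },
  hangs: { confirm: () => new Promise(() => {}) },
};

async function runDemo() {
  const request = {
    action_type: 'financial.transfer',
    payload: { amount: 100, beneficiary: 'ACME', reference: 'INV-1' }, // constructed values
  };
  const out = {};
  for (const [name, client] of Object.entries(stubs)) {
    const { allowed, reason } = await confirmOrDeny(client, request, { timeoutMs: 50 });
    out[name] = `${allowed}:${reason}`;
  }
  return out;
}

runDemo().then((out) => console.log(out));
```

In a request handler, return the 403 from the integration snippet whenever allowed is false.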
Zero Trust at the Execution Boundary
Zero Trust principles say never trust, always verify. Most Zero Trust implementations verify identity at login. GoFirm verifies authority at execution.
You are not managing a cryptographic protocol. You are not building an OOB channel. You are calling a function and acting on a verdict. GoFirm turns the toughest concepts in enterprise security into a three-line integration footprint.
Where It Fits in Your Stack
API endpoint
Call goFirm.confirm() before processing any action in the seven categories. Return 403 if verdict is not confirmed.
Microservice pipeline
Embed the SDK at the execution step. The service waits for the verdict before proceeding.
AI agent workflow
Call goFirm.confirm() at the agent’s action threshold. The agent cannot proceed without the signed receipt.
Infrastructure control plane
GoFirm Deep Guard deploys via connector at the database gateway, secrets vault, or cloud IAM layer. Same SDK. Same verdict. Same audit trail.
What Your CISO Gets
Un-bypassable cryptographic protection at the execution boundary.
Named authority confirmation tied to real-time employment status via HR directory.
Non-repudiable audit trail on every consequential action.
N-of-N multi-authority enforcement on the highest-consequence actions.
MFA fatigue attacks architecturally eliminated.
You get a three-line integration. Your CISO gets a board-ready governance primitive. Both from the same SDK call.
