AxioRankDocs
Integrations

TYPO3

Verify the AI agents that log in, call JSON endpoints, search, and submit forms on your TYPO3 site with the AxioRank Agent Verification extension. A native TYPO3 v13 extension and a thin client of the inbound verify endpoint that blocks unverified agents in real time.

Most AxioRank integrations govern the calls your agents make outbound. The TYPO3 extension is on the inbound side: it verifies the AI agents reaching a website surface you operate, your backend and login, JSON page types, search, and forms. It is a native TYPO3 v13 extension and a thin client of the verify endpoint, so each checked request is forwarded as one authenticated POST to /api/gateway/verify-request and the verdict drives what happens. There is no template code to write and no local model.

A real inline block, because it runs on your server

Unlike a hosted app, the extension is a PSR-15 middleware in your TYPO3 site's own request path. So it enforces synchronously: an unverified agent is stopped at the login, a JSON endpoint, search, or a form, before the page is rendered. It runs after site resolution and before page rendering, on both the frontend and backend stacks.

Install

  1. Register a website surface in AxioRank under Inbound, Surfaces (or with POST /api/surfaces) for your site's domain and copy its site key (axr_site_...), distinct from your agent key.

  2. Install the extension with Composer:

    composer require axiorank/typo3-agent-verification

    Activate it, then update the database schema so the local log table is created.

  3. Add the site key. To keep it out of the database, define it as an environment constant in config/system/additional.php:

    putenv('AXIORANK_SITE_KEY=axr_site_...');

    You can also set a per-site value in the Sites module, or paste it into the extension configuration under Admin Tools, Settings.

  4. Open the AxioRank backend module, press Test connection, and leave the mode on Monitor.

What gets verified

The extension only checks the traffic worth checking, so ordinary human page views never call out:

  • Any request carrying Web Bot Auth signature material (always verified).
  • The backend and login, JSON page types (a numeric type parameter), on-site search (Indexed Search and Solr), and form submissions (EXT:form), when the request is signed or its user agent looks like a bot. Each is a toggle.

On the backend stack, only signed or bot-like requests call out, so an administrator's own clicks stay fast. Each check is scored and logged in your AxioRank dashboard, and in the local verdict log you can browse in TYPO3.

Manage agents in the backend

The extension ships two backend modules. Overview shows the connection status, lifetime activity, the most recent verdicts, and a self-test. Agents is an in-backend policy manager: with a site key that has the inbound:manage scope, you can create allow, challenge, and block rules by agent, category, verification status, or risk, and flip monitor and enforce, without leaving TYPO3. There are also dashboard widgets (agents verified, agents blocked, recent agents) and an entry in the Reports status module.

Monitor first, then enforce

A surface starts in monitor posture: AxioRank computes and logs the verdict, but nothing is blocked. Watch the audit log and the backend module, then set both the AxioRank surface and the extension to enforce. Enforcement is a deliberate double-gate: it acts only when the response's own enforced flag is true, so the surface posture stays authoritative and a single flag cannot cause an accidental outage.

Fail-open by design

Verification sits in your request path, so it fails open. Only a rejected site key raises a notice; any timeout or transport failure resolves to an allow, so a verification outage never takes your site down.

What is sent to AxioRank

For each checked request, the extension sends the basics needed to verify identity: the method, host, path, query, the stated user agent, the IP address, and the headers that carry the agent's signature. It never sends cookies, passwords, or the Authorization header.

Next steps

  • Inbound surfaces: the model behind the website surface.
  • Policies: scope inbound decisions by operation and agent.
  • Gateway API: the raw verify-request contract the extension speaks.

On this page