# Going to production

> Take Foil to production safely: start in report-only mode, monitor verdicts, add soft challenges, then enable hard enforcement once signals look stable.

## Rollout checklist

Before enforcing verdicts in production, follow this sequence:

### 1. Report-only mode

Start by logging verdicts without blocking anyone. This lets you understand your traffic baseline.

<CodeGroup>
  ```javascript Node.js theme={"dark"}
  const { safeVerifyFoilToken } = require('@abxy/foil-server');

  app.post('/signup', async (req, res) => {
    const result = safeVerifyFoilToken(
      req.body.sealedToken,
      process.env.FOIL_SECRET_KEY,
    );

    // Log but don't block
    if (result.ok) {
      console.log('Foil verdict:', result.data.decision.verdict, 'score:', result.data.decision.risk_score);
    }

    // Continue with signup regardless
    createAccount(req.body);
  });
  ```

  ```python Python theme={"dark"}
  from foil_server import safe_verify_foil_token
  import logging
  import os

  logger = logging.getLogger(__name__)

  @app.post("/signup")
  def signup(request):
      result = safe_verify_foil_token(
          request.json["sealedToken"],
          os.environ["FOIL_SECRET_KEY"],
      )

      # Log but don't block
      if result.ok:
          logger.info(
              f"Foil verdict: {result.data.decision.verdict}, "
              f"score: {result.data.decision.risk_score}"
          )

      # Continue with signup regardless
      create_account(request.json)
  ```

  ```bash cURL theme={"dark"}
  curl https://api.usefoil.com/v1/sessions/sid_... \
    -H "Authorization: Bearer sk_live_..."
  ```
</CodeGroup>

### 2. Soft challenge

After a week of report-only data, add friction for suspicious sessions:

* Show a CAPTCHA for `inconclusive` verdicts
* Add email verification for `bot` verdicts
* Let `human` verdicts through without friction

### 3. Hard enforcement

Once you're confident in the signal quality:

* Block `bot` verdicts outright
* Challenge `inconclusive` verdicts
* Pass `human` verdicts through

## Monitoring

Track these metrics in your dashboard:

* **Verdict distribution** — what % of traffic is human/bot/inconclusive?
* **False positive rate** — are real users being flagged?
* **Block rate** — how many sessions are you blocking?
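
The three rollout stages and the metrics above can be expressed as one policy table that you replay over logged report-only results before switching stages. This is an added example, not code from the Foil SDK; the stage names, action names, the `unverified` bucket for tokens that fail verification, and the sample data are assumptions.

```javascript
// Added example: staged enforcement policy plus the metrics listed under "Monitoring".
// Stage/action names and the "unverified" bucket are assumptions, not Foil identifiers.
const POLICY = {
  'report-only': { human: 'allow', inconclusive: 'allow', bot: 'allow', unverified: 'allow' },
  'soft': { human: 'allow', inconclusive: 'captcha', bot: 'email_verification', unverified: 'captcha' },
  'hard': { human: 'allow', inconclusive: 'challenge', bot: 'block', unverified: 'challenge' },
};

// Reduce a safeVerifyFoilToken-style result ({ ok, data.decision.verdict }) to one bucket.
// Failed verification or an unexpected verdict string lands in "unverified" (assumption),
// so it shows up in the metrics instead of silently passing as "human".
function verdictOf(result) {
  const v = result && result.ok ? result.data?.decision?.verdict : undefined;
  return ['human', 'bot', 'inconclusive'].includes(v) ? v : 'unverified';
}

function actionFor(stage, result) {
  const table = POLICY[stage];
  if (!table) throw new Error(`unknown rollout stage: ${stage}`);
  return table[verdictOf(result)];
}

// Replay logged results against a stage: verdict distribution (%), and the
// block/challenge rates (%) that stage would produce on the same traffic.
function summarize(stage, results) {
  const counts = { human: 0, bot: 0, inconclusive: 0, unverified: 0 };
  let blocked = 0;
  let challenged = 0;
  for (const r of results) {
    counts[verdictOf(r)] += 1;
    const action = actionFor(stage, r);
    if (action === 'block') blocked += 1;
    else if (action !== 'allow') challenged += 1;
  }
  const total = results.length || 1;
  const pct = (n) => Math.round((n / total) * 1000) / 10;
  return {
    distribution: Object.fromEntries(Object.entries(counts).map(([k, n]) => [k, pct(n)])),
    blockRate: pct(blocked),
    challengeRate: pct(challenged),
  };
}

// Constructed sample: 7 human, 1 inconclusive, 1 bot, 1 token that failed verification.
const mk = (verdict) => ({ ok: true, data: { decision: { verdict } } });
const SAMPLE = [...Array(7).fill(mk('human')), mk('inconclusive'), mk('bot'), { ok: false }];
```

Running `summarize('hard', SAMPLE)` against a week of report-only logs shows the block rate hard enforcement would have produced before any real user is affected.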

## What's next

* [Verdicts & scoring](/verdicts-and-scoring) — understand verdict thresholds
* [Troubleshooting](/resources/troubleshooting) — common production issues
