Castle Destination

Destination Info
  • Browser
Connection Modes
Device-mode Cloud-mode
Web Web
Mobile Mobile
Server Server

Castle monitors every step of the customer journey to help visualize and proactively block fraud that would otherwise fly under the radar. Types of fraud or abuse that can be managed include bots, fake accounts, multi-accounting, and account sharing.

Castle maintains this destination. For any issues with the destination, contact the Castle support team.

Getting Started

  1. Navigate to Connections > Catalog in the Segment web app.
  2. Search for Castle in the Destinations tab of the catalog, and select it, and click Configure Castle.
  3. Choose the sources you want to connect the destination to.
  4. Enter the “Publishable Key” the Publishable Key field. Find the Publishable Key on the Castle dashboard. Calls are now visible in Castle dashboards in real-time.

Castle ingests Segment Client-side events. Server-side events are dropped and not processed. Castle only supports web integrations through Segment, but is in the process of working on mobile support.


If you’re not familiar with the Segment Specs, take a look to understand what the Page call does. An example call looks like:

Segment sends Page calls to Castle as $page events.


If you’re not familiar with the Segment Specs, take a look to understand what the Track method does. An example call looks like:

analytics.track('Added to Cart')

Segment sends Track calls to Castle as a $custom events.

Secure Mode

Send user information as a signed JWT when you use Castle in production. This prevents bad actors from spoofing any user information.

In your backend code, encode the user as a JWT and sign it using your Castle “API Secret”. When Castle receives the JWT, the integrity of the user data is verified to ensure that the data wasn’t tampered with.

Below is an example of how to generate a JWT on your backend using the Ruby language:

jwt_from_backend = JWT.encode({
  id: '97980cfea0067',
  email: ''
}, ENV.fetch('CASTLE_API_SECRET'), 'HS256')

Transfer the user_jwt object to your frontend through a separate API call, or by injecting the code using a templating language:

var userJwt = "<%= jwt_from_backend %>";

// Then use the `userJwt` argument instead of `user` when using any of the tracking methods{userJwt: userJwt});

analytics.identify('97980cfea0067', {
  email: '',
}, {
  Castle: {
    userJwt: userJwt

When Castle receives a JWT version of the user object, its contents override the user object sent the standard Segment way.


You can send computed traits and audiences generated using Engage to this destination as a user property. To learn more about Engage, schedule a demo.

For user-property destinations, an identify call is sent to the destination for each user being added and removed. The property name is the snake_cased version of the audience name, with a true/false value to indicate membership. For example, when a user first completes an order in the last 30 days, Engage sends an Identify call with the property order_completed_last_30days: true. When the user no longer satisfies this condition (for example, it’s been more than 30 days since their last order), Engage sets that value to false.

When you first create an audience, Engage sends an Identify call for every user in that audience. Later audience syncs only send updates for users whose membership has changed since the last sync.

Real-time to batch destination sync frequency

Real-time audience syncs to Castle may take six or more hours for the initial sync to complete. Upon completion, a sync frequency of two to three hours is expected.


Segment lets you change these destination settings from the Segment app without having to touch any code.

Setting Description
Automatic Page tracking boolean, defaults to FALSE .

When you enable automatic page tracking, Castle will track a page view whenever the url of the site changes as opposed to mapping explicitly to your implementation of Segment .page() calls.
string. If your authenticated area is located at a different domain, use the cookie domain setting to change on which url the cookie is set.
API Publishable Key
string. You can find your publishable key under Settings in the Castle dashboard. It should look something like this: pk_KmoUyttyEiHCdFTWSqhAF1SL1z9Fi1yg. This is required and will be used to initialize Castle’s library on your device as well as when you make mobile/server calls through our server side integration.

This page was last modified: 06 Oct 2022

Get started with Segment

Segment is the easiest way to integrate your websites & mobile apps data to over 300 analytics and growth tools.
Create free account