# Search and export recommendations via API

The Fraud Prevention lets you query historical actions for your tenant programmatically within a bounded time window. Use it to build investigation workflows, export records in bulk for offline analytics, or feed downstream fraud-review systems.

Results include the same action and recommandation details as [Recommendations API](/openapi/risk/recommendations.openapi/other/getriskrecommendation)—the same `context`, `risk_signals`, `transaction_data`, and `recommendation` objects—so any existing integration can consume historical actions without learning a second schema.

## Query actions

Use the [Search Actions API](/openapi/risk/actions-search.openapi/other/searchactions) to retrieve a paginated list of actions. Both `start_time` and `end_time` are required as Unix epoch time in milliseconds.

Tip
Keep the time window as narrow as your use case allows: a tighter range keeps responses fast and pagination predictable. When iterating across multiple pages, fix `start_time` and `end_time` once and reuse the same values on every subsequent call.

**Rate limit:** 20 requests per 60 seconds per tenant.

**Authorization**: Requests are authorized with a client access token obtained via the [token endpoint](/openapi/token.openapi/other/getaccesstoken). The token authenticates requests and scopes results to your tenant.

### Basic query

Retrieve the first page of all actions for a 24-hour window:

```http
GET https://api.transmitsecurity.io/risk/v1/search/actions?start_time=1779600000000&end_time=1779686400000
Authorization: Bearer <access_token>
```

### Filter by recommendation and action type

Narrow results to login actions that received a `DENY` recommendation. The `filters` parameter accepts URL-encoded JSON:

```http
GET https://api.transmitsecurity.io/risk/v1/search/actions
  ?start_time=1779600000000
  &end_time=1779686400000
  &filters=<url-encoded-json>
Authorization: Bearer <access_token>
```

Decoded filter value:

```json
{
  "and": [
    { "field": "recommendation.type", "operator": "eq", "value": "DENY" },
    { "field": "context.action_type", "operator": "eq", "value": "login" }
  ]
}
```

You can also filter on a single condition or use `or` instead of `and`. Supported operators include `eq`, `neq`, `lt`, `gt`, `between`, `in`, and `nin`.

## Bulk export

To export all actions within a window, page through results using `skip` and `take`:

- `take`: page size, up to 400 items per request (default: 100)
- `skip`: offset, up to 10,000


Use the `fields` parameter to return only the fields you need, which reduces response size significantly for large exports:

```http
GET https://api.transmitsecurity.io/risk/v1/search/actions
  ?start_time=1779600000000
  &end_time=1779686400000
  &take=400
  &skip=0
  &fields=<url-encoded-json>
Authorization: Bearer <access_token>
```

Decoded `fields` value:

```json
["id", "issued_at", "recommendation.type", "risk_score", "context.user_id", "context.action_type"]
```

For datasets larger than 10,000 items, split the export into shorter, non-overlapping time windows and run requests for each segment.

## API reference

For the full parameter list, filter syntax, and response schema, see [Search actions](/openapi/risk/actions-search.openapi/other/searchactions).