# Get recommendation

Get a risk recommendation for a client action reported to the SDK (via triggerActionEvent() call)

Endpoint: GET /recommendation
Security: risk_access_token

## Query parameters:

  - `action_token` (string, required)
    Action token returned by the SDK when the action was reported

  - `user_id` (string)
    *Deprecated – This parameter is no longer required. Identity and context should be provided during the triggerActionEvent or reportActionResult call. This API now only retrieves the calculated recommendation tied to the action_token.

## Response 200 fields (application/json):

  - `id` (string, required)
    Recommendation identifier
    Example: "385cd06b527a974982e0560b67123fe2b1b5a39fd98d8d32cdbaca8ec16fd62d"

  - `issued_at` (number, required)
    Unix epoch time in milliseconds this recommendation was issued at
    Example: 1648028118123

  - `recommendation` (object, required)
    Decision the engine produced for the action.

  - `recommendation.type` (string, required)
    Recommendation type.
    Enum: "ALLOW", "CHALLENGE", "DENY", "TRUST"

  - `recommendation.result` (string,null)
    The outcome of the action.
    Enum: "success", "failure", "incomplete"

  - `recommendation.challenge_type` (string)
    The type of challenge enforced for the reported action.
    Enum: "sms_otp", "email_otp", "totp", "push_otp", "voice_otp", "idv", "captcha", "invisible_captcha", "password", "passkey"

  - `risk_score` (number, required)
    Used to assess the risk level of the action.
    Example: 73.2

  - `context` (object, required)
    Identifies the context in which the action occurred.

  - `context.action_id` (string, required)
    Identifier of the client action.
    Example: "885cd06b527a97498200560b67123fe221b5a39fd98d8d22cdb7ca8ec16ed62d"

  - `context.action_type` (string, required)
    Type of client action this recommendation was issued for.
    Example: "login"

  - `context.action_performed_at` (integer, required)
    Unix epoch time in milliseconds the action event was reported.
    Example: 1648028118123

  - `context.device_timestamp` (integer)
    Unix epoch timestamp (ms) from the device clock when the action is triggered via triggerActionEvent(). For backend-triggered actions, uses the server time. Used to correlate client and server events.
    Example: 1648028107819

  - `context.client_id` (string)
    Identifies the client associated with the action.
    Example: "d152ddd.ece93f4.c2a3d12.riskid.security"

  - `context.application_id` (string, required)
    Identifies the application associated with the action.
    Example: "ece93f4"

  - `context.tenant_id` (string)
    Identifies your tenant within Transmit.
    Example: "c2a3d12"

  - `context.device_id` (string, required)
    Unique device identifier generated by Transmit Security and stored by the SDK. On web, stored in the cookie. On mobile, uses platform-provided identifiers such as Android ID (hex string) or iOS identifierForVendor (alphanumeric). Not derived from IMEI or other hardware identifiers.
    Example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIwZGE4ZmZjYy01NmE1LTRmMjgtYThkZi04NDY5MmYwYThmYTAiLCJ2ZXJzaW9uIjoxLCJpYXQiOjE2NTU3OTYzODQ1MzF9.TeGoqlCe_6eWzl9a3-vAumG4Xap8WjwsgcO2-DzGtLg"

  - `context.correlation_id` (string)
    Any ID that could help relate the action with external context or session (if set via triggerActionEvent() SDK calls).
    Example: "bcb934d8-89cb-433b-a4c7-b7d94299586b"

  - `context.device_fingerprint` (string, required)
    Hash value on all the device data collected from the browser.
    Example: "a3c8f5ea75cb65fcdc3d0452b985f957a46e24afdc912e93dac1e115ecf408e5"

  - `context.device_public_key` (string)
    A unique and persistent identifier derived from cryptographic binding.
    Example: "625ad815e47a1a05318c98185ff8cfb35fd706d836a1ad7459842f381929a8e3"

  - `context.user_id` (string)
    Opaque identifier of the user in your system (if set via setAuthenticatedUser() or init() SDK calls).
    Example: "5c4afa75c"

  - `context.claimed_user_id` (string)
    User ID of the not-yet-authenticated user, used to enhance risk and trust assessments. Once the user is authenticated, setAuthenticatedUser() should be called.
    Example: "5c4afa75c"

  - `context.location` (string)
    The place in the application in which the action was performed (such as the page URL).
    Example: "https://www.amazingapp.com/shops?target=1"

  - `context.ip` (string)
    IP address.
    Example: "160.221.187.219"

  - `context.ip_country` (string)
    Country code, specified in a two-letter format (ISO 3166-1 alpha-2).
    Example: "US"

  - `context.ip_location_region` (string)
    Location region identified by IP address.
    Example: "California"

  - `context.ip_domain` (string)
    Domain name resolved from IP address.
    Example: "example.com"

  - `context.ip_location_city` (string)
    Location city identified by IP address.
    Example: "Los Angeles"

  - `context.ip_location_zip` (string)
    Location ZIP code identified by IP address.
    Example: "92131"

  - `context.ip_location_longitude` (string)
    Geolocation longitude identified by IP address.
    Example: "-117.0903"

  - `context.ip_location_latitude` (string)
    Geolocation latitude identified by IP address.
    Example: "32.9167"

  - `context.ip_asn_id` (string)
    Globally unique identifier that defines a group of one or more IP prefixes.
    Example: "AS174"

  - `context.ip_asn_name` (string)
    ASN name of the IP address.
    Example: "AS174 Cogent Communications"

  - `context.ip_organization_name` (string)
    IP organization name.
    Example: "Cogent Communications"

  - `context.ip_organization_type` (string)
    Type of IP connection (for example, isp, hosting, business).
    Example: "isp"

  - `context.ip_location_timezone` (string)
    Timezone location identified by IP address.
    Example: "America/Los_Angeles"

  - `context.device_timezone` (string)
    Timezone on device.
    Example: "America/Los_Angeles"

  - `context.device_languages` (array)
    Languages on device.
    Example: ["en-US","en"]

  - `context.device_platform` (string)
    Type of device platform.
    Example: "desktop"

  - `context.os_name` (string)
    Name of the operating system.
    Example: "macOS"

  - `context.os_version` (string)
    Operating system version.
    Example: "14.1.0"

  - `context.browser_name` (string)
    Name of the browser.
    Example: "Chrome"

  - `context.browser_version` (string)
    Browser major version.
    Example: "113"

  - `context.user_agent` (string)
    User agent string.
    Example: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"

  - `risk_signals` (object)
    Additional informative signals derived from the action.

  - `risk_signals.device` (object)
    Device-relevant signals.

  - `risk_signals.device.ram` (number)
    Device memory, a floating-point number.

  - `risk_signals.device.total_storage` (number)
    Device total storage, as received from the mobile native platform.

  - `risk_signals.device.available_storage` (number)
    Device available storage, as received from the mobile native platform.

  - `risk_signals.device.battery_level` (number)
    Device battery level, a floating-point number.

  - `risk_signals.device.device_power_state` (string)
    Indicates if the device is currently plugged into a power source.

  - `risk_signals.device.core_number` (number)
    Device core number.

  - `risk_signals.device.graphic_card` (string)
    Device graphics card, as received from the web platform.

  - `risk_signals.device.model` (string)
    Device model.

  - `risk_signals.device.screen_width` (number)
    Device screen width in pixels.

  - `risk_signals.device.screen_height` (number)
    Device screen height in pixels.

  - `risk_signals.device.screen_pixel_depth` (number)
    Pixel depth of the device screen.

  - `risk_signals.device.screen_color_depth` (number)
    Color depth of the device screen.

  - `risk_signals.device.screen_avail_width` (number)
    Available width of the screen.

  - `risk_signals.device.screen_avail_height` (number)
    Available height of the screen.

  - `risk_signals.device.incognito` (boolean)
    Whether the event was performed using incognito browsing.

  - `risk_signals.device.tampered` (boolean)
    Whether the device is tampered (root or jailbreak).

  - `risk_signals.device.emulated` (boolean)
    Whether the device is emulated.

  - `risk_signals.device.spoofed` (boolean)
    Whether the device is spoofed.

  - `risk_signals.device.tz_mismatch` (boolean)
    Whether the event was performed on a device with a timezone mismatching expected.

  - `risk_signals.device.esim_usage` (boolean)
    Whether the event was performed using eSIM.

  - `risk_signals.device.accept_languages` (string)
    Value of the accept-language header at the action request.

  - `risk_signals.device.mobile_network_code` (string)
    String representation of the device's mobile carrier MCC and MNC.

  - `risk_signals.device.font_count` (number)
    Number of fonts available on the device.

  - `risk_signals.device.cpu_arch` (string)
    Device CPU architecture.

  - `risk_signals.device.navigator_useragent` (string)
    User agent string from the device's browser navigator.

  - `risk_signals.device.true_useragent` (string)
    User agent string reconstructed by the SDK, providing details about the browser, OS, and device.

  - `risk_signals.device.device_timezone_offset` (number)
    Timezone offset of the device, in minutes from UTC.

  - `risk_signals.device.summer_timezone_offset` (number)
    Device's timezone offset in minutes from UTC during daylight saving time.

  - `risk_signals.device.winter_timezone_offset` (number)
    Device's timezone offset in minutes from UTC during standard time.

  - `risk_signals.device.device_name` (string)
    Device's name as recorded on iOS, reflecting the user-set name.

  - `risk_signals.network` (object)
    Network-relevant signals.

  - `risk_signals.network.vpn` (boolean)
    Whether the event was performed using a VPN connection.

  - `risk_signals.network.tor` (boolean)
    Whether the event was performed using a Tor connection.

  - `risk_signals.network.hosting` (boolean)
    Whether the event was performed from a hosting provider.

  - `risk_signals.network.proxy` (boolean)
    Whether the event was performed via a proxy.

  - `risk_signals.network.anonymizer` (boolean)
    Whether the event was performed via an anonymizer.

  - `risk_signals.network.x_forwarded_for` (array)
    The X-Forwarded-For header value, indicating the chain of intermediate proxies.
    Example: ["160.221.187.219","52.23.177.192","172.70.34.26"]

  - `risk_signals.behavior` (object)
    User-behavior-relevant signals.

  - `risk_signals.behavior.typing_velocity` (number)
    Percentile of user typing speed.
    Example: 0.867

  - `risk_signals.behavior.movement_velocity` (number)
    Number of input events per second.
    Example: 10

  - `risk_signals.behavior.input_method` (array)
    A list of used input methods.

| Value | Description | Platform |
|---|---|---|
| is_typing | Standard character-by-character keyboard text entry. | Web, Mobile |
| is_paste | Content inserted via paste (e.g. Ctrl/Cmd+V or context-menu paste). | Web, Mobile |
| is_autocomplete | Value entered via an OS/keyboard autocomplete or autofill suggestion. | Mobile |
| is_password_manager | Value populated by a password manager / browser autofill. | Web |
| is_insert_replacement_text | Existing text replaced with a suggested value (e.g. spell-check/autocorrect or autofill replacement). | Web |
| is_insert_composition | Text inserted from an in-progress IME composition (e.g. while composing CJK characters). | Web |
| is_insert_from_composition | Text committed (finalized) from an IME composition. | Web |
| is_insert_line_break | A line break was inserted (e.g. Shift+Enter). | Web |
| is_insert_from_drop | Text inserted by dragging and dropping content into the field. | Web |
| is_delete | A deletion occurred (generic). | Mobile |
| is_delete_content_backward | Deletion of the character before the cursor (Backspace). | Web |
| is_delete_content_forward | Deletion of the character after the cursor (Delete key). | Web |
| is_delete_content | Generic content deletion where direction is unspecified. | Web |
| is_delete_word_backward | Deletion of the word before the cursor (e.g. Ctrl/Alt+Backspace). | Web |
| is_delete_softline_backward | Deletion to the start of the current soft-wrapped line. | Web |
| is_delete_hardline_backward | Deletion to the start of the current line/block (hard line boundary). | Web |
| is_delete_by_cut | Content removed via Cut (e.g. Ctrl/Cmd+X). | Web |
| is_delete_by_drag | Content removed by dragging it out of the field. | Web |
| is_delete_composition_text | Deletion of in-progress IME composition text. | Web |
| is_history_undo | An undo action (e.g. Ctrl/Cmd+Z). | Web |
| is_history_redo | A redo action (e.g. Ctrl/Cmd+Y or Shift+Ctrl/Cmd+Z). | Web |
    Example: ["is_typing","is_paste"]

  - `risk_signals.behavior.no_user_interaction` (boolean)
    Whether there was any user interaction before clicks.

  - `risk_signals.behavior.straight_line_ratio` (number)
    Ratio of straight-line movements out of all movements in the action's context.

  - `risk_signals.behavior.right_angels_ratio` (number)
    Ratio of right-angle movements out of all movements in the action's context.

  - `risk_signals.behavior.minor_angels_ratio` (number)
    Ratio of minor-angle movements out of all movements in the action's context.

  - `risk_signals.behavior.movement_latency` (number)
    Median delay of mouse or touchscreen movements (ms) within the action's context.

  - `risk_signals.behavior.corner_click` (boolean)
    Whether there were multiple clicks on the corner of a button in the action's context.

  - `risk_signals.history` (object)
    User-history-relevant signals.

  - `risk_signals.history.ip_action_rate_60_sec` (integer)
    Number of actions originating from the same client IP within 60 seconds prior to this action.
    Example: 7

  - `risk_signals.history.user_action_rate_60_sec` (integer)
    Number of actions with the same user_id within 60 seconds prior to this action.

  - `risk_signals.history.device_action_rate_60_sec` (integer)
    Number of actions originating from the same device_id within 60 seconds prior to this action.

  - `risk_signals.history.ip_user_count_last_hour` (integer)
    Number of distinct user_ids associated with the IP address within the previous hour.

  - `risk_signals.history.ip_device_count_last_hour` (integer)
    Number of distinct device_ids associated with the IP address within the previous hour.

  - `risk_signals.history.linking_device_to_users_count` (integer)
    Number of distinct user_ids associated with this device_id.

  - `risk_signals.history.linking_user_to_device_count` (integer)
    Number of distinct device_ids associated with this user_id.

  - `reasons` (array, required)
    Reasons that contributed to the recommendation.
    Example: ["BEHAVIOR_BOT","IP_RISKY_REPUTATION","DEVICE_SUSPICIOUS_ATTRIBUTE","PROFILE_DEVICE_NEW"]

  - `transaction_data` (object)
    Transaction data-points provided with the action via the SDK.

  - `transaction_data.amount` (number)
    Monetary amount of the transaction. Sanitized server-side with parseFloat; must be strictly positive and at most 999,999,999.99.
    Example: 1500.75

  - `transaction_data.currency` (string)
    Currency code for the transaction (ISO-4217).
    Example: "USD"

  - `transaction_data.type` (string)
    Transaction type.
    Enum: "purchase", "bill_payment", "mobile_recharge", "money_transfer", "credit_transfer", "credit_redemption", "top_up", "withdrawal", "investment", "loan", "refund", "other"

  - `transaction_data.method` (string)
    Transaction method.
    Enum: "bank_account", "wire", "card", "p2p", "wallet"

  - `transaction_data.channelId` (string)
    Identifier for the channel used for the transaction.
    Example: "MOBILE_APP"

  - `transaction_data.reason` (string)
    Reason for the transaction.
    Example: "Monthly subscription payment"

  - `transaction_data.transactionDate` (integer)
    Transaction timestamp (Unix epoch, milliseconds or seconds).
    Example: 1712594340000

  - `transaction_data.payer` (object)
    Payer party of the transaction. Adds customer-tier and billing-info fields on top of the shared party shape.

  - `transaction_data.payer.customerTier` (string)
    Payer's customer tier.
    Example: "premium"

  - `transaction_data.payer.billingInfo` (object)
    Address and contact information (used by billingInfo and shippingInfo).

  - `transaction_data.payer.billingInfo.name` (string)
    Full name.
    Example: "John Doe"

  - `transaction_data.payer.billingInfo.addressLine1` (string)
    Address line 1.
    Example: "123 Main St"

  - `transaction_data.payer.billingInfo.addressLine2` (string)
    Address line 2.
    Example: "Apt 4B"

  - `transaction_data.payer.billingInfo.city` (string)
    City.
    Example: "New York"

  - `transaction_data.payer.billingInfo.state` (string)
    State, province, or region.
    Example: "NY"

  - `transaction_data.payer.billingInfo.zipPostalCode` (string)
    ZIP or postal code.
    Example: "10001"

  - `transaction_data.payer.billingInfo.country` (string)
    Country code (ISO-3166-1 alpha-2).
    Example: "US"

  - `transaction_data.payer.billingInfo.email` (string)
    Email address.
    Example: "john.doe@example.com"

  - `transaction_data.payer.billingInfo.phone` (string)
    Phone number.
    Example: "+1234567890"

  - `transaction_data.payer.name` (string)
    Party's name.
    Example: "John Doe"

  - `transaction_data.payer.accountNumber` (string)
    Party's account number.
    Example: "1234567890123456"

  - `transaction_data.payer.accountId` (string)
    Unique identifier for the party's account.
    Example: "USER_983245"

  - `transaction_data.payer.accountCountryCode` (string)
    Country code of the account (ISO-3166-1 alpha-2).
    Example: "US"

  - `transaction_data.payer.bankIdentifier` (string)
    Party's bank identifier.
    Example: "CHASEUS33"

  - `transaction_data.payer.branchIdentifier` (string)
    Party's branch identifier.
    Example: "123456"

  - `transaction_data.payer.card` (object)
    Card-level identifiers for the party.

  - `transaction_data.payer.card.holderName` (string)
    Name of the card holder.
    Example: "John Doe"

  - `transaction_data.payer.card.bin` (string)
    Bank Identification Number (first 6 digits of the card).
    Example: "411111"

  - `transaction_data.payer.card.last4` (string)
    Last 4 digits of the credit card number.
    Example: "1234"

  - `transaction_data.payee` (object)
    Payee party of the transaction.

  - `transaction_data.payee.name` (string)
    Party's name.
    Example: "John Doe"

  - `transaction_data.payee.accountNumber` (string)
    Party's account number.
    Example: "1234567890123456"

  - `transaction_data.payee.accountId` (string)
    Unique identifier for the party's account.
    Example: "USER_983245"

  - `transaction_data.payee.accountCountryCode` (string)
    Country code of the account (ISO-3166-1 alpha-2).
    Example: "US"

  - `transaction_data.payee.bankIdentifier` (string)
    Party's bank identifier.
    Example: "CHASEUS33"

  - `transaction_data.payee.branchIdentifier` (string)
    Party's branch identifier.
    Example: "123456"

  - `transaction_data.payee.card` (object)
    Card-level identifiers for the party.

  - `transaction_data.purchase` (object)
    Purchase details for the transaction.

  - `transaction_data.purchase.totalItems` (integer)
    Total number of items in the purchase.
    Example: 3

  - `transaction_data.purchase.products` (array)
    Line items in the purchase.

  - `transaction_data.purchase.products.id` (string)
    Unique identifier for the product.
    Example: "PROD_12345"

  - `transaction_data.purchase.products.name` (string)
    Name of the product.
    Example: "iPhone 15"

  - `transaction_data.purchase.products.amount` (integer)
    Quantity of this product line item.
    Example: 1

  - `transaction_data.purchase.products.price` (number)
    Price per unit of the product.
    Example: 999.99

  - `transaction_data.purchase.shippingInfo` (object)
    Address and contact information (used by billingInfo and shippingInfo).

  - `transaction_data.avs` (object)
    Address Verification Service result for the transaction.

  - `transaction_data.avs.code` (string)
    AVS response code.
    Example: "Y"

  - `transaction_data.avs.provider` (string)
    AVS provider name.
    Example: "Stripe"

  - `transaction_data.avs.matchLevel` (string)
    AVS match level.
    Enum: "none", "postal", "street", "full", "unknown"

  - `custom_attributes` (object)
    Tenant-defined custom attributes attached to the action. These add context to an action but must match the schema defined in the Admin Portal. Invalid attributes are ignored and not included in the response.

  - `threats` (array)
    List of all detected threats.
    Example: ["ACCOUNT_TAKEOVER","NEW_FRAUD_ACCOUNT"]

  - `preview_rule` (object)
    Rule configured in preview mode that would have determined this action's recommendation if all enabled rules were in production. Useful for impact analysis without changing live behavior.

  - `preview_rule.rule_name` (string)
    Name of the preview rule.

  - `preview_rule.recommendation` (string)
    Recommendation the preview rule would have applied.
    Enum: same as `recommendation.type` (4 values)

  - `preview_rule.risk_score` (number)
    Risk score the preview rule would have applied.


## Response 400 fields

## Response 401 fields

## Response 403 fields

## Response 429 fields

## Response 463 fields

## Response 500 fields
