# Get recommendation Get a risk recommendation for a client action reported to the SDK (via triggerActionEvent() call) Endpoint: GET /recommendation Security: risk_access_token ## Query parameters: - `action_token` (string, required) Action token returned by the SDK when the action was reported - `user_id` (string) *Deprecated – This parameter is no longer required. Identity and context should be provided during the triggerActionEvent or reportActionResult call. This API now only retrieves the calculated recommendation tied to the action_token. ## Response 200 fields (application/json): - `id` (string, required) Recommendation identifier Example: "385cd06b527a974982e0560b67123fe2b1b5a39fd98d8d32cdbaca8ec16fd62d" - `issued_at` (number, required) Unix epoch time in milliseconds this recommendation was issued at Example: 1648028118123 - `recommendation` (object, required) Recommended way to handle the reported action - `recommendation.type` (string, required) Recommendation type Enum: "CHALLENGE", "DENY", "ALLOW", "TRUST" - `recommendation.result` (string) The outcome of the action. Enum: "success", "failure", "incomplete" - `recommendation.challenge_type` (string) The type of challenge enforced for the reported action. Enum: "email_otp", "totp", "push_otp", "voice_otp", "idv", "captcha", "invisible_captcha", "password", "passkey" - `risk_score` (number, required) Used to assess the risk level of the client action Example: 73.2 - `context` (object, required) Identifies the context in which the action occurred - `context.action_id` (string, required) Identifier of the client action Example: "885cd06b527a97498200560b67123fe221b5a39fd98d8d22cdb7ca8ec16ed62d" - `context.action_type` (string, required) Type of client action this recommendation was issued for Example: "login" - `context.action_performed_at` (number, required) Unix epoch time in milliseconds the action event was reported Example: 1648028118123 - `context.device_timestamp` (number) Unix epoch timestamp (ms) from the device clock when the action is triggered via triggerActionEvent(). For backend-triggered actions, uses the server time (Date.now()). Used to correlate client and server events. Example: 1648028107819 - `context.client_id` (string) Identifies the client associated with the action Example: "d152ddd.ece93f4.c2a3d12.riskid.security" - `context.application_id` (string, required) Identifies the application associated with the action Example: "ece93f4" - `context.tenant_id` (string) Identifies your tenant within Transmit Example: "c2a3d12" - `context.device_id` (string, required) Unique device identifier. On web, stored in the cookie. On mobile, uses platform-provided identifiers such as Android ID (hex string) or iOS identifierForVendor (alphanumeric). Not derived from IMEI or other hardware identifiers. Example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIwZGE4ZmZjYy01NmE1LTRmMjgtYThkZi04NDY5MmYwYThmYTAiLCJ2ZXJzaW9uIjoxLCJpYXQiOjE2NTU3OTYzODQ1MzF9.TeGoqlCe_6eWzl9a3-vAumG4Xap8WjwsgcO2-DzGtLg" - `context.correlation_id` (string) Any ID that could help relate the action with external context or session (if set via triggerActionEvent() SDK calls) Example: "bcb934d8-89cb-433b-a4c7-b7d94299586b" - `context.device_fingerprint` (string, required) Hash value on all the device data collected from the browser Example: "a3c8f5ea75cb65fcdc3d0452b985f957a46e24afdc912e93dac1e115ecf408e5" - `context.device_public_key` (string) A unique and persistent identifier derived from cryptographic binding Example: "625ad815e47a1a05318c98185ff8cfb35fd706d836a1ad7459842f381929a8e3" - `context.user_id` (string) Opaque identifier of the user in your system (if set via setAuthenticatedUser() or init() SDK calls) Example: "5c4afa75c" - `context.claimed_user_id` (string) User ID of the not yet authenticated user, used to enhance risk and trust assessments. Once the user is authenticated, drs.setAuthenticatedUser() should be called. Example: "5c4afa75c" - `context.location` (string) The place in the application in which the action was performed (such as the page URL) Example: "https://www.amazingapp.com/shops?target=1" - `context.ip` (string) IP address - `context.ip_country` (string) Country code, specified in a two-letter format (ISO 3166-1 alpha-2) Example: "UK" - `context.ip_region` (string) Location region identified by IP address Example: "California" - `context.ip_location_city` (string) Location city identified by IP address Example: "Los Angeles" - `context.ip_location_zip` (string) Location zip code identified by IP address Example: 92131 - `context.ip_location_longitude` (string) Geolocation longitude identified by IP address Example: "-117.0903" - `context.ip_location_latitude` (string) Geolocation latitude identified by IP address Example: "32.9167" - `context.ip_asn_name` (string) Globally unique identifier that defines a group of one or more IP prefixes Example: "AS174 Cogent Communications" - `context.ip_asn_id` (string) Globally unique identifier that defines a group of one or more IP prefixes Example: "AS174" - `context.ip_organization_name` (string) IP organization name Example: "Cogent Communications" - `context.ip_organization_type` (string) Type of IP connection Example: "isp" - `context.ip_location_timezone` (string) Timezone location identified by IP address Example: "America/Los_Angeles" - `context.device_timezone` (string) Timezone on device Example: "America/Los_Angeles" - `context.device_languages` (array) Languages on device Example: ["en-US","en"] - `context.device_platform` (string) Type of device platform Example: "desktop" - `context.os_name` (string) Name of the operating system (e.g., macOS) Example: "macOS" - `context.os_version` (string) Operating system version Example: "14.1.0" - `context.browser_name` (string) Name of the browser (e.g., Chrome) Example: "Chrome" - `context.browser_version` (string) Browser major version Example: "113" - `context.user_agent` (string) User agent Example: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36" - `risk_signals` (object) Additional informative signals - `risk_signals.device` (object) Device relevant signals - `risk_signals.device.ram` (number) Device memory property, a floating point number. - `risk_signals.device.total_storage` (number) Device total storage, as received from the mobile native platform - `risk_signals.device.available_storage` (number) Device available storage, as received from the mobile native platform - `risk_signals.device.battery_level` (number) Device battery level, a floating point number - `risk_signals.device.device_power_state` (string) Indicates if the device is currently plugged into a power source. - `risk_signals.device.core_number` (number) Device core number - `risk_signals.device.graphic_card` (string) Device graphic card, as received from the web platform - `risk_signals.device.model` (string) Device model - `risk_signals.device.screen_width` (number) Device screen width in pixels - `risk_signals.device.screen_height` (number) Device screen height in pixels - `risk_signals.device.incognito` (boolean) Was the event performed using incognito browsing - `risk_signals.device.tampered` (boolean) Is the device tampered (root/jailbreak) - `risk_signals.device.emulated` (boolean) Is the device emulated - `risk_signals.device.spoofed` (boolean) Is the device spoofed - `risk_signals.device.tz_mismatch` (boolean) Was the event performed on a device with a timezone mismatching expected - `risk_signals.device.esim_usage` (boolean) Was the event performed using eSIM - `risk_signals.device.accept_languages` (string) Value of header 'accept-language' as it was at the action request - `risk_signals.device.mobile_network_code` (string) A string representation of the Device Carrier Mcc & Device Carrier Mnc - `risk_signals.device.screen_avail_width` (number) Number represents the available width size of the screen - `risk_signals.device.screen_avail_height` (number) Number represents the available height size of the screen - `risk_signals.device.screen_pixel_depth` (number) The pixel depth of the device screen - `risk_signals.device.screen_color_depth` (number) The color depth of the device screen - `risk_signals.device.font_count` (number) Number of font used in the website where the action occured - `risk_signals.device.cpu_arch` (string) A string represents the device cpu architecture - `risk_signals.device.device_navigator_useragent` (string) The user agent string from the device's browser navigator, providing details about the browser, operating system, and device. - `risk_signals.device.true_useragent` (string) The user agent string constructed by Mosaic, providing details about the browser, operating system, and device. - `risk_signals.device.device_timezone_offset` (number) The time zone offset of the device used. - `risk_signals.device.summer_timezone_offset` (number) The device’s timezone offset in minutes from UTC during daylight saving time. - `risk_signals.device.winter_timezone_offset` (number) The device’s timezone offset in minutes from UTC during standard (non-daylight saving) time. - `risk_signals.device.device_name` (string) The device’s name as recorded on iOS, reflecting the user-set name. - `risk_signals.network` (object) Network relevant signals - `risk_signals.network.vpn` (boolean) Was the event performed using VPN connection - `risk_signals.network.tor` (boolean) Was the event performed using Tor connection - `risk_signals.network.hosting` (boolean) Was the event performed using hosting connection - `risk_signals.network.proxy` (boolean) Was the event performed using proxy connection - `risk_signals.network.anonymizer` (boolean) Was the event performed using anonymized connection - `risk_signals.network.x_forwarded_for` (array) The X-Forwarded-For header value, indicating the originating IP address of the client connecting to the web server through an HTTP proxy or load balancer. - `risk_signals.behavior` (object) User behavior relevant signals - `risk_signals.behavior.typing_velocity` (number) Percentile of user typing speed Example: 0.867 - `risk_signals.behavior.movement_velocity` (number) Number of input event per second Example: 10 - `risk_signals.behavior.input_method` (array) A list of used input methods Example: ["is_typing","is_paste"] - `risk_signals.behavior.no_user_interaction` (boolean) Was there any user interaction before clicks - `risk_signals.behavior.straight_line_ratio` (number) The ratio of straight-line movements out of all movements in the context of the user action. High ratios could suggest automated or scripted behavior. - `risk_signals.behavior.right_angels_ratio` (number) The ratio of right-angle movements out of all movements in the context of the user action. Unusually high ratios may indicate non-human interactions. - `risk_signals.behavior.minor_angels_ratio` (number) The ratio of minor-angle movements out of all movements in the context of the user action. High ratios might suggest careful, precise movements often seen in automated processes. - `risk_signals.behavior.movement_latency` (number) Measures the median delay of mouse or touchscreen movements, calculated as the time between each captured location change in milliseconds within the context of the user action - `risk_signals.behavior.corner_click` (boolean) Indicates whether there were multiple clicks on the corner of a button in the context of the user action. Corner clicks could indicate repetitive, automated clicking patterns. - `risk_signals.history` (object) User history relevant signals - `risk_signals.history.ip_action_rate_60_sec` (integer) Number of actions originating from the same client IP address within 60 seconds prior to the current action Example: 1 - `risk_signals.history.user_action_rate_60_sec` (integer) Number of actions with the same userId that occurred within 60 seconds prior to the current action Example: 2 - `risk_signals.history.device_action_rate_60_sec` (integer) Number of actions originating from the same deviceId within 60 seconds prior to the current action Example: 1 - `risk_signals.history.ip_user_count_last_hour` (integer) Number of userId's associated with the IP address within an hour prior to the current event Example: 1 - `risk_signals.history.linking_user_to_device_count` (integer) Number of userId's associated with the current deviceId Example: 1 - `risk_signals.history.linking_device_to_users_count` (integer) Number of deviceId's associated with the current userId Example: 1 - `risk_signals.history.ip_device_count_last_hour` (integer) Number of deviceId's associated with the IP address within an hour prior to the current event Example: 1 - `reasons` (array, required) Explains the reasons for the recommendation Example: ["BEHAVIOR_BOT","IP_RISKY_REPUTATION","DEVICE_SUSPICIOUS_ATTRIBUTE","PROFILE_DEVICE_NEW"] - `transaction_data` (object) Transaction data-points given in the relevant action, from the SDK - `transaction_data.amount` (integer) The amount of the transaction Example: 120 - `transaction_data.currency` (string) The currency used for the transaction Example: "USD" - `transaction_data.reason` (string) The reason for the transaction - `transaction_data.transactionDate` (integer) The transaction timestamp date - `transaction_data.payer` (object) The provided data points for the transaction payer - `transaction_data.payer.name` (string) Payer name - `transaction_data.payer.bankIdentifier` (string) Payer bank identifier - `transaction_data.payer.branchIdentifier` (string) Payer branch identifier - `transaction_data.payer.accountNumber` (string) Payer account number - `transaction_data.payee` (object) The provided data points for the transaction payee - `transaction_data.payee.name` (string) Payee name - `transaction_data.payee.bankIdentifier` (string) Payee bank identifier - `transaction_data.payee.branchIdentifier` (string) Payee branch identifier - `transaction_data.payee.accountNumber` (string) Payee account number - `threats` (array) List of all detected threats Example: ["ACCOUNT_TAKEOVER","NEW_FRAUD_ACCOUNT"] - `preview_rule` (object) Rule configured in preview mode that would have determined the result of this recommendation if all enabled rules were in production. This is returned to allow you to evaluate the impact of preview rules, and did not impact the actual outcome. - `preview_rule.rule_name` (string) The name of the preview rule - `preview_rule.recommendation` (string) The recommendation of the preview rule ## Response 400 fields ## Response 401 fields ## Response 403 fields ## Response 429 fields ## Response 463 fields ## Response 500 fields