minFraud API Requests

Authorization and Security

The HTTP Authorization header is required for authorization. The username is your MaxMind account ID. The password is your MaxMind license key.

You must be approved for a trial or purchase credit for use with our web services in order to receive an account ID and license key.

We use basic HTTP authentication. The APIs which require authentication are only available via HTTPS. The credentials are never transmitted unencrypted. If you attempt to access this service via HTTP, you will receive a 403 Forbidden HTTP response.

We require TLS 1.2 or greater for all requests to our servers to keep your data secure.

Service Endpoints

The endpoint for each service is as specified below.

Service	HTTP Method	Endpoint
Score	`POST`	`https://minfraud.maxmind.com/minfraud/v2.0/score`
Insights	`POST`	`https://minfraud.maxmind.com/minfraud/v2.0/insights`
Factors	`POST`	`https://minfraud.maxmind.com/minfraud/v2.0/factors`

The minfraud.maxmind.com hostname automatically picks the data center geographically closest to you.

Headers

The Authorization header is always required. See Authorization and Security for more details.

The Accept header for a request is entirely optional. If you do include one, you must accept one of the following, substituting the [SERVICE-TYPE] with either score, insights, or factors as appropriate:

application/json
application/vnd.maxmind.com-minfraud-[SERVICE TYPE]+json
application/vnd.maxmind.com-minfraud-[SERVICE TYPE]+json; charset=UTF-8; version=2.0

A request for any other MIME type will result in a 415 Unsupported Media Type error.

If you set the Accept-Charset header in your client code, you must accept the UTF-8 character set. If you don’t you will receive a 406 Not Acceptable response.

Request Body

Currently minFraud Score, minFraud Insights, and minFraud Factors use the same request document format. The request consists of a JSON object with one or more of the fields shown below. Each key in the top-level object maps to an object or array as described below. New fields that apply to one or both may be added in the future.

String fields are limited to no more than 255 valid Unicode characters unless a shorter length is specified; the null and newline characters are forbidden. Of course, many fields also have additional constraints that limit the length. For example, the ip_address field cannot be longer than the longest valid representation of an IPv6 address. Unless it must match a specific format, it is valid for a string field to be empty.

Boolean fields must be provided as JSON true or false.

Unless otherwise specified, if the value meets the requirements for the field, then it will not be modified. Beyond field specific exceptions, an exception to this is if the value is provided as a type different from what we require. In such cases we convert it to the required type if possible. For example, if you provide a string field as a number, then it will be converted to a string, and vice versa. This conversion happens only between numbers and strings.

The entire request body is limited to 20,000 bytes. Requests larger than this size will be rejected.

 1{
 2  "account": {
 3    "user_id": "3132",
 4    "username_md5": "570a90bfbf8c7eab5dc5d4e26832d5b1"
 5  },
 6  "billing": {
 7    "address": "400 Blake St.",
 8    "address_2": "Suite 5",
 9    "city": "New Haven",
10    "company": "Big Corp.",
11    "country": "US",
12    "first_name": "John",
13    "last_name": "Doe",
14    "phone_country_code": "1",
15    "phone_number": "203-000-0000",
16    "postal": "06511",
17    "region": "CT"
18  },
19  "credit_card": {
20    "avs_result": "Y",
21    "bank_name": "Bank of America",
22    "bank_phone_country_code": "1",
23    "bank_phone_number": "800-342-1232",
24    "country": "US",
25    "cvv_result": "N",
26    "issuer_id_number": "323132",
27    "last_digits": "7643",
28    "token": "OQRST14PLQ98323",
29    "was_3d_secure_successful": true
30  },
31  "custom_inputs": {
32    "a_custom_input_key": "NSC0083121",
33    "another_custom_input_key": false
34  },
35  "device": {
36    "accept_language": "en-US,en;q=0.8",
37    "ip_address": "2001:db8::ff00:42:8329",
38    "session_age": 3600.5,
39    "session_id": "c2ffa1b7-f5c5-4702-beb2-4254794fe391",
40    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"
41  },
42  "email": {
43    "address": "977577b140bfb7c516e4746204fbdb01",
44    "domain": "maxmind.com"
45  },
46  "event": {
47    "party": "customer",
48    "shop_id": "s2123",
49    "time": "2012-04-12T23:20:50.52Z",
50    "transaction_id": "txn3134133",
51    "type": "purchase"
52  },
53  "order": {
54    "affiliate_id": "af12",
55    "amount": 323.21,
56    "currency": "USD",
57    "discount_code": "FIRST",
58    "has_gift_message": false,
59    "is_gift": true,
60    "referrer_uri": "http://www.google.com/",
61    "subaffiliate_id": "saf42"
62  },
63  "payment": {
64    "decline_code": "card_declined",
65    "method": "card",
66    "processor": "stripe",
67    "was_authorized": false
68  },
69  "shipping": {
70    "address": "82 Wall St.",
71    "address_2": "#1",
72    "city": "New Haven",
73    "company": "Smaller, Inc.",
74    "country": "US",
75    "delivery_speed": "same_day",
76    "first_name": "Jane",
77    "last_name": "Doe",
78    "phone_country_code": "1",
79    "phone_number": "203-000-0000",
80    "postal": "06515",
81    "region": "CT"
82  },
83  "shopping_cart": [
84    {
85      "category": "pets",
86      "item_id": "ad23232",
87      "price": 20.43,
88      "quantity": 2
89    },
90    {
91      "category": "beauty",
92      "item_id": "bst112",
93      "price": 100,
94      "quantity": 1
95    }
96  ]
97}

Device

device is a JSON object that contains information about the device used in the transaction.

1{
2  "accept_language": "en-US,en;q=0.8",
3  "ip_address": "2001:db8::ff00:42:8329",
4  "session_age": 3600.5,
5  "session_id": "c2ffa1b7-f5c5-4702-beb2-4254794fe391",
6  "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"
7}

Key	Value Type	Description
`ip_address`	string	The IP address associated with the device used by the customer in the transaction. The IP address must be in IPv4 or IPv6 presentation format, i.e., dotted-quad notation or the IPv6 hexadecimal-colon notation. Get tips for how to pass the /device/ip_address input on our Knowledge Base. format: IPv4 or IPv6
`user_agent`	string	The HTTP `User-Agent` header of the browser used in the transaction. Learn more about the /device/user_agent input on our Knowledge Base. max length: 512
`accept_language`	string	The HTTP `Accept-Language` header of the device used in the transaction. Learn more about the /device/accept_language input on our Knowledge Base. max length: 255
`session_age`	decimal	The number of seconds between the creation of the user’s session and the time of the transaction. Note that `session_age` is not the duration of the current visit, but the time since the start of the first visit. Learn more about the /device/session_age input on our Knowledge Base. min: 0, max: 10e13-1
`session_id`	string	An ID that uniquely identifies a visitor’s session on the site. Learn more about the /device/session_id input on our Knowledge Base. max length: 255

Event

event is a JSON object that contains general information related to the event being scored

1{
2  "party": "customer",
3  "shop_id": "s2123",
4  "time": "2012-04-12T23:20:50.52Z",
5  "transaction_id": "txn3134133",
6  "type": "purchase"
7}

Key	Value Type	Description
`transaction_id`	string	Your internal ID for the transaction. We can use this to locate a specific transaction in our logs, and it will also show up in email alerts and notifications from us to you. No specific format is required. Learn more about the /event/transaction_id input on our Knowledge Base. max length: 255
`shop_id`	string	Your internal ID for the shop, affiliate, or merchant this order is coming from. Required for minFraud users who are resellers, payment providers, gateways and affiliate networks. No specific format is required. However, if you are testing the minFraud service, please add a `test` prefix to your shop ID (e.g. `testfoo23` or `test:foo23`) or set your shop ID to `test` if you don’t have a shop ID. Learn more about the /event/shop_id input on our Knowledge Base. max length: 255
`time`	string	The date and time the event occurred. The string must be in the RFC 3339 date-time format. The time must be within the past year. If this field is not in the request, the current time will be used. It is not recommended to use this input when scoring live transactions as they occur. However, it can be useful if you store transactions to be submitted to the service for scoring later. Please note that you cannot submit times more than one year in the past. If you submit an event time more than one year in the past, the current time will be used to score the transaction, and a warning will be returned. Learn more about the /event/time input on our Knowledge Base.
`type`	string	The type of event being scored. The valid types are: `account_creation` `account_login` `credit_application` `email_change` `fund_transfer` `password_reset` `payout_change` `purchase` `recurring_purchase` `referral` `survey` Learn more about the /event/type input on our Knowledge Base. format: enum
`party`	string	The party submitting this transaction. The valid values are: `agent` `customer` format: enum

Account

account is a JSON object that contains account information for the end-user on the site where the event took place

1{
2  "user_id": "3132",
3  "username_md5": "570a90bfbf8c7eab5dc5d4e26832d5b1"
4}

Key	Value Type	Description
`user_id`	string	A unique user ID associated with the end-user in your system. If your system allows the login name for the account to be changed, this should not be the login name for the account, but rather should be an internal ID that does not change. This is not your MaxMind account ID. No specific format is required. Learn more about the /account/user_id input on our Knowledge Base. max length: 255
`username_md5`	string	An MD5 hash as a hexadecimal string of the username or login name associated with the account. max length: 32

Email

email is a JSON object that contains information about the email address of the end-user who initiated the event.

1{
2  "address": "977577b140bfb7c516e4746204fbdb01",
3  "domain": "maxmind.com"
4}

Key	Value Type	Description
`address`	string	This field must be either be a valid email address or an MD5 of the email used in the transaction. Learn more about the /email/address input on our Knowledge Base. max length: 255, type: Email or MD5 of Email
`domain`	string	The domain of the email address used in the transaction. Do not include the`@` in this field. You do not need to pass the email domain input unless you are passing the email address as an MD5 hash. Learn more about hashed email inputs on our Knowledge Base. max length: 255

Billing

billing is a JSON object that contains the billing address and contact information provided by the end-user who initiated the event.

Learn more about the billing address inputs on our Knowledge Base.

 1{
 2  "address": "400 Blake St.",
 3  "address_2": "Suite 5",
 4  "city": "New Haven",
 5  "company": "Big Corp.",
 6  "country": "US",
 7  "first_name": "John",
 8  "last_name": "Doe",
 9  "phone_country_code": "1",
10  "phone_number": "203-000-0000",
11  "postal": "06511",
12  "region": "CT"
13}

Key	Value Type	Description
`first_name`	string	The first name of the end user as provided in their billing information. max length: 255
`last_name`	string	The last name of the end user as provided in their billing information. max length: 255
`company`	string	The company of the end user as provided in their billing information. max length: 255
`address`	string	The first line of the user’s billing address. max length: 255
`address_2`	string	The second line of the user’s billing address. max length: 255
`city`	string	The city of the user’s billing address. max length: 255
`region`	string	The ISO 3166-2 subdivision code for the user’s billing address. max length: 4
`country`	string	The two character ISO 3166-1 alpha-2 country code of the user’s billing address. max length: 2
`postal`	string	The postal code of the user’s billing address. max length: 255
`phone_number`	string	The phone number without the country code for the user’s billing address. Punctuation characters will be stripped. After stripping punctuation characters, the number must contain only digits. max length: 255
`phone_country_code`	string	The country code for phone number associated with the user’s billing address. If you provide this information then you must provide at least one digit. max length: 4

Shipping

shipping is a JSON object that contains the shipping address and contact information provided by the end-user who initiated the event.

Learn more about the shipping address inputs on our Knowledge Base.

 1{
 2  "address": "82 Wall St.",
 3  "address_2": "#1",
 4  "city": "New Haven",
 5  "company": "Smaller, Inc.",
 6  "country": "US",
 7  "delivery_speed": "same_day",
 8  "first_name": "Jane",
 9  "last_name": "Doe",
10  "phone_country_code": "1",
11  "phone_number": "203-000-0000",
12  "postal": "06515",
13  "region": "CT"
14}

Key	Value Type	Description
`first_name`	string	The first name of the end user as provided in their shipping information. max length: 255
`last_name`	string	The last name of the end user as provided in their shipping information. max length: 255
`company`	string	The company of the end user as provided in their shipping information. max length: 255
`address`	string	The first line of the user’s shipping address. max length: 255
`address_2`	string	The second line of the user’s shipping address. max length: 255
`city`	string	The city of the user’s shipping address. max length: 255
`region`	string	The ISO 3166-2 subdivision code for the user’s shipping address. max length: 4
`country`	string	The two character ISO 3166-1 alpha-2 country code of the user’s shipping address. max length: 2
`postal`	string	The postal code of the user’s shipping address. max length: 255
`phone_number`	string	The phone number without the country code for the user’s shipping address. Punctuation characters will be stripped. After stripping punctuation characters, the number must contain only digits. max length: 255
`phone_country_code`	string	The country code for phone number associated with the user’s shipping address. If you provide this information then you must provide at least one digit. max length: 4
`delivery_speed`	string	The shipping delivery speed for the order. The valid values are: `same_day` `overnight` `expedited` `standard` format: enum

Payment

payment is a JSON object that contains information from and about the payment process that was used for the event.

1{
2  "decline_code": "card_declined",
3  "method": "card",
4  "processor": "stripe",
5  "was_authorized": false
6}

Key	Value Type	Description
`method`	string	The payment method associated with the transaction. The valid values are: `bank_debit` `bank_redirect` `bank_transfer` `buy_now_pay_later` `card` `crypto` `digital_wallet` `gift_card` `real_time_payment` `rewards` format: enum
`processor`	string	The payment processor used for the transaction. The valid values are: `adyen` `affirm` `afterpay` `altapay` `amazon_payments` `american_express_payment_gateway` `apple_pay` `aps_payments` `authorizenet` `balanced` `beanstream` `bluepay` `bluesnap` `boacompra` `boku` `bpoint` `braintree` `cardknox` `cardpay` `cashfree` `ccavenue` `ccnow` `cetelem` `chase_paymentech` `checkout_com` `cielo` `collector` `commdoo` `compropago` `concept_payments` `conekta` `coregateway` `creditguard` `credorax` `cryptomus` `ct_payments` `cuentadigital` `curopayments` `cybersource` `dalenys` `dalpay` `datacap` `datacash` `dibs` `digital_river` `dlocal` `dotpay` `ebs` `ecomm365` `ecommpay` `elavon` `emerchantpay` `epay` `epayco` `eprocessing_network` `epx` `eway` `exact` `first_atlantic_commerce` `first_data` `fiserv` `g2a_pay` `global_payments` `gocardless` `google_pay` `heartland` `hipay` `ingenico` `interac` `internetsecure` `intuit_quickbooks_payments` `iugu` `klarna` `komoju` `lemon_way` `mastercard_payment_gateway` `mercadopago` `mercanet` `merchant_esolutions` `mirjeh` `mollie` `moneris_solutions` `neopay` `neosurf` `nmi` `oceanpayment` `oney` `onpay` `openbucks` `openpaymx` `optimal_payments` `orangepay` `other` `pacnet_services` `payconex` `payeezy` `payfast` `paygate` `paylike` `payment_express` `paymentwall` `payone` `paypal` `payplus` `paysafecard` `paysera` `paystation` `paytm` `paytrace` `paytrail` `payture` `payulatam` `payvision` `payu` `payway` `payza` `pinpayments` `placetopay` `posconnect` `princeton_payment_solutions` `psigate` `pxp_financial` `qiwi` `quickpay` `raberil` `razorpay` `rede` `redpagos` `rewardspay` `safecharge` `sagepay` `securepay` `securetrading` `shopify_payments` `simplify_commerce` `skrill` `smartcoin` `smartdebit` `solidtrust_pay` `sps_decidir` `stripe` `synapsefi` `systempay` `telerecargas` `towah` `transact_pro` `trustly` `trustpay` `tsys` `usa_epay` `vantiv` `verepay` `vericheck` `vindicia` `virtual_card_services` `vme` `vpos` `windcave` `wirecard` `worldpay` If your payment processor is missing from this list, please contact our support team. format: enum
`was_authorized`	boolean	The authorization outcome from the payment processor. If the transaction has not yet been approved or denied, do not include this field.
`decline_code`	string	The decline code as provided by your payment processor. If the transaction was not declined, do not include this field. max length: 255

Credit Card

credit_card is a JSON object that contains information provided by the end-user and the payment processor about the credit card used for the for the event.

 1{
 2  "avs_result": "Y",
 3  "bank_name": "Bank of America",
 4  "bank_phone_country_code": "1",
 5  "bank_phone_number": "800-342-1232",
 6  "country": "US",
 7  "cvv_result": "N",
 8  "issuer_id_number": "323132",
 9  "last_digits": "7643",
10  "token": "OQRST14PLQ98323",
11  "was_3d_secure_successful": true
12}

Key	Value Type	Description
`issuer_id_number`	string	The issuer ID number for the credit card. This is the first six or eight digits of the credit card number. It identifies the issuing bank. If you do not know whether the IIN is six or eight digits long, send us six digits. Learn more about the /credit_card/issuer_id_number input on our Knowledge Base. max length: 8
`last_digits`	string	The last digits of the credit card number. In most cases, you should send the last four digits for `last_digits`. If you send anissuer_id_numberthat contains an eight digit IIN, and if the credit card brand is not one of the following, you should send the last two digits for `last_digits`:`Discover`, `JCB`, `Mastercard`, `UnionPay`, `Visa`. Learn more about the /credit_card/last_digits input on our Knowledge Base. max length: 4
`token`	string	A token uniquely identifying the card. The token should consist of non-space printable ASCII characters. If the token is all digits, it must be more than 19 characters long. The token must not be a primary account number (PAN) or a simple transformation of it. If you have a valid token that looks like a PAN but is not one, you may prefix that token with a fixed string, e.g.,`token-`. Learn more about the /credit_card/token input on our Knowledge Base. max length: 255
`bank_name`	string	The name of the issuing bank as provided by the end user. max length: 255
`bank_phone_country_code`	string	The phone country code for the issuing bank as provided by the end user. If you provide this information then you must provide at least one digit. max length: 4
`bank_phone_number`	string	The phone number, without the country code, for the issuing bank as provided by the end user. Punctuation characters will be stripped. After stripping punctuation characters, the number must contain only digits. max length: 255
`country`	string	The two character ISO 3166-1 alpha-2 country code where the issuer of the card is located. This may be passed instead of the issuer_id_number if you do not wish to pass partial account numbers, or if your payment processor does not provide them. Learn more about the /credit_card/country input on our Knowledge Base. max length: 2
`avs_result`	string	The address verification system (AVS) check result, as returned to you by the credit card processor. The minFraud service supports the standard AVS codes. Learn more about the /credit_card/avs_result input on our Knowledge Base. max length: 1
`cvv_result`	string	The card verification value (CVV) code as provided by the payment processor. Learn more about the /credit_card/cvv_result input on our Knowledge Base. max length: 1
`was_3d_secure_successful`	boolean	Whether the outcome of 3-D Secure verification (e.g. Safekey, SecureCode, Verified by Visa) was successful. `true` if customer verification was successful, or `false` if the customer failed verification. If 3-D Secure verification was not used, was unavailable, or resulted in another outcome other than success or failure, do not include this field. Learn more about the /credit_card/was_3d_secure_successful input on our Knowledge Base.

Order

order is a JSON object that contains information about the order associated with the event.

 1{
 2  "affiliate_id": "af12",
 3  "amount": 323.21,
 4  "currency": "USD",
 5  "discount_code": "FIRST",
 6  "has_gift_message": false,
 7  "is_gift": true,
 8  "referrer_uri": "http://www.google.com/",
 9  "subaffiliate_id": "saf42"
10}

Key	Value Type	Description
`amount`	decimal	The total order amount for the transaction before taxes and discounts. Learn more about the /order/amount input on our Knowledge Base. min: 0, max: 1e14 – 1
`currency`	string	The ISO 4217 currency code for the currency used in the transaction. Learn more about the /order/currency input on our Knowledge Base. max length: 3
`discount_code`	string	The discount code applied to the transaction. If multiple discount codes were used, please separate them with a comma. Learn more about the /order/discount_code input on our Knowledge Base. max length: 255
`affiliate_id`	string	The ID of the affiliate where the order is coming from. No specific format is required. Learn more about the /order/affiliate_id input on our Knowledge Base. max length: 255
`subaffiliate_id`	string	The ID of the sub-affiliate where the order is coming from. No specific format is required. Learn more about the /order/subaffiliate_id input on our Knowledge Base. max length: 255
`referrer_uri`	string	The URI of the referring site for this order. Needs to be absolute and have a URI scheme such as `https://`. Learn more about the /order/referrer_uri input on our Knowledge Base. max length: 1024
`is_gift`	boolean	Whether order was marked as a gift by the purchaser. Learn more about the /order/is_gift input on our Knowledge Base.
`has_gift_message`	boolean	Whether the purchaser included a gift message. Learn more about the /order/has_gift_message input on our Knowledge Base.

Shopping Cart

shopping_cart is an array of shopping cart item objects.

Passing hashed values for shopping cart items can increase the privacy of your customers’ information while continuing to fulfill the needs for fraud detection. A suitable hashed value can be produced by using a cryptographic hash function and a fixed salt. Using a random salt is not recommended as that will result in different hashed values for the same plain value, which would make them ineffective for our fraud detection service. For more information, see:

Learn more about the shopping cart inputs on our Knowledge Base.

 1[
 2  {
 3    "category": "pets",
 4    "item_id": "ad23232",
 5    "price": 20.43,
 6    "quantity": 2
 7  },
 8  {
 9    "category": "beauty",
10    "item_id": "bst112",
11    "price": 100,
12    "quantity": 1
13  }
14]

Key	Value Type	Description
`category`	string	The category of the item. This can also be a hashed value; see below. max length: 255
`item_id`	string	Your internal ID for the item. No specific format is required. This can also be a hashed value; see below. max length: 255
`quantity`	integer	The quantity of the item in the shopping cart. The value must be a whole number. min: 0, max: 10e13-1
`price`	Decimal	The per-unit price of this item in the shopping cart. This should use the same currency as the order currency. format: Decimal, min: 0, max: 1e14-1

Custom Inputs

custom_inputs are optional inputs to the minFraud service that must first be defined for your account. Select Custom Inputs from the Account Portal in order to do so. See our Custom Inputs documentation for more information.

You should never send a full credit card number as an input. If you attempt to send a full credit card number as an input, the minFraud service will reject the input and issue a warning.

Learn more about valid payment number inputs above.

1{
2  "a_custom_input_key": "NSC0083121",
3  "another_custom_input_key": false
4}

Key	Value Type	Description
`your_custom_BOOLEAN_key`	boolean	A custom key of your choice, with a boolean value.
`your_custom_FLOAT_NUMBER_key`	float	A custom key of your choice, with a floating number value. min: -1e14, max: 1e14
`your_custom_PHONE_NUMBER_key`	string	A custom key of your choice with a string value, formatted as a phone number. Numbers, spaces and punctuation accepted, although spaces and punctuation will be stripped. The following ASCII characters constitute the accepted punctuation: ` ~ ! @ # $ % ^ & * ( ) – _ = + ‘ ” ; : , < . > / ? \ \| [ ] { and }. format: Phone number, max length: 255
`your_custom_STRING_key`	string	A custom key of your choice with a string value. The null character is not allowed. max length: 255

minFraud API Requests

On this page