minFraud API Requests
On this page
Authorization and Security
The HTTP Authorization header is required for authorization. The username is
your
MaxMind account ID.
The password is your
MaxMind license key.
We use
basic HTTP authentication.
The APIs which require authentication are only available via HTTPS. The
credentials are never transmitted unencrypted. If you attempt to access this
service via HTTP, you will receive a 403 Forbidden HTTP response.
We require TLS 1.2 or greater for all requests to our servers to keep your data secure.
Service Endpoints
The endpoint for each service is as specified below.
| Service | HTTP Method | Endpoint |
|---|---|---|
| Score | POST | https://minfraud.maxmind.com/minfraud/v2.0/score |
| Insights | POST | https://minfraud.maxmind.com/minfraud/v2.0/insights |
| Factors | POST | https://minfraud.maxmind.com/minfraud/v2.0/factors |
The minfraud.maxmind.com hostname automatically picks the data center geographically closest to you.
Headers
The Authorization header is always required. See
Authorization and Security for more details.
The Accept header for a request is entirely optional. If you do include one,
you must accept one of the following, substituting the [SERVICE-TYPE] with
either score, insights, or factors as appropriate:
application/jsonapplication/vnd.maxmind.com-minfraud-[SERVICE TYPE]+jsonapplication/vnd.maxmind.com-minfraud-[SERVICE TYPE]+json; charset=UTF-8; version=2.0
A request for any other MIME type will result in a 415 Unsupported Media Type
error.
If you set the Accept-Charset header in your client code, you must accept the
UTF-8 character set. If you don’t you will receive a 406 Not Acceptable
response.
Request Body
Currently minFraud Score, minFraud Insights, and minFraud Factors use the same request document format. The request consists of a JSON object with one or more of the fields shown below. Each key in the top-level object maps to an object or array as described below. New fields that apply to one or both may be added in the future.
String fields are limited to no more than 255 valid Unicode characters unless a
shorter length is specified; the null and newline characters are forbidden. Of
course, many fields also have additional constraints that limit the length. For
example, the ip_address field cannot be longer than the longest valid
representation of an IPv6 address. Unless it must match a specific format, it
is valid for a string field to be empty.
Boolean fields must be provided as JSON true or false.
Unless otherwise specified, if the value meets the requirements for the field, then it will not be modified. Beyond field specific exceptions, an exception to this is if the value is provided as a type different from what we require. In such cases we convert it to the required type if possible. For example, if you provide a string field as a number, then it will be converted to a string, and vice versa. This conversion happens only between numbers and strings.
The entire request body is limited to 20,000 bytes. Requests larger than this size will be rejected.
1{
2 "account": {
3 "user_id": "3132",
4 "username_md5": "570a90bfbf8c7eab5dc5d4e26832d5b1"
5 },
6 "billing": {
7 "address": "400 Blake St.",
8 "address_2": "Suite 5",
9 "city": "New Haven",
10 "company": "Big Corp.",
11 "country": "US",
12 "first_name": "John",
13 "last_name": "Doe",
14 "phone_country_code": "1",
15 "phone_number": "203-000-0000",
16 "postal": "06511",
17 "region": "CT"
18 },
19 "credit_card": {
20 "avs_result": "Y",
21 "bank_name": "Bank of America",
22 "bank_phone_country_code": "1",
23 "bank_phone_number": "800-342-1232",
24 "country": "US",
25 "cvv_result": "N",
26 "issuer_id_number": "323132",
27 "last_digits": "7643",
28 "token": "OQRST14PLQ98323",
29 "was_3d_secure_successful": true
30 },
31 "custom_inputs": {
32 "a_custom_input_key": "NSC0083121",
33 "another_custom_input_key": false
34 },
35 "device": {
36 "accept_language": "en-US,en;q=0.8",
37 "ip_address": "2001:db8::ff00:42:8329",
38 "session_age": 3600.5,
39 "session_id": "c2ffa1b7-f5c5-4702-beb2-4254794fe391",
40 "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"
41 },
42 "email": {
43 "address": "977577b140bfb7c516e4746204fbdb01",
44 "domain": "maxmind.com"
45 },
46 "event": {
47 "shop_id": "s2123",
48 "time": "2012-04-12T23:20:50.52Z",
49 "transaction_id": "txn3134133",
50 "type": "purchase"
51 },
52 "order": {
53 "affiliate_id": "af12",
54 "amount": 323.21,
55 "currency": "USD",
56 "discount_code": "FIRST",
57 "has_gift_message": false,
58 "is_gift": true,
59 "referrer_uri": "http://www.google.com/",
60 "subaffiliate_id": "saf42"
61 },
62 "payment": {
63 "decline_code": "card_declined",
64 "processor": "stripe",
65 "was_authorized": false
66 },
67 "shipping": {
68 "address": "82 Wall St.",
69 "address_2": "#1",
70 "city": "New Haven",
71 "company": "Smaller, Inc.",
72 "country": "US",
73 "delivery_speed": "same_day",
74 "first_name": "Jane",
75 "last_name": "Doe",
76 "phone_country_code": "1",
77 "phone_number": "203-000-0000",
78 "postal": "06515",
79 "region": "CT"
80 },
81 "shopping_cart": [
82 {
83 "category": "pets",
84 "item_id": "ad23232",
85 "price": 20.43,
86 "quantity": 2
87 },
88 {
89 "category": "beauty",
90 "item_id": "bst112",
91 "price": 100,
92 "quantity": 1
93 }
94 ]
95}
Device
device is a JSON object that contains information about the device used in the transaction.
1{
2 "accept_language": "en-US,en;q=0.8",
3 "ip_address": "2001:db8::ff00:42:8329",
4 "session_age": 3600.5,
5 "session_id": "c2ffa1b7-f5c5-4702-beb2-4254794fe391",
6 "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"
7}
| Key | Value Type | Description |
|---|---|---|
ip_address | string | The IP address associated with the device used by the customer in the transaction. The IP address must be in IPv4 or IPv6 presentation format, i.e., dotted-quad notation or the IPv6 hexadecimal-colon notation. Get tips for how to pass the /device/ip_address input on our Knowledge Base. format: IPv4 or IPv6 |
user_agent | string | The HTTP Learn more about the /device/user_agent input on our Knowledge Base. max length: 512 |
accept_language | string | The HTTP Learn more about the /device/accept_language input on our Knowledge Base. max length: 255 |
session_age | decimal | The number of seconds between the creation of the user’s session and the time of the transaction. Note that Learn more about the /device/session_age input on our Knowledge Base. min: 0, max: 10e13-1 |
session_id | string | An ID that uniquely identifies a visitor’s session on the site. Learn more about the /device/session_id input on our Knowledge Base. max length: 255 |
Event
event is a JSON object that contains general information related to the event being scored
1{
2 "shop_id": "s2123",
3 "time": "2012-04-12T23:20:50.52Z",
4 "transaction_id": "txn3134133",
5 "type": "purchase"
6}
| Key | Value Type | Description |
|---|---|---|
transaction_id | string | Your internal ID for the transaction. We can use this to locate a specific transaction in our logs, and it will also show up in email alerts and notifications from us to you. No specific format is required. Learn more about the /event/transaction_id input on our Knowledge Base. max length: 255 |
shop_id | string | Your internal ID for the shop, affiliate, or merchant this order is coming from. Required for minFraud users who are resellers, payment providers, gateways and affiliate networks. No specific format is required. Learn more about the /event/shop_id input on our Knowledge Base. max length: 255 |
time | string | The date and time the event occurred. The string must be in the RFC 3339 date-time format. The time must be within the past year. If this field is not in the request, the current time will be used. It is not recommended to use this input when scoring live transactions as they occur. However, it can be useful if you store transactions to be submitted to the service for scoring later. Please note that you cannot submit times more than one year in the past. If you submit an event time more than one year in the past, the current time will be used to score the transaction, and a warning will be returned. Learn more about the /event/time input on our Knowledge Base. |
type | string | The type of event being scored. The valid types are:
Learn more about the /event/type input on our Knowledge Base. format: enum |
Account
account is a JSON object that contains account information for the end-user on the site
where the event took place
1{
2 "user_id": "3132",
3 "username_md5": "570a90bfbf8c7eab5dc5d4e26832d5b1"
4}
| Key | Value Type | Description |
|---|---|---|
user_id | string | A unique user ID associated with the end-user in your system. If your system allows the login name for the account to be changed, this should not be the login name for the account, but rather should be an internal ID that does not change. This is not your MaxMind account ID. No specific format is required. Learn more about the /account/user_id input on our Knowledge Base. max length: 255 |
username_md5 | string | An MD5 hash as a hexadecimal string of the username or login name associated with the account. max length: 32 |
email is a JSON object that contains information about the email address of the end-user who initiated the event.
1{
2 "address": "977577b140bfb7c516e4746204fbdb01",
3 "domain": "maxmind.com"
4}
| Key | Value Type | Description |
|---|---|---|
address | string | This field must be either be a valid email address or an MD5 of the email used in the transaction. Learn more about the /email/address input on our Knowledge Base. max length: 255, type: Email or MD5 of Email |
domain | string | The domain of the email address used in the transaction. Do not include the You do not need to pass the email domain input unless you are passing the email address as an MD5 hash. Learn more about hashed email inputs on our Knowledge Base. max length: 255 |
Billing
billing is a JSON object that contains the billing address and contact information provided by the end-user who initiated the event.
Learn more about the billing address inputs on our Knowledge Base.
1{
2 "address": "400 Blake St.",
3 "address_2": "Suite 5",
4 "city": "New Haven",
5 "company": "Big Corp.",
6 "country": "US",
7 "first_name": "John",
8 "last_name": "Doe",
9 "phone_country_code": "1",
10 "phone_number": "203-000-0000",
11 "postal": "06511",
12 "region": "CT"
13}
| Key | Value Type | Description |
|---|---|---|
first_name | string | The first name of the end user as provided in their billing information. max length: 255 |
last_name | string | The last name of the end user as provided in their billing information. max length: 255 |
company | string | The company of the end user as provided in their billing information. max length: 255 |
address | string | The first line of the user’s billing address. max length: 255 |
address_2 | string | The second line of the user’s billing address. max length: 255 |
city | string | The city of the user’s billing address. max length: 255 |
region | string | The ISO 3166-2 subdivision code for the user’s billing address. max length: 4 |
country | string | The two character ISO 3166-1 alpha-2 country code of the user’s billing address. max length: 2 |
postal | string | The postal code of the user’s billing address. max length: 255 |
phone_number | string | The phone number without the country code for the user’s billing address. Punctuation characters will be stripped. After stripping punctuation characters, the number must contain only digits. max length: 255 |
phone_country_code | string | The country code for phone number associated with the user’s billing address. If you provide this information then you must provide at least one digit. max length: 4 |
Shipping
shipping is a JSON object that contains the shipping address and contact information provided by the end-user who initiated the event.
Learn more about the shipping address inputs on our Knowledge Base.
1{
2 "address": "82 Wall St.",
3 "address_2": "#1",
4 "city": "New Haven",
5 "company": "Smaller, Inc.",
6 "country": "US",
7 "delivery_speed": "same_day",
8 "first_name": "Jane",
9 "last_name": "Doe",
10 "phone_country_code": "1",
11 "phone_number": "203-000-0000",
12 "postal": "06515",
13 "region": "CT"
14}
| Key | Value Type | Description |
|---|---|---|
first_name | string | The first name of the end user as provided in their shipping information. max length: 255 |
last_name | string | The last name of the end user as provided in their shipping information. max length: 255 |
company | string | The company of the end user as provided in their shipping information. max length: 255 |
address | string | The first line of the user’s shipping address. max length: 255 |
address_2 | string | The second line of the user’s shipping address. max length: 255 |
city | string | The city of the user’s shipping address. max length: 255 |
region | string | The ISO 3166-2 subdivision code for the user’s shipping address. max length: 4 |
country | string | The two character ISO 3166-1 alpha-2 country code of the user’s shipping address. max length: 2 |
postal | string | The postal code of the user’s shipping address. max length: 255 |
phone_number | string | The phone number without the country code for the user’s shipping address. Punctuation characters will be stripped. After stripping punctuation characters, the number must contain only digits. max length: 255 |
phone_country_code | string | The country code for phone number associated with the user’s shipping address. If you provide this information then you must provide at least one digit. max length: 4 |
delivery_speed | string | The shipping delivery speed for the order. The valid values are:
format: enum |
Payment
payment is a JSON object that contains information from and about the payment process that was used for the event.
1{
2 "decline_code": "card_declined",
3 "processor": "stripe",
4 "was_authorized": false
5}
| Key | Value Type | Description |
|---|---|---|
processor | string | The payment processor used for the transaction. The valid values are:
If your payment processor is missing from this list, please contact our support team. format: enum |
was_authorized | boolean | |
decline_code | string | The decline code as provided by your payment processor. If the transaction was not declined, do not include this field. max length: 255 |
Credit Card
credit_card is a JSON object that contains information provided by the end-user and the payment processor about the credit card used for the for the event.
1{
2 "avs_result": "Y",
3 "bank_name": "Bank of America",
4 "bank_phone_country_code": "1",
5 "bank_phone_number": "800-342-1232",
6 "country": "US",
7 "cvv_result": "N",
8 "issuer_id_number": "323132",
9 "last_digits": "7643",
10 "token": "OQRST14PLQ98323",
11 "was_3d_secure_successful": true
12}
| Key | Value Type | Description |
|---|---|---|
issuer_id_number | string | The issuer ID number for the credit card. This is the first six or eight digits of the credit card number. It identifies the issuing bank. If you do not know whether the IIN is six or eight digits long, send us six digits. Learn more about the /credit_card/issuer_id_number input on our Knowledge Base. max length: 8 |
last_digits | string | The last digits of the credit card number. In most cases, you should send the last four digits for Learn more about the /credit_card/last_digits input on our Knowledge Base. max length: 4 |
token | string | A token uniquely identifying the card. The token should consist of non-space printable ASCII characters. If the token is all digits, it must be more than 19 characters long. The token must not be a primary account number (PAN) or a simple transformation of it. If you have a valid token that looks like a PAN but is not one, you may prefix that token with a fixed string, e.g., Learn more about the /credit_card/token input on our Knowledge Base. max length: 255 |
bank_name | string | The name of the issuing bank as provided by the end user. max length: 255 |
bank_phone_country_code | string | The phone country code for the issuing bank as provided by the end user. If you provide this information then you must provide at least one digit. max length: 4 |
bank_phone_number | string | The phone number, without the country code, for the issuing bank as provided by the end user. Punctuation characters will be stripped. After stripping punctuation characters, the number must contain only digits. max length: 255 |
country | string | The two character ISO 3166-1 alpha-2 country code where the issuer of the card is located. This may be passed instead of the issuer_id_number if you do not wish to pass partial account numbers, or if your payment processor does not provide them. Learn more about the /credit_card/country input on our Knowledge Base. max length: 2 |
avs_result | string | The address verification system (AVS) check result, as returned to you by the credit card processor. The minFraud service supports the standard AVS codes. Learn more about the /credit_card/avs_result input on our Knowledge Base. max length: 1 |
cvv_result | string | The card verification value (CVV) code as provided by the payment processor. Learn more about the /credit_card/cvv_result input on our Knowledge Base. max length: 1 |
was_3d_secure_successful | boolean | Whether the outcome of 3-D Secure verification (e.g. Safekey, SecureCode, Verified by Visa) was successful. Learn more about the /credit_card/was_3d_secure_successful input on our Knowledge Base. |
Order
order is a JSON object that contains information about the order associated with the event.
1{
2 "affiliate_id": "af12",
3 "amount": 323.21,
4 "currency": "USD",
5 "discount_code": "FIRST",
6 "has_gift_message": false,
7 "is_gift": true,
8 "referrer_uri": "http://www.google.com/",
9 "subaffiliate_id": "saf42"
10}
| Key | Value Type | Description |
|---|---|---|
amount | decimal | The total order amount for the transaction before taxes and discounts. Learn more about the /order/amount input on our Knowledge Base. min: 0, max: 1e14 – 1 |
currency | string | The ISO 4217 currency code for the currency used in the transaction. Learn more about the /order/currency input on our Knowledge Base. max length: 3 |
discount_code | string | The discount code applied to the transaction. If multiple discount codes were used, please separate them with a comma. Learn more about the /order/discount_code input on our Knowledge Base. max length: 255 |
affiliate_id | string | The ID of the affiliate where the order is coming from. No specific format is required. Learn more about the /order/affiliate_id input on our Knowledge Base. max length: 255 |
subaffiliate_id | string | The ID of the sub-affiliate where the order is coming from. No specific format is required. Learn more about the /order/subaffiliate_id input on our Knowledge Base. max length: 255 |
referrer_uri | string | The URI of the referring site for this order. Needs to be absolute and have a URI scheme such as Learn more about the /order/referrer_uri input on our Knowledge Base. max length: 1024 |
is_gift | boolean | Whether order was marked as a gift by the purchaser. Learn more about the /order/is_gift input on our Knowledge Base. |
has_gift_message | boolean | Whether the purchaser included a gift message. Learn more about the /order/has_gift_message input on our Knowledge Base. |
Shopping Cart
shopping_cart is an array of shopping cart item objects.
Passing hashed values for shopping cart items can increase the privacy of your customers’ information while continuing to fulfill the needs for fraud detection. A suitable hashed value can be produced by using a cryptographic hash function and a fixed salt. Using a random salt is not recommended as that will result in different hashed values for the same plain value, which would make them ineffective for our fraud detection service. For more information, see:
Learn more about the shopping cart inputs on our Knowledge Base.
1[
2 {
3 "category": "pets",
4 "item_id": "ad23232",
5 "price": 20.43,
6 "quantity": 2
7 },
8 {
9 "category": "beauty",
10 "item_id": "bst112",
11 "price": 100,
12 "quantity": 1
13 }
14]
| Key | Value Type | Description |
|---|---|---|
category | string | The category of the item. This can also be a hashed value; see below. max length: 255 |
item_id | string | Your internal ID for the item. No specific format is required. This can also be a hashed value; see below. max length: 255 |
quantity | integer | The quantity of the item in the shopping cart. The value must be a whole number. min: 0, max: 10e13-1 |
price | Decimal | The per-unit price of this item in the shopping cart. This should use the same currency as the order currency. format: Decimal, min: 0, max: 1e14-1 |
Custom Inputs
custom_inputs are optional inputs to the minFraud service that must first be defined for your account. Select Custom Inputs from the Account Portal in order to do so. See our Custom Inputs documentation for more information.
You should never send a full credit card number as an input. If you attempt to send a full credit card number as an input, the minFraud service will reject the input and issue a warning.
Learn more about valid payment number inputs above.
1{
2 "a_custom_input_key": "NSC0083121",
3 "another_custom_input_key": false
4}
| Key | Value Type | Description |
|---|---|---|
your_custom_BOOLEAN_key | boolean | A custom key of your choice, with a boolean value. |
your_custom_FLOAT_NUMBER_key | float | A custom key of your choice, with a floating number value. min: -1e14, max: 1e14 |
your_custom_PHONE_NUMBER_key | string | A custom key of your choice with a string value, formatted as a phone number. Numbers, spaces and punctuation accepted, although spaces and punctuation will be stripped. The following ASCII characters constitute the accepted punctuation: ` ~ ! @ # $ % ^ & * ( ) – _ = + ‘ ” ; : , < . > / ? \ | [ ] { and }. format: Phone number, max length: 255 |
your_custom_STRING_key | string | A custom key of your choice with a string value. The null character is not allowed. max length: 255 |