minFraud API Requests

Authorization and Security

The HTTP Authorization header is required for authorization. The username is your MaxMind account ID. The password is your MaxMind license key.

You must be approved for a trial or purchase credit for use with our web services in order to receive an account ID and license key.

We use basic HTTP authentication. The APIs which require authentication are only available via HTTPS. The credentials are never transmitted unencrypted. If you attempt to access this service via HTTP, you will receive a 403 Forbidden HTTP response.

We require TLS 1.2 or greater for all requests to our servers to keep your data secure.

Service Endpoints

The endpoint for each service is as specified below.

ServiceHTTP MethodEndpoint
ScorePOSThttps://minfraud.maxmind.com/minfraud/v2.0/score
InsightsPOSThttps://minfraud.maxmind.com/minfraud/v2.0/insights
FactorsPOSThttps://minfraud.maxmind.com/minfraud/v2.0/factors

The minfraud.maxmind.com hostname automatically picks the data center geographically closest to you.

Headers

The Authorization header is always required. See Authorization and Security for more details.

The Accept header for a request is entirely optional. If you do include one, you must accept one of the following, substituting the [SERVICE-TYPE] with either score, insights, or factors as appropriate:

  • application/json

  • application/vnd.maxmind.com-minfraud-[SERVICE TYPE]+json

  • application/vnd.maxmind.com-minfraud-[SERVICE TYPE]+json; charset=UTF-8; version=2.0

    A request for any other MIME type will result in a 415 Unsupported Media Type error.

If you set the Accept-Charset header in your client code, you must accept the UTF-8 character set. If you don't you will receive a 406 Not Acceptable response.

Bodies

minFraud Score, Factors and Insights share the same request body format. Below is a full example of the JSON body document. For detailed explainations of each property within the request body, please refer to the object reference section below.

Object Reference

Below are the schema definitions of that make up the minFraud request body object.

Each schema definition contains a description of an object, along with a list of properties that belong to the object. The following information is listed for each object property:

  • name
  • type (array<type>, boolean, number, integer, object, string)
  • description
  • example
  • formatting
  • constraints (format, min/max, max length, etc.)
  • supported services (Score, Factors, Insights)

Additionally, for object properties, a link is provided to view a schema definition that further describes that specific object.

Requestobject

Currently minFraud Score, minFraud Insights, and minFraud Factors use the same request document format. The request consists of a JSON object with one or more of the fields shown below. Each key in the top-level object maps to an object or array as described below. New fields that apply to one or both may be added in the future.

String fields are limited to no more than 255 valid Unicode characters unless a shorter length is specified; the null and newline characters are forbidden. Of course, many fields also have additional constraints that limit the length. For example, the ip_address field cannot be longer than the longest valid representation of an IPv6 address. Unless it must match a specific format, it is valid for a string field to be empty.

Boolean fields must be provided as JSON true or false.

Unless otherwise specified, if the value meets the requirements for the field, then it will not be modified. Beyond field specific exceptions, an exception to this is if the value is provided as a type different from what we require. In such cases we convert it to the required type if possible. For example, if you provide a string field as a number, then it will be converted to a string, and vice versa. This conversion happens only between numbers and strings.

The entire request body is limited to 20,000 bytes. Requests larger than this size will be rejected.

Example
deviceobject

This object contains information about the device used in the transaction.

Example
ScoreInsightsFactors
eventobject

This object contains general information related to the event being scored.

Example
ScoreInsightsFactors
accountobject

This object contains account information for the end-user on the site where the event took place.

Example
ScoreInsightsFactors
emailobject

This object contains information about the email address of the end-user who initiated the event.

Example
ScoreInsightsFactors
billingobject

This object contains the billing address and contact information provided by the end-user who initiated the event.

Example
ScoreInsightsFactors
shippingobject

This object contains the shipping address and contact information provided by the end-user who initiated the event.

Example
ScoreInsightsFactors
paymentobject

This object contains information from and about the payment process that was used for the event.

Example
ScoreInsightsFactors
credit_cardobject

This object contains information provided by the end-user and the payment processor about the credit card used for the for the event.

Example
ScoreInsightsFactors
orderobject

This object contains information about the order associated with the event.

Example
ScoreInsightsFactors
shopping_cartarray

This is an array of shopping cart item objects. A shopping cart should consist of an array of one or more item objects.

Example
ScoreInsightsFactors
custom_inputsobject

Custom Inputs are optional inputs to the minFraud service that must first be defined for your account. Select “Custom Inputs” from the Account Portal in order to do so. See our Custom Inputs documentation for more information.

Example
ScoreInsightsFactors

This object contains information about the device used in the transaction.

Example
ip_addressstring

The IP address associated with the device used by the customer in the transaction. The IP address must be in IPv4 or IPv6 presentation format, i.e., dotted-quad notation or the IPv6 hexadecimal-colon notation.

Example
Format: IPv4 or IPv6
ScoreInsightsFactors
user_agentstring

The HTTP User-Agent header of the browser used in the transaction.

Example
Max Length: 512
ScoreInsightsFactors
accept_languagestring

The HTTP Accept-Language header of the device used in the transaction.

Example
Max Length: 255
ScoreInsightsFactors
session_agenumber

The number of seconds between the creation of the user's session and the time of the transaction. Note that session_age is not the duration of the current visit, but the time since the start of the first visit.

Example
Format: decimalMin: 0Max: 10e13-1
ScoreInsightsFactors
session_idstring

An ID that uniquely identifies a visitor's session on the site.

Example
Max Length: 255
ScoreInsightsFactors

This object contains general information related to the event being scored.

Example
transaction_idstring

Your internal ID for the transaction. We can use this to locate a specific transaction in our logs, and it will also show up in email alerts and notifications from us to you. No specific format is required.

Example
Max Length: 255
ScoreInsightsFactors
shop_idstring

Your internal ID for the shop, affiliate, or merchant this order is coming from. Required for minFraud users who are resellers, payment providers, gateways and affiliate networks. No specific format is required.

Example
Max Length: 255
ScoreInsightsFactors
timestring

The date and time the event occurred. The string must be in the RFC 3339 date-time format. The time must be within the past 10 years. If this field is not in the request, the current time will be used.

It is not recommended to use this input when scoring live transactions as they occur. However, it can be useful if you store transactions to be submitted to the service for scoring later.

Example
ScoreInsightsFactors
typestring

The type of event being scored. The valid types are:

  • account_creation
  • account_login
  • email_change
  • password_reset
  • payout_change
  • purchase
  • recurring_purchase
  • referral
  • survey
Example
Enum
ScoreInsightsFactors

This object contains account information for the end-user on the site where the event took place.

Example
user_idstring

A unique user ID associated with the end-user in your system. If your system allows the login name for the account to be changed, this should not be the login name for the account, but rather should be an internal ID that does not change. This is not your MaxMind account ID. No specific format is required.

Example
Max Length: 255
ScoreInsightsFactors
username_md5string

An MD5 hash as a hexadecimal string of the username or login name associated with the account.

Example
Max Length: 32
ScoreInsightsFactors

This object contains information about the email address of the end-user who initiated the event.

Example
addressstring

This field must be either be a valid email address or an MD5 of the email used in the transaction.

If using the MD5 hash, please be sure to normalize it before calculating its MD5 hash.

Example
Max Length: 255Type: Email or MD5 of Email
ScoreInsightsFactors
domainstring

The domain of the email address used in the transaction. Do not include the @ in this field.

Example
Max Length: 255
ScoreInsightsFactors

This object contains the billing address and contact information provided by the end-user who initiated the event.

Example
first_namestring

The first name of the end user as provided in their billing information.

Example
Max Length: 255
ScoreInsightsFactors
last_namestring

The last name of the end user as provided in their billing information.

Example
Max Length: 255
ScoreInsightsFactors
companystring

The company of the end user as provided in their billing information.

Example
Max Length: 255
ScoreInsightsFactors
addressstring

The first line of the user's billing address.

Example
Max Length: 255
ScoreInsightsFactors
address_2string

The second line of the user's billing address.

Example
Max Length: 255
ScoreInsightsFactors
citystring

The city of the user's billing address.

Example
Max Length: 255
ScoreInsightsFactors
regionstring

The ISO 3166-2 subdivision code for the user's billing address.

Example
Max Length: 4
ScoreInsightsFactors
countrystring

The two character ISO 3166-1 alpha-2 country code of the user's billing address.

Example
Max Length: 2
ScoreInsightsFactors
postalstring

The postal code of the user's billing address.

Example
Max Length: 255
ScoreInsightsFactors
phone_numberstring

The phone number without the country code for the user's billing address. Punctuation characters will be stripped. After stripping punctuation characters, the number must contain only digits.

Example
Max Length: 255
ScoreInsightsFactors
phone_country_codestring

The country code for phone number associated with the user's billing address. If you provide this information then you must provide at least one digit.

Example
Max Length: 4
ScoreInsightsFactors

This object contains the shipping address and contact information provided by the end-user who initiated the event.

Example
first_namestring

The first name of the end user as provided in their shipping information.

Example
Max Length: 255
ScoreInsightsFactors
last_namestring

The last name of the end user as provided in their shipping information.

Example
Max Length: 255
ScoreInsightsFactors
companystring

The company of the end user as provided in their shipping information.

Example
Max Length: 255
ScoreInsightsFactors
addressstring

The first line of the user's shipping address.

Example
Max Length: 255
ScoreInsightsFactors
address_2string

The second line of the user's shipping address.

Example
Max Length: 255
ScoreInsightsFactors
citystring

The city of the user's shipping address.

Example
Max Length: 255
ScoreInsightsFactors
regionstring

The ISO 3166-2 subdivision code for the user's shipping address.

Example
Max Length: 4
ScoreInsightsFactors
countrystring

The two character ISO 3166-1 alpha-2 country code of the user's shipping address.

Example
Max Length: 2
ScoreInsightsFactors
postalstring

The postal code of the user's shipping address.

Example
Max Length: 255
ScoreInsightsFactors
phone_numberstring

The phone number without the country code for the user's shipping address. Punctuation characters will be stripped. After stripping punctuation characters, the number must contain only digits.

Example
Max Length: 255
ScoreInsightsFactors
phone_country_codestring

The country code for phone number associated with the user's shipping address. If you provide this information then you must provide at least one digit.

Example
Max Length: 4
ScoreInsightsFactors
delivery_speedstring

The shipping delivery speed for the order. The valid values are:

  • same_day
  • overnight
  • expedited
  • standard
Example
Enum
ScoreInsightsFactors

This object contains information from and about the payment process that was used for the event.

Example
processorstring

The payment processor used for the transaction. The valid values are:

  • adyen
  • affirm
  • afterpay
  • altapay
  • amazon_payments
  • american_express_payment_gateway
  • apple_pay
  • aps_payments
  • authorizenet
  • balanced
  • beanstream
  • bluepay
  • bluesnap
  • bpoint
  • braintree
  • cardknox
  • cardpay
  • cashfree
  • ccavenue
  • ccnow
  • cetelem
  • chase_paymentech
  • checkout_com
  • cielo
  • collector
  • commdoo
  • compropago
  • concept_payments
  • conekta
  • creditguard
  • credorax
  • ct_payments
  • cuentadigital
  • curopayments
  • cybersource
  • dalenys
  • dalpay
  • datacap
  • datacash
  • dibs
  • digital_river
  • dlocal
  • dotpay
  • ebs
  • ecomm365
  • ecommpay
  • elavon
  • emerchantpay
  • epay
  • eprocessing_network
  • epx
  • eway
  • exact
  • first_atlantic_commerce
  • first_data
  • g2a_pay
  • global_payments
  • gocardless
  • heartland
  • hipay
  • ingenico
  • interac
  • internetsecure
  • intuit_quickbooks_payments
  • iugu
  • klarna
  • komoju
  • lemon_way
  • mastercard_payment_gateway
  • mercadopago
  • mercanet
  • merchant_esolutions
  • mirjeh
  • mollie
  • moneris_solutions
  • nmi
  • oceanpayment
  • oney
  • onpay
  • openpaymx
  • optimal_payments
  • orangepay
  • other
  • pacnet_services
  • payeezy
  • payfast
  • paygate
  • paylike
  • payment_express
  • paymentwall
  • payone
  • paypal
  • payplus
  • paysafecard
  • paystation
  • paytm
  • paytrace
  • paytrail
  • payture
  • payulatam
  • payu
  • payway
  • payza
  • pinpayments
  • posconnect
  • princeton_payment_solutions
  • psigate
  • qiwi
  • quickpay
  • raberil
  • razorpay
  • rede
  • redpagos
  • rewardspay
  • safecharge
  • sagepay
  • securetrading
  • simplify_commerce
  • skrill
  • smartcoin
  • smartdebit
  • solidtrust_pay
  • sps_decidir
  • stripe
  • synapsefi
  • systempay
  • telerecargas
  • towah
  • transact_pro
  • tsys
  • usa_epay
  • vantiv
  • verepay
  • vericheck
  • vindicia
  • virtual_card_services
  • vme
  • vpos
  • wirecard
  • worldpay

If your payment processor is missing from this list, please contact support@maxmind.com.

Example
Enum
ScoreInsightsFactors
was_authorizedboolean

The authorization outcome from the payment processor. If the transaction has not yet been approved or denied, do not include this field.

Example
ScoreInsightsFactors
decline_codestring

The decline code as provided by your payment processor. If the transaction was not declined, do not include this field.

Example
Max Length: 255
ScoreInsightsFactors

This object contains information provided by the end-user and the payment processor about the credit card used for the for the event.

Example
issuer_id_numberstring

The issuer ID number for the credit card. This is the first six digits of the credit card number. It identifies the issuing bank.

Example
Max Length: 6
ScoreInsightsFactors
last_4_digitsstring

The last four digits of the credit card number.

Example
Max Length: 4
ScoreInsightsFactors
tokenstring

A token uniquely identifying the card. The token should consist of non-space printable ASCII characters. If the token is all digits, it must be more than 19 characters long. The token must not be a primary account number (PAN) or a simple transformation of it. If you have a valid token that looks like a PAN but is not one, you may prefix that token with a fixed string, e.g., token-.

Example
Max Length: 255
ScoreInsightsFactors
bank_namestring

The name of the issuing bank as provided by the end user.

Example
Max Length: 255
ScoreInsightsFactors
bank_phone_country_codestring

The phone country code for the issuing bank as provided by the end user. If you provide this information then you must provide at least one digit.

Example
Max Length: 4
ScoreInsightsFactors
bank_phone_numberstring

The phone number, without the country code, for the issuing bank as provided by the end user. Punctuation characters will be stripped. After stripping punctuation characters, the number must contain only digits.

Example
Max Length: 255
ScoreInsightsFactors
avs_resultstring

The address verification system (AVS) check result, as returned to you by the credit card processor. The minFraud service supports the standard AVS codes.

Example
Max Length: 1
ScoreInsightsFactors
cvv_resultstring

The card verification value (CVV) code as provided by the payment processor.

Example
Max Length: 1
ScoreInsightsFactors

This object contains information about the order associated with the event.

Example
amountnumber

The total order amount for the transaction before taxes and discounts.

Example
Format: decimalMin: 0Max: 1e14 – 1
ScoreInsightsFactors
currencystring

The ISO 4217 currency code for the currency used in the transaction.

Example
Max Length: 3
ScoreInsightsFactors
discount_codestring

The discount code applied to the transaction. If multiple discount codes were used, please separate them with a comma.

Example
Max Length: 255
ScoreInsightsFactors
affiliate_idstring

The ID of the affiliate where the order is coming from. No specific format is required.

Example
Max Length: 255
ScoreInsightsFactors
subaffiliate_idstring

The ID of the sub-affiliate where the order is coming from. No specific format is required.

Example
Max Length: 255
ScoreInsightsFactors
referrer_uristring

The URI of the referring site for this order. Needs to be absolute and have a URI scheme such as https://.

Example
Max Length: 1024
ScoreInsightsFactors
is_giftboolean

Whether order was marked as a gift by the purchaser.

Example
ScoreInsightsFactors
has_gift_messageboolean

Whether the purchaser included a gift message.

Example
ScoreInsightsFactors

This is an array of shopping cart item objects. A shopping cart should consist of an array of one or more item objects.

Example

For instance, the response for Oxford in the United Kingdom would have an object for England as the first element in subdivisions array and an object for Oxfordshire as the second element. The subdivisions array for Minneapolis in the United States will have a single object for Minnesota.

This object contains information about an item from the end-user's shopping cart associated with the event

Example
categorystring

The category of the item. This can also be a hashed value; see below.

Example
Max Length: 255
ScoreInsightsFactors
item_idstring

Your internal ID for the item. No specific format is required. This can also be a hashed value; see below.

Example
Max Length: 255
ScoreInsightsFactors
quantityinteger

The quantity of the item in the shopping cart. The value must be a whole number.

Example
Min: 0Max: 10e13-1
ScoreInsightsFactors
pricenumber

The per-unit price of this item in the shopping cart. This should use the same currency as the order currency.

Example
Format: DecimalMin: 0Max: 1e14-1
ScoreInsightsFactors

Passing hashed values for shopping cart items can increase the privacy of your customers' information while continuing to fulfill the needs for fraud detection. A suitable hashed value can be produced by using a cryptographic hash function and a fixed salt. Using a random salt is not recommended as that will result in different hashed values for the same plain value, which would make them ineffective for our fraud detection service. For more information, see:

Custom Inputs are optional inputs to the minFraud service that must first be defined for your account. Select Custom Inputs from the Account Portal in order to do so. See our Custom Inputs documentation for more information.

Example
your_custom_BOOLEAN_keyboolean

A custom key of your choice, with a boolean value.

ScoreInsightsFactors
your_custom_FLOAT_NUMBER_keynumber

A custom key of your choice, with a floating number value.

Format: floatMin: -1e14Max: 1e14
ScoreInsightsFactors
your_custom_PHONE_NUMBER_keystring

A custom key of your choice with a string value, formatted as a phone number. Numbers, spaces and punctuation accepted, although spaces and punctuation will be stripped. The following ASCII characters constitute the accepted punctuation: ` ~ ! @ # $ % ^ & * ( ) – _ = + ‘ ” ; : , < . > / ? \ | [ ] { and }.

Format: Phone numberMax Length: 255
ScoreInsightsFactors
your_custom_STRING_keystring

A custom key of your choice with a string value. The null character is not allowed.

Max Length: 255
ScoreInsightsFactors

This page was last updated on July 29, 2021.