¶ Overview
The risk platform supports two methods, Session & Score. The Payment Guarantee Status defines whether or not Ingo will cover the transaction and chargeback fees, if the transaction is eventually deemed fraudulent.
-
The Session Method provides clients with session identifiers which facilitate enhanced risk assessment.
-
The Score Method utilizes device fingerprinting and behavioral analytics with machine learning against a database of trillions of transaction data points, and more to identify fraud. This method of risk assessment aids in overall Payment Guarantee determination.
Usage of the IngoPay Risk API requires integration of third-party artifacts for Device Fingerprinting and Behavioral Data Collection.
;
¶ Session Method
https://payapi-sandbox.ingo.money/risk/risksession/v2
Purpose: Send a request for Ingo Payments to initiate a risk session.
Participants may declare the Content Types below in the request header to ‘Accept’ back as their response format (default is JSON):
HTTP: POST
Content Type: application/json
application/xml
| PARAMETER | REQ'T | TYPE | DESCRIPTION |
|---|---|---|---|
| request | REQUIRED | OBJ | Information about the API request - general information associated with the call to the API method. |
| PARAMETER | REQ'T | TYPE | MAX_LEN | DESCRIPTION |
|---|---|---|---|---|
| participant_id | REQUIRED | STRING | 5 | Unique participant identifier assigned by Ingo. |
| timestamp | REQUIRED | STRING | 32 | Unix timestamp of the request. |
Sample Request
{
"request": {
"participant_id": "12345",
"timestamp": "1721337425"
}
}
| Parameter | Requirement | Type | Description |
|---|---|---|---|
| request | REQUIRED | OBJ | Information about the API request - general information associated with the call to the API method. |
| response | REQUIRED | OBJ | Information about the API response - general information associated with the outcome of the call to the API method. |
| session | REQUIRED | OBJ | Identifiers to be embedded in client-side web/mobile code in support of device fingerprinting and behavioral data collection. |
| PARAMETER | REQ'T | TYPE | DESCRIPTION |
|---|---|---|---|
| participant_id | REQUIRED | STRING | Unique participant identifier assigned by Ingo. |
| timestamp | REQUIRED | STRING | Unix timestamp of the request. |
Sample Response
{
"request": {
"participant_id": "12345",
"timestamp": "1721413825"
},
"response": {
"status": "100",
"message": "Success",
"duration": "0.30398297309875"
},
"session": {
"risk_session_token": "1e97dde1-f10f-4caf-8726-da6fc207ecb8"
}
}
| PARAMETER | REQ'T | TYPE | DESCRIPTION |
|---|---|---|---|
| status | REQUIRED | STRING | Numeric code describing status of API request (e.g. 100 = Success). |
| message | REQUIRED | STRING | Text description associated with status code. |
| duration | REQUIRED | STRING | Time in seconds to complete the request. |
| PARAMETER | REQ'T | TYPE | DESCRIPTION |
|---|---|---|---|
| risk_session_token | STRING | REQUIRED | Ingo-assigned session ID. |
¶ Integrate the Risk SDK
It is critical to identify the device used, and the behavior that the user exhibits during a session. Sardine’s proprietary technology is adept at this very task and is instrumental in identifying risky devices, behavior, and tools that are used during these sessions (example: VPNs, emulators, remote desktop protocols etc.).
SDK Artifacts & packages will be provided by your assigned Integration Manager.
- clientID - Ingo assigned clientID.
- sessionKey - The
risk_session_tokenobtained from the Risk Session Method response. The default session expiry is 30 minutes.
¶ SDK Best Practices
General Checklist
- The SDK should be initialized upon app startup or the transaction initation page at minimum.
- Initializing the SDK and updateOptions() method submits data automatically, there is no need to explicitly call submitData after initialization or updating options.
- The initial "flow" can be set as the first screen the user would view when the app is started or the transaction initiation page.
- submitData should be called as often as possible.
- Ensure you call submitData when app is about to close or sent to the background by calling it in the activity “onPause” method.
- Ensure to update to the latest SDK (quarterly recommendation for mobile integrations).
Integration Guides will be provided by your assigned Integration Manager based on the platform(s) and language(s) selected for your integration.
- Ensure you call submitData when app is about to close or sent to background by calling it in the activity “onPause” method.
- Ensure that you set setSourcePlatform as “Native” in Options during initialization.
- For Field Tracking: Ensure that you set a human-readable id for any input field, as this id will be displayed in the dashboard and represent behavior biometrics.
- Ensure you call submitData in applicationWillResignActive UIApplicationDelegate method.
- Ensure that you set setSourcePlatform as “Native” in Options during initializing.
- Ensure that you set a human-readable placeholder for input fields as this placeholder will be displayed in the dashboard and represent behavior biometrics.
The advantages of using the Custom subdomain Integration:
- Increased Performance: Using a custom subdomain can result in a significant increase in accuracy in browsers with strict privacy features, such as Safari or Firefox. This is because the custom subdomain allows for the recognition of cookies as "first-party", which can extend the lifetime of device IDs and improve performance.
- Ad-blocker Resistance: Ad-blockers will not block the JavaScript (JS) Agent from sending identification API requests to the server, as sending data to an internal URL (such as a subdomain) is allowed. This makes it less likely that the data being sent will be blocked.
- Harder to Detect: Routing through a custom subdomain makes it harder for automated blockers and fraudsters to detect the fingerprinting process, as requests made directly to a separate domain can be easily detected.
You will need to provide two (2) subdomains since our script must connect to two different hosts for collecting various signals.
| Environment | Custom Subdomain (Example) | CNAME |
|---|---|---|
| Sandbox | api.{{custom_domain}}.com | apicustomdomain.sandbox.sardine.ai |
| Sandbox | p.{{custom_domain}}.com | p.sandbox.sardine.ai |
| Environment | Custom Subdomain (Example) | CNAME |
|---|---|---|
| Production | api.{{custom_domain}}.com | apicustomdomain.sardine.ai |
| Production | p.{{custom_domain}}.com | p.sardine.ai |
As part of the WebSDK setup, you will need to include the apiSubdomain and pSubdomain variables set to the newly configured subdomains.
`import { setupSardine } from "@sardine-ai/web-sdk";
setupSardine({
clientId: "YOUR_CLIENT_ID",
environment: "sandbox",
apiSubdomain: "api.{{custom_domain}}.com",
pixelSubdomain: "p.{{custom_domain}}.com"
});
¶ Score Method
| SCORE RANGE | DESCRIPTION |
|---|---|
| 2 - 299 | Discrete scores which indicate some degree of high risk / fraud. |
| 300 - 3000 | Continuous scores that correlate to discerned risk, with 3000 being best. |
https://payapi-sandbox.ingo.money/risk/riskscore/v2
Purpose: Send a request for Ingo Payments to provide a risk score assessment based upon the session identifiers.
Participants may declare the Content Types below in the request header to ‘Accept’ back as their response format (default is JSON):
HTTP: POST
Content Type: application/json
application/xml
| Parameter | Requirement | Type | Description |
|---|---|---|---|
| request | REQUIRED | OBJ | Information about the API request - general information associated with the call to the API method. |
| transaction | REQUIRED | OBJ | General transaction and risk assessment information. |
| transaction_ifa | REQUIRED | OBJ | Additional risk information for Ingo Fraud Alert. |
| transaction_open_banking | CONDITIONAL | OBJ | Open banking data for risk score assessment. See the section below for additional detail. |
| PARAMETER | REQ'T | TYPE | MAX_LEN | DESCRIPTION |
|---|---|---|---|---|
| participant_id | REQUIRED | STRING | 5 | Unique participant identifier assigned by Ingo. |
| timestamp | REQUIRED | STRING | 32 | Unix timestamp of the request. |
Sample Request
{
"request": {
"participant_id": "12345",
"timestamp": "1721337427"
},
"transaction": {
"account_type": "AC",
"transaction_amount": {
"currency_code": "USD",
"amount": "15.00"
},
"customer_account_token": "f40810e6-b382-4dd5-8012-9d8518136fdc",
"risk_session_token": "e9751823-fed0-4982-802b-6a4bb1cdc86c",
"customer_id": "bb79062e-938c-427e-8494-1d69fa3f2295",
"phone": "4045555555",
"phone_verified": "false",
"email": "[email protected]",
"email_verified": "true",
"dob": "01/02/2000"
},
"transaction_ifa": {
"ssn": "123456789",
"dob": "01/02/2000",
"device_id": "99ABCDEF-01234567-89ABCDE",
"geo_location": {
"latitude": "33.76272140863938",
"longitude": "-84.39188882939422"
}
},
"transaction_open_banking": {
"open_banking_plaid": {
"processor_token": "5964250f-18b3-419c-913c-92f4143ecfd3",
"account_id": "47507fce-a89c-4fd5-b0c7-5b179da4c6a1"
}
}
}
| PARAMETER | REQ'T | TYPE | MAX_LEN | DESCRIPTION |
|---|---|---|---|---|
| account_type | REQUIRED | STRING | 2 | AC = ACH ; CA = Card |
| transaction_amount | REQUIRED | OBJECT | Transaction amount for the requested risk assessment. | |
| customer_account_token | REQUIRED | STRING | 50 | Value representing the account number and customer data as provided in response from a previous Verify API call. |
| customer_id | REQUIRED | STRING | 64 | Client provided unique identifier for the customer. |
| risk_session_token | OPTIONAL | STRING | 36 | The session_id from the Risk Session Method response. |
| phone | REQUIRED | NUMBER | 16 | Customer phone number in ISO E.164 format. The value of this parameter must conform to one of the following: 1. A 10-character (all digits, no spaces) string (e.g. 4151231234) - treated as US number. 2. An ISO E.164 formatted phone number (e.g. +14151231234) The leftmost character of the string must be a plus sign (""+""). All additional characters must be all digits, no spaces. Accepted Characters: 0-9, + |
| phone_verified | REQUIRED | BOOLEAN | 5 | Indicates whether the customer phone number has been verified. |
| REQUIRED | STRING | 150 | Customer primary email address from profile. | |
| email_verified | REQUIRED | BOOLEAN | 5 | Indicates whether the customer email has been verified. |
| dob | REQUIRED | STRING | 10 | Customer date of birth. Acceptable formats include MM/dd/yyyy or MM-dd-yyyy. |
| PARAMETER | REQ'T | TYPE | MAX_LEN | DESCRIPTION |
|---|---|---|---|---|
| currency_code | REQUIRED | STRING | 3 | 3 character ISO-4217 (alpha) currency code. |
| amount | REQUIRED | STRING | 12 | Amount, in currency indicated by currency_code. |
| PARAMETER | REQ'T | TYPE | MAX_LEN | DESCRIPTION |
|---|---|---|---|---|
| ssn | REQUIRED | STRING | 10 | The Full SSN (digits only, 9 digits) or Last 4 of SSN (digits only, 4 digits). When specifying the last 4, the dob field is required. |
| dob | CONDITIONAL | STRING | 10 | The DOB in of the format [MM/dd/yyyy] or [MM-dd-yyyy]. * The DOB field is required when using the SSN last four. |
| device_id | OPTIONAL | STRING | 100 | The ID of the device. |
| geo_location | OPTIONAL | OBJECT | Geo-Location information. |
| PARAMETER | REQ'T | TYPE | MAX_LEN | DESCRIPTION |
|---|---|---|---|---|
| latitude | REQUIRED | STRING | 22 | Latitude of the location: [-90 to 90] with a precision of 18 |
| longitude | REQUIRED | STRING | 23 | Longitude of the location: [-180 to 180] with a precision of 18 |
| Parameter | Requirement | Type | Description |
|---|---|---|---|
| request | REQUIRED | OBJ | Information about the API request - general information associated with the call to the API method. |
| response | REQUIRED | OBJ | Information about the API response - general information associated with the outcome of the call to the API method. |
| transaction | REQUIRED | OBJ | Risk assessment - transaction data (response). |
| PARAMETER | REQ'T | TYPE | DESCRIPTION |
|---|---|---|---|
| participant_id | STRING | REQUIRED | Unique participant identifier assigned by Ingo. |
| timestamp | STRING | REQUIRED | Unix timestamp of the request. |
Sample Response
{
"request": {
"participant_id": "12345",
"timestamp": "1721414280"
},
"response": {
"status": "100",
"message": "Success",
"duration": "0.074021816253662"
},
"transaction": {
"score": "3000",
"risk_assessment_token": "de1a802d-e6d3-4bd7-8ee9-53171952d812",
"fraud_guarantee": {
"guarantee_requested": "1",
"transaction_guaranteed": "1"
}
}
}
| PARAMETER | REQ'T | TYPE | DESCRIPTION |
|---|---|---|---|
| status | REQUIRED | STRING | Numeric code describing status of API request (e.g. 100 = Success). |
| message | REQUIRED | STRING | Text description associated with status code. |
| duration | REQUIRED | STRING | Time in seconds to complete the request. |
| PARAMETER | REQ'T | TYPE | DESCRIPTION |
|---|---|---|---|
| score | REQUIRED | STRING | Ingo risk score. |
| risk_assessment_token | REQUIRED | STRING | Ingo-assigned ID for the risk assessment - must be included in subsequest Process request for the transaction. |
| fraud_guarantee | REQUIRED | OBJ | Indicators associated with transaction guarantee (against fraud). |
¶ fraud_guarantee (object)
| PARAMETER | REQ'T | TYPE | DESCRIPTION |
|---|---|---|---|
| guarantee_requested | REQUIRED | STRING | Indicates whether a guarantee against fraud was requested for the transaction. |
| transaction_guaranteed | CONDITIONAL | STRING | Indicates whether the transaction was guaranteed against fraud. Only present when guarantee_requested = 1. |
¶ Open Banking (Cond. Objects)
Open banking, also known as "open bank data", is a financial services model that allows third-party developers to access financial data from banks and financial institutions through application programming interfaces (APIs). This model allows for secure sharing of financial data between banks and third-party service providers.
| PARAMETER | REQ'T | TYPE | MAX_LEN | DESCRIPTION |
|---|---|---|---|---|
| open_banking_plaid | CONDITIONAL | OBJ | Account data from open banking platform - Plaid. | |
| open_banking_other | CONDITIONAL | OBJ | Account data from open banking platform - Other. |
| PARAMETER | REQ'T | TYPE | MAX_LEN | DESCRIPTION |
|---|---|---|---|---|
| processor_token | REQUIRED | STRING | 36 | The processor token for the account as provided by Plaid. |
| account_id | REQUIRED | STRING | 36 | The unique identifier of the account for the customer as provided by Plaid. |
| PARAMETER | REQ'T | TYPE | MAX_LEN | DESCRIPTION |
|---|---|---|---|---|
| bank_data | REQUIRED | OBJECT | Information about bank account and transaction. Please specify this field if you don't use plaid. | |
| source | REQUIRED | STRING | Finicity, yodlee or other. | |
| accounts | REQUIRED | ARRAY (OBJECT) | List of bank accounts and related information. | |
| id | REQUIRED | STRING | ID of bank account, defined by you or financial data provider. | |
| account_number | REQUIRED | STRING | Bank account number. | |
| routing_number | REQUIRED | STRING | Bank routing number. | |
| account_type | REQUIRED | STRING | Checking, saving or other. | |
| name | REQUIRED | STRING | Name of bank account (like "Wells Fargo high-interest savings account"). | |
| balance | REQUIRED | OBJECT | Balance information. | |
| currency_code | REQUIRED | STRING | Currency code in ISO 3digit code (eg USD). | |
| current | REQUIRED | STRING | Current balance in minor currency unit (eg. cents). | |
| available | REQUIRED | STRING | Available balance, in minor currency unit (eg. cents). | |
| last_updated | REQUIRED | STRING | Unix timestamp indicating when balance was updated. | |
| owners | REQUIRED | OBJECT | Account owner. | |
| names | REQUIRED | STRING | A list of names associated with the account (note this is string not array because many banks don't return names as array). | |
| addresses | REQUIRED | ARRAY (OBJECT) | Addresses associated with the account. | |
| city | REQUIRED | STRING | City. | |
| country | REQUIRED | STRING | Country. | |
| postal_code | REQUIRED | STRING | Postal code. | |
| region | REQUIRED | STRING | Region. | |
| is_primary | REQUIRED | STRING | If this is primary address for the bank. | |
| emails | REQUIRED | ARRAY (OBJECT) | Email addresses associated with the account. | |
| REQUIRED | STRING | Email address. | ||
| is_primary | REQUIRED | STRING | If this is primary email address for the bank. | |
| phone_numbers | ||||
| phone_number | REQUIRED | STRING | Phone number in ISO E.164 format. e.g. +14151231234. | |
| is_primary | REQUIRED | STRING | If this is primary phone number for the bank. | |
| transactions | REQUIRED | OBJECT | List of transactions. | |
| id | REQUIRED | STRING | ID of the transaction. | |
| account_id | REQUIRED | STRING | ID of bank account. | |
| amount | REQUIRED | STRING | Amount in minor currency unit (eg cents). | |
| currency_code | REQUIRED | STRING | Currency code in ISO 3digit code (eg USD). | |
| status | REQUIRED | STRING | Active or pending. | |
| description | REQUIRED | STRING | Description of transaction, given by financial institution. | |
| posted_date | REQUIRED | STRING | Date when transction was posted in YYYY-MM-DD format. | |
| transaction_date | REQUIRED | STRING | Date when transction took place in YYYY-MM-DD format. | |
| type | REQUIRED | STRING | Type of transction. one of atm, cash, check, credit, debit, deposit, directDebit, directDeposit, dividend, fee, intrest, payment, pointOfSale, repeatPayment, serviceCharge, transfer or other. | |
| merchant_name | REQUIRED | STRING | Name of merchant. | |
| categories | REQUIRED | ARRAY (STRING) | List of categories. | |
| category | REQUIRED | STRING | Category such as overdraft, bankFee. | |
| location | REQUIRED | ARRAY (OBJECT) | List of locations. | |
| street | REQUIRED | STRING | Street address. | |
| city | REQUIRED | STRING | City. | |
| region | REQUIRED | STRING | Region. | |
| postal_code | REQUIRED | STRING | Postal code. | |
| country | REQUIRED | STRING | Country. | |
| latitude | REQUIRED | STRING | Latitude | |
| longitude | REQUIRED | STRING | Longitude |
| PARAMETER | REQ'T | TYPE | MAX_LEN | DESCRIPTION |
|---|---|---|---|---|
| mx_data | CONDITIONAL | OBJECT | List of JSON you get from MX APIs. | |
| accounts_response | REQUIRED | OBJECT | JSON containing HTTP response from MX GET /users/{user_guid}/accounts get API. Reference:https://docs.mx.com/api#core_resources_accounts_list_accounts. We require all page of results to be returned in the response either in a single response or in multiple responses. | |
| transactions_response | REQUIRED | OBJECT | JSON containing HTTP response from MX GET /users/{user_guid}/accounts/{account_guid}/transactions get API. Reference:https://docs.mx.com/api#core_resources_transactions_list_transactions_by_account. We require all page of results to be returned in the response either in a single response or in multiple responses. | |
| account_owners_response | REQUIRED | OBJECT | JSON containing HTTP response from MX GET /users/{user_guid}/members/{member_guid}/account_owners get API. Reference:https://docs.mx.com/api#identification_identity_list_account_owners. We require bank accounts of each {member_guid} which will be used to make ach transactions. | |
| list_account_numbers_response | REQUIRED | OBJECT | JSON containing HTTP response from MX GET /users/{user_guid}/members/{member_guid}/account_numbers get API. Reference:https://docs.mx.com/verification/guides/api_flow#list_account_numbers. We require bank accounts of each {member_guid} which will be used to make ach transactions. This API is required connect account number and routing number used for ach transactions. |
| PARAMETER | REQ'T | TYPE | MAX_LEN | DESCRIPTION |
|---|---|---|---|---|
| stripe_data | CONDITIONAL | OBJECT | List of JSON you get from Stripe Financial connections APIs. | |
| accounts_response | REQUIRED | OBJECT | JSON containing HTTP response from Stripe Financial connections GET/v1/financial_connections/accounts/:id, POST/v1/financial_connections/accounts/:id/refresh. Balance and ownership information can be retrieved from the accounts API at the stripe account id level. Ownership information only needs to be sent once ever per account; in contrast, for each new ACH transaction, always send the latest balance information. The latest balance can be retrieved through the refresh feature. Reference: https://stripe.com/docs/api/financial_connections/accounts and https://stripe.com/docs/api/financial_connections/accounts/refresh#financial_connections_refresh_account-features. | |
| account_number | REQUIRED | STRING | Account number of the bank account. This field is required only for the first time. After that, we will use the account id to retrieve the account number information. We will link the stripe account id to the mapped account number and routing number in our database. | |
| routing_number | REQUIRED | STRING | Routing number of the bank account. This field is required only for the first time. After that, we will use the account id to retrieve the routing number information. We will link the stripe account id to the mapped account number and routing number in our database. | |
| transactions_response | REQUIRED | OBJECT | JSON containing a list of transactions (in JSON format) from Stripe Financial connections. The list of transactions is specific to the stripe account id level. We require all pages of results to be returned in the response either in a single response or in multiple responses. |
| PARAMETER | REQ'T | TYPE | MAX_LEN | DESCRIPTION |
|---|---|---|---|---|
| teller_data | CONDITIONAL | OBJECT | List of JSON you get from Teller APIs. | |
| account_number | REQUIRED | STRING | Account number of the bank account. This field is required only for the first time. After that, we will use the account id to retrieve the account number information. We will link the teller account id to the mapped account number and routing number in our database. | |
| routing_number | REQUIRED | STRING | Routing number of the bank account. This field is required only for the first time. After that, we will use the account id to retrieve the routing number information. We will link the teller account id to the mapped account number and routing number in our database. | |
| account_response | REQUIRED | OBJECT | Teller's Account API response. | |
| balance_response | REQUIRED | OBJECT | Teller's Account Balance API response. | |
| transactions_response | REQUIRED | OBJECT | Teller's transaction API response. |