REST Resource: projects.assessments

{
  "name": string,
  "event": {
    object (Event)
  },
  "riskAnalysis": {
    object (RiskAnalysis)
  },
  "tokenProperties": {
    object (TokenProperties)
  },
  "accountVerification": {
    object (AccountVerificationInfo)
  },
  "accountDefenderAssessment": {
    object (AccountDefenderAssessment)
  },
  "privatePasswordLeakVerification": {
    object (PrivatePasswordLeakVerification)
  },
  "firewallPolicyAssessment": {
    object (FirewallPolicyAssessment)
  },
  "fraudPreventionAssessment": {
    object (FraudPreventionAssessment)
  },
  "fraudSignals": {
    object (FraudSignals)
  },
  "phoneFraudAssessment": {
    object (PhoneFraudAssessment)
  },
  "assessmentEnvironment": {
    object (AssessmentEnvironment)
  }
}

string

Output only. Identifier. The resource name for the Assessment in the format projects/{project}/assessments/{assessment}.

object (Event)

Optional. The event being assessed.

object (RiskAnalysis)

Output only. The risk analysis result for the event being assessed.

object (TokenProperties)

Output only. Properties of the provided event token.

object (AccountVerificationInfo)

Optional. Account verification information for identity verification. The assessment event must include a token and site key to use this feature.

object (AccountDefenderAssessment)

Output only. Assessment returned by account defender when an account identifier is provided.

object (PrivatePasswordLeakVerification)

Optional. The private password leak verification field contains the parameters that are used to to check for leaks privately without sharing user credentials.

object (FirewallPolicyAssessment)

Output only. Assessment returned when firewall policies belonging to the project are evaluated using the field firewallPolicyEvaluation.

object (FraudPreventionAssessment)

Output only. Assessment returned by Fraud Prevention when TransactionData is provided.

object (FraudSignals)

Output only. Fraud Signals specific to the users involved in a payment transaction.

object (PhoneFraudAssessment)

Output only. Assessment returned when a site key, a token, and a phone number as user_id are provided. Account defender and SMS toll fraud protection need to be enabled.

object (AssessmentEnvironment)

Optional. The environment creating the assessment. This describes your environment (the system invoking assessments.create), NOT the environment of your user.

{
  "token": string,
  "siteKey": string,
  "userAgent": string,
  "userIpAddress": string,
  "expectedAction": string,
  "hashedAccountId": string,
  "express": boolean,
  "requestedUri": string,
  "wafTokenAssessment": boolean,
  "ja3": string,
  "headers": [
    string
  ],
  "firewallPolicyEvaluation": boolean,
  "transactionData": {
    object (TransactionData)
  },
  "userInfo": {
    object (UserInfo)
  },
  "fraudPrevention": enum (FraudPrevention)
}

string

Optional. The user response token provided by the reCAPTCHA Enterprise client-side integration on your site.

string

Optional. The site key that was used to invoke reCAPTCHA Enterprise on your site and generate the token.

string

Optional. The user agent present in the request from the user's device related to this event.

string

Optional. The IP address in the request from the user's device related to this event.

string

Optional. The expected action for this type of event. This should be the same action provided at token generation time on client-side platforms already integrated with recaptcha enterprise.

string (bytes format)

Optional. Deprecated: use userInfo.account_id instead. Unique stable hashed user identifier for the request. The identifier must be hashed using hmac-sha256 with stable secret.

A base64-encoded string.

boolean

Optional. Flag for a reCAPTCHA express request for an assessment without a token. If enabled, siteKey must reference an Express site key.

string

Optional. The URI resource the user requested that triggered an assessment.

boolean

Optional. Flag for running WAF token assessment. If enabled, the token must be specified, and have been created by a WAF-enabled key.

string

Optional. JA3 fingerprint for SSL clients.

string

Optional. HTTP header information about the request.

boolean

Optional. Flag for enabling firewall policy config assessment. If this flag is enabled, the firewall policy is evaluated and a suggested firewall action is returned in the response.

object (TransactionData)

Optional. Data describing a payment transaction to be assessed. Sending this data enables reCAPTCHA Enterprise Fraud Prevention and the FraudPreventionAssessment component in the response.

object (UserInfo)

Optional. Information about the user that generates this event, when they can be identified. They are often identified through the use of an account for logged-in requests or login/registration requests, or by providing user identifiers for guest actions like checkout.

enum (FraudPrevention)

Optional. The Fraud Prevention setting for this assessment.

{
  "paymentMethod": string,
  "cardBin": string,
  "cardLastFour": string,
  "currencyCode": string,
  "value": number,
  "shippingValue": number,
  "shippingAddress": {
    object (Address)
  },
  "billingAddress": {
    object (Address)
  },
  "user": {
    object (User)
  },
  "merchants": [
    {
      object (User)
    }
  ],
  "items": [
    {
      object (Item)
    }
  ],
  "gatewayInfo": {
    object (GatewayInfo)
  },
  "transactionId": string
}

string

Optional. The payment method for the transaction. The allowed values are:

• credit-card
• debit-card
• gift-card
• processor-{name} (If a third-party is used, for example, processor-paypal)
• custom-{name} (If an alternative method is used, for example, custom-crypto)

string

Optional. The Bank Identification Number - generally the first 6 or 8 digits of the card.

string

Optional. The last four digits of the card.

string

Optional. The currency code in ISO-4217 format.

number

Optional. The decimal value of the transaction in the specified currency.

number

Optional. The value of shipping in the specified currency. 0 for free or no shipping.

object (Address)

Optional. Destination address if this transaction involves shipping a physical item.

object (Address)

Optional. Address associated with the payment method when applicable.

object (User)

Optional. Information about the user paying/initiating the transaction.

object (User)

Optional. Information about the user or users fulfilling the transaction.

object (Item)

Optional. Items purchased in this transaction.

object (GatewayInfo)

Optional. Information about the payment gateway's response to the transaction.

string

Unique identifier for the transaction. This custom identifier can be used to reference this transaction in the future, for example, labeling a refund or chargeback event. Two attempts at the same transaction should use the same transaction id.

{
  "recipient": string,
  "address": [
    string
  ],
  "locality": string,
  "administrativeArea": string,
  "regionCode": string,
  "postalCode": string
}

string

Optional. The recipient name, potentially including information such as "care of".

string

Optional. The first lines of the address. The first line generally contains the street name and number, and further lines may include information such as an apartment number.

string

Optional. The town/city of the address.

string

Optional. The state, province, or otherwise administrative area of the address.

string

Optional. The CLDR country/region of the address.

string

Optional. The postal or ZIP code of the address.

{
  "accountId": string,
  "creationMs": string,
  "email": string,
  "emailVerified": boolean,
  "phoneNumber": string,
  "phoneVerified": boolean
}

string

Optional. Unique account identifier for this user. If using account defender, this should match the hashedAccountId field. Otherwise, a unique and persistent identifier for this account.

string (int64 format)

Optional. The epoch milliseconds of the user's account creation.

string

Optional. The email address of the user.

boolean

Optional. Whether the email has been verified to be accessible by the user (OTP or similar).

string

Optional. The phone number of the user, with country code.

boolean

Optional. Whether the phone number has been verified to be accessible by the user (OTP or similar).

{
  "name": string,
  "value": number,
  "quantity": string,
  "merchantAccountId": string
}

string

Optional. The full name of the item.

number

Optional. The value per item that the user is paying, in the transaction currency, after discounts.

string (int64 format)

Optional. The quantity of this item that is being purchased.

string

Optional. When a merchant is specified, its corresponding accountId. Necessary to populate marketplace-style transactions.

{
  "name": string,
  "gatewayResponseCode": string,
  "avsResponseCode": string,
  "cvvResponseCode": string
}

string

Optional. Name of the gateway service (for example, stripe, square, paypal).

string

Optional. Gateway response code describing the state of the transaction.

string

Optional. AVS response code from the gateway (available only when reCAPTCHA Enterprise is called after authorization).

string

Optional. CVV response code from the gateway (available only when reCAPTCHA Enterprise is called after authorization).

{
  "createAccountTime": string,
  "accountId": string,
  "userIds": [
    {
      object (UserId)
    }
  ]
}

string (Timestamp format)

Optional. Creation time for this account associated with this user. Leave blank for non logged-in actions, guest checkout, or when there is no account associated with the current user.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

Optional. For logged-in requests or login/registration requests, the unique account identifier associated with this user. You can use the username if it is stable (meaning it is the same for every request associated with the same user), or any stable user ID of your choice. Leave blank for non logged-in actions or guest checkout.

object (UserId)

Optional. Identifiers associated with this user or request.

{

  // Union field id_oneof can be only one of the following:
  "email": string,
  "phoneNumber": string,
  "username": string
  // End of list of possible types for union field id_oneof.
}

string

Optional. An email address.

string

Optional. A phone number. Should use the E.164 format.

string

Optional. A unique username, if different from all the other identifiers and accountId that are provided. Can be a unique login handle or display name for a user.

{
  "score": number,
  "reasons": [
    enum (ClassificationReason)
  ],
  "extendedVerdictReasons": [
    string
  ],
  "challenge": enum (Challenge)
}

number

Output only. Legitimate event score from 0.0 to 1.0. (1.0 means very likely legitimate traffic while 0.0 means very likely non-legitimate traffic).

enum (ClassificationReason)

Output only. Reasons contributing to the risk analysis verdict.

string

Output only. Extended verdict reasons to be used for experimentation only. The set of possible reasons is subject to change.

enum (Challenge)

Output only. Challenge information for SCORE_AND_CHALLENGE keys

{
  "valid": boolean,
  "invalidReason": enum (InvalidReason),
  "createTime": string,
  "hostname": string,
  "androidPackageName": string,
  "iosBundleId": string,
  "action": string
}

boolean

Output only. Whether the provided user response token is valid. When valid = false, the reason could be specified in invalidReason or it could also be due to a user failing to solve a challenge or a sitekey mismatch (i.e the sitekey used to generate the token was different than the one specified in the assessment).

enum (InvalidReason)

Output only. Reason associated with the response when valid = false.

string (Timestamp format)

Output only. The timestamp corresponding to the generation of the token.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

Output only. The hostname of the page on which the token was generated (Web keys only).

string

Output only. The name of the Android package with which the token was generated (Android keys only).

string

Output only. The ID of the iOS bundle with which the token was generated (iOS keys only).

string

Output only. Action name provided at token generation.

{
  "endpoints": [
    {
      object (EndpointVerificationInfo)
    }
  ],
  "languageCode": string,
  "latestVerificationResult": enum (Result),
  "username": string
}

object (EndpointVerificationInfo)

Optional. Endpoints that can be used for identity verification.

string

Optional. Language code preference for the verification message, set as a IETF BCP 47 language code.

enum (Result)

Output only. Result of the latest account verification challenge.

string

Username of the account that is being verified. Deprecated. Customers should now provide the accountId field in event.user_info.

{
  "requestToken": string,
  "lastVerificationTime": string,

  // Union field endpoint can be only one of the following:
  "emailAddress": string,
  "phoneNumber": string
  // End of list of possible types for union field endpoint.
}

string

Output only. Token to provide to the client to trigger endpoint verification. It must be used within 15 minutes.

string (Timestamp format)

Output only. Timestamp of the last successful verification for the endpoint, if any.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

Email address for which to trigger a verification request.

string

Phone number for which to trigger a verification request. Should be given in E.164 format.

{
  "labels": [
    enum (AccountDefenderLabel)
  ]
}

enum (AccountDefenderLabel)

Output only. Labels for this request.

{
  "lookupHashPrefix": string,
  "encryptedUserCredentialsHash": string,
  "encryptedLeakMatchPrefixes": [
    string
  ],
  "reencryptedUserCredentialsHash": string
}

string (bytes format)

Required. Exactly 26-bit prefix of the SHA-256 hash of the canonicalized username. It is used to look up password leaks associated with that hash prefix.

A base64-encoded string.

string (bytes format)

Optional. Encrypted Scrypt hash of the canonicalized username+password. It is re-encrypted by the server and returned through reencryptedUserCredentialsHash.

A base64-encoded string.

string (bytes format)

Output only. List of prefixes of the encrypted potential password leaks that matched the given parameters. They must be compared with the client-side decryption prefix of reencryptedUserCredentialsHash

A base64-encoded string.

string (bytes format)

Output only. Corresponds to the re-encryption of the encryptedUserCredentialsHash field. It is used to match potential password leaks within encryptedLeakMatchPrefixes.

A base64-encoded string.

{
  "error": {
    object (Status)
  },
  "firewallPolicy": {
    object (FirewallPolicy)
  }
}

object (Status)

Output only. If the processing of a policy config fails, an error is populated and the firewallPolicy is left empty.

object (FirewallPolicy)

Output only. The policy that matched the request. If more than one policy may match, this is the first match. If no policy matches the incoming request, the policy field is left empty.

{
  "code": integer,
  "message": string,
  "details": [
    {
      "@type": string,
      field1: ...,
      ...
    }
  ]
}

integer

The status code, which should be an enum value of google.rpc.Code.

string

A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.

object

A list of messages that carry the error details. There is a common set of message types for APIs to use.

An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" }.

{
  "transactionRisk": number,
  "stolenInstrumentVerdict": {
    object (StolenInstrumentVerdict)
  },
  "cardTestingVerdict": {
    object (CardTestingVerdict)
  },
  "behavioralTrustVerdict": {
    object (BehavioralTrustVerdict)
  }
}

number

Output only. Probability of this transaction being fraudulent. Summarizes the combined risk of attack vectors below. Values are from 0.0 (lowest) to 1.0 (highest).

object (StolenInstrumentVerdict)

Output only. Assessment of this transaction for risk of a stolen instrument.

object (CardTestingVerdict)

Output only. Assessment of this transaction for risk of being part of a card testing attack.

object (BehavioralTrustVerdict)

Output only. Assessment of this transaction for behavioral trust.

{
  "risk": number
}

number

Output only. Probability of this transaction being executed with a stolen instrument. Values are from 0.0 (lowest) to 1.0 (highest).

{
  "risk": number
}

number

Output only. Probability of this transaction attempt being part of a card testing attack. Values are from 0.0 (lowest) to 1.0 (highest).

{
  "trust": number
}

number

Output only. Probability of this transaction attempt being executed in a behaviorally trustworthy way. Values are from 0.0 (lowest) to 1.0 (highest).

{
  "userSignals": {
    object (UserSignals)
  },
  "cardSignals": {
    object (CardSignals)
  }
}

object (UserSignals)

Output only. Signals describing the end user in this transaction.

object (CardSignals)

Output only. Signals describing the payment card or cards used in this transaction.

{
  "activeDaysLowerBound": integer,
  "syntheticRisk": number
}

integer

Output only. This user (based on email, phone, and other identifiers) has been seen on the internet for at least this number of days.

number

Output only. Likelihood (from 0.0 to 1.0) this user includes synthetic components in their identity, such as a randomly generated email address, temporary phone number, or fake shipping address.

{
  "cardLabels": [
    enum (CardLabel)
  ]
}

enum (CardLabel)

Output only. The labels for the payment card in this transaction.

{
  "smsTollFraudVerdict": {
    object (SmsTollFraudVerdict)
  }
}

object (SmsTollFraudVerdict)

Output only. Assessment of this phone event for risk of SMS toll fraud.

{
  "risk": number,
  "reasons": [
    enum (SmsTollFraudReason)
  ]
}

number

Output only. Probability of an SMS event being fraudulent. Values are from 0.0 (lowest) to 1.0 (highest).

enum (SmsTollFraudReason)

Output only. Reasons contributing to the SMS toll fraud verdict.

{
  "client": string,
  "version": string
}

string

Optional. Identifies the client module initiating the assessments.create request. This can be the link to the client module's project. Examples include: - "github.com/GoogleCloudPlatform/recaptcha-enterprise-google-tag-manager" - "cloud.google.com/recaptcha/docs/implement-waf-akamai" - "cloud.google.com/recaptcha/docs/implement-waf-cloudflare" - "wordpress.org/plugins/recaptcha-something"

string

Optional. The version of the client module. For example, "1.0.0".