REST Resource: projects.assessments

Resource: Assessment

A reCAPTCHA Enterprise assessment resource.

JSON representation
{
  "name": string,
  "event": {
    object (Event)
  },
  "score": number,
  "tokenProperties": {
    object (TokenProperties)
  },
  "reasons": [
    enum (ClassificationReason)
  ],
  "passwordLeakVerification": {
    object (PasswordLeakVerification)
  },
  "accountDefenderAssessment": {
    object (AccountDefenderAssessment)
  },
  "fraudPreventionAssessment": {
    object (FraudPreventionAssessment)
  }
}
Fields
name

string

Output only. The resource name for the Assessment in the format projects/{project_number}/assessments/{assessment_id}.

event

object (Event)

The event being assessed.

score

number

Output only. Legitimate event score from 0.0 to 1.0. (1.0 means very likely legitimate traffic while 0.0 means very likely non-legitimate traffic).

tokenProperties

object (TokenProperties)

Output only. Properties of the provided event token.

reasons[]

enum (ClassificationReason)

Output only. Reasons contributing to the risk analysis verdict.

passwordLeakVerification

object (PasswordLeakVerification)

Information about the user's credentials used to check for leaks. This feature is part of the Early Access Program (EAP). Exercise caution, and do not deploy integrations based on this feature in a production environment.

accountDefenderAssessment

object (AccountDefenderAssessment)

Assessment returned by account defender when a hashedAccountId is provided.

fraudPreventionAssessment

object (FraudPreventionAssessment)

Assessment returned by Fraud Prevention when TransactionData is provided.

Event

JSON representation
{
  "token": string,
  "siteKey": string,
  "userAgent": string,
  "userIpAddress": string,
  "expectedAction": string,
  "hashedAccountId": string,
  "transactionData": {
    object (TransactionData)
  },
  "fraudPrevention": enum (FraudPrevention)
}
Fields
token

string

Optional. The user response token provided by the reCAPTCHA client-side integration on your site.

siteKey

string

Optional. The site key that was used to invoke reCAPTCHA on your site and generate the token.

userAgent

string

Optional. The user agent present in the request from the user's device related to this event.

userIpAddress

string

Optional. The IP address in the request from the user's device related to this event.

expectedAction

string

Optional. The expected action for this type of event. This should be the same action provided at token generation time on client-side platforms already integrated with reCAPTCHA.

hashedAccountId

string (bytes format)

Optional. Unique stable hashed user identifier for the request. The identifier must be hashed using hmac-sha256 with stable secret.

A base64-encoded string.

transactionData

object (TransactionData)

Optional. Data describing a payment transaction to be assessed. Sending this data enables reCAPTCHA Fraud Prevention and the FraudPreventionAssessment component in the response.

fraudPrevention

enum (FraudPrevention)

Optional. The Fraud Prevention setting for this Assessment.

TransactionData

Transaction data associated with a payment protected by reCAPTCHA.

JSON representation
{
  "paymentMethod": string,
  "cardBin": string,
  "cardLastFour": string,
  "currencyCode": string,
  "value": number,
  "shippingValue": number,
  "shippingAddress": {
    object (Address)
  },
  "billingAddress": {
    object (Address)
  },
  "user": {
    object (User)
  },
  "merchants": [
    {
      object (User)
    }
  ],
  "items": [
    {
      object (Item)
    }
  ],
  "gatewayInfo": {
    object (GatewayInfo)
  },
  "transactionId": string
}
Fields
paymentMethod

string

The payment method for the transaction. The allowed values are:

  • credit-card
  • debit-card
  • gift-card
  • processor-{name} (If a third-party is used, for example, processor-paypal)
  • custom-{name} (If an alternative method is used, for example, custom-crypto)
cardBin

string

The Bank Identification Number - generally the first 6 or 8 digits of the card.

cardLastFour

string

The last four digits of the card.

currencyCode

string

The currency code in ISO-4217 format.

value

number

The decimal value of the transaction in the specified currency.

shippingValue

number

The value of shipping in the specified currency. 0 for free or no shipping.

shippingAddress

object (Address)

Destination address if this transaction involves shipping a physical item.

billingAddress

object (Address)

Address associated with the payment method when applicable.

user

object (User)

Information about the user paying/initiating the transaction.

merchants[]

object (User)

Information about the user or users fulfilling the transaction.

items[]

object (Item)

Items purchased in this transaction.

gatewayInfo

object (GatewayInfo)

Information about the payment gateway's response to the transaction.

transactionId

string

Unique identifier for the transaction. This custom identifier can be used to reference this transaction in the future, for example, labeling a refund or chargeback event. Two attempts at the same transaction should use the same transaction id.

Address

Structured address format for billing and shipping addresses.

JSON representation
{
  "recipient": string,
  "address": [
    string
  ],
  "locality": string,
  "administrativeArea": string,
  "regionCode": string,
  "postalCode": string
}
Fields
recipient

string

The recipient name, potentially including information such as "care of".

address[]

string

The first lines of the address. The first line generally contains the street name and number, and further lines may include information such as an apartment number.

locality

string

The town/city of the address.

administrativeArea

string

The state, province, or otherwise administrative area of the address.

regionCode

string

The CLDR country/region of the address.

postalCode

string

The postal or ZIP code of the address.

User

Details about a user's account involved in the transaction.

JSON representation
{
  "accountId": string,
  "creationMs": string,
  "email": string,
  "emailVerified": boolean,
  "phoneNumber": string,
  "phoneVerified": boolean
}
Fields
accountId

string

Unique account identifier for this user. If using account defender, this should match the hashedAccountId field. Otherwise, a unique and persistent identifier for this account.

creationMs

string (int64 format)

The epoch milliseconds of the user's account creation.

email

string

The email address of the user.

emailVerified

boolean

Whether the email has been verified to be accessible by the user (OTP or similar).

phoneNumber

string

The phone number of the user, with country code.

phoneVerified

boolean

Whether the phone number has been verified to be accessible by the user (OTP or similar).

Item

Line items being purchased in this transaction.

JSON representation
{
  "name": string,
  "value": number,
  "quantity": string,
  "merchantAccountId": string
}
Fields
name

string

The full name of the item.

value

number

The value per item that the user is paying, in the transaction currency, after discounts.

quantity

string (int64 format)

The quantity of this item that is being purchased.

merchantAccountId

string

When a merchant is specified, its corresponding accountId. Necessary to populate marketplace-style transactions.

GatewayInfo

Details about the transaction from the gateway.

JSON representation
{
  "name": string,
  "gatewayResponseCode": string,
  "avsResponseCode": string,
  "cvvResponseCode": string
}
Fields
name

string

Name of the gateway service (for example, stripe, square, paypal).

gatewayResponseCode

string

Gateway response code describing the state of the transaction.

avsResponseCode

string

AVS response code from the gateway (available only when reCAPTCHA is called after authorization).

cvvResponseCode

string

CVV response code from the gateway (available only when reCAPTCHA is called after authorization).

FraudPrevention

Setting that controls Fraud Prevention assessments.

Enums
FRAUD_PREVENTION_UNSPECIFIED Default, unspecified setting. fraudPreventionAssessment is returned if transactionData is present in Event and Fraud Prevention is enabled in the Google Cloud console.
ENABLED Enable Fraud Prevention for this assessment, if Fraud Prevention is enabled in the Google Cloud console.
DISABLED Disable Fraud Prevention for this assessment, regardless of Google Cloud console settings.

TokenProperties

JSON representation
{
  "valid": boolean,
  "invalidReason": enum (InvalidReason),
  "createTime": string,
  "hostname": string,
  "action": string
}
Fields
valid

boolean

Whether the provided user response token is valid. When valid = false, the reason could be specified in invalidReason or it could also be due to a user failing to solve a challenge or a sitekey mismatch (i.e the sitekey used to generate the token was different than the one specified in the assessment).

invalidReason

enum (InvalidReason)

Reason associated with the response when valid = false.

createTime

string (Timestamp format)

The timestamp corresponding to the generation of the token.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

hostname

string

The hostname of the page on which the token was generated.

action

string

Action name provided at token generation.

InvalidReason

Enum that represents the types of invalid token reasons.

Enums
INVALID_REASON_UNSPECIFIED Default unspecified type.
UNKNOWN_INVALID_REASON If the failure reason was not accounted for.
MALFORMED The provided user verification token was malformed.
EXPIRED The user verification token had expired.
DUPE The user verification had already been seen.
SITE_MISMATCH

The user verification token did not match the provided site key. This may be a configuration error (for example, development keys used in production) or end users trying to use verification tokens from other sites.

MISSING The user verification token was not present. It is a required input.
BROWSER_ERROR A retriable error (such as network failure) occurred on the browser. Could easily be simulated by an attacker.

ClassificationReason

Reasons contributing to the risk analysis verdict.

Enums
CLASSIFICATION_REASON_UNSPECIFIED Default unspecified type.
AUTOMATION Interactions matched the behavior of an automated agent.
UNEXPECTED_ENVIRONMENT The event originated from an illegitimate environment.
TOO_MUCH_TRAFFIC Traffic volume from the event source is higher than normal.
UNEXPECTED_USAGE_PATTERNS Interactions with the site were significantly different than expected patterns.
LOW_CONFIDENCE_SCORE Too little traffic has been received from this site thus far to generate quality risk analysis.
SUSPECTED_CARDING The request matches behavioral characteristics of a carding attack.
SUSPECTED_CHARGEBACK The request matches behavioral characteristics of chargebacks for fraud.

PasswordLeakVerification

Password leak verification info.

JSON representation
{
  "hashedUserCredentials": string,
  "credentialsLeaked": boolean,
  "canonicalizedUsername": string
}
Fields
hashedUserCredentials

string (bytes format)

Optional. Scrypt hash of the username+password that the customer wants to verify against a known password leak.

A base64-encoded string.

credentialsLeaked

boolean

Output only. Whether or not the user's credentials are present in a known leak.

canonicalizedUsername

string

Optional. The username part of the user credentials for which we want to trigger a leak check in canonicalized form. This is the same data used to create the hashedUserCredentials on the customer side.

AccountDefenderAssessment

Account defender risk assessment.

JSON representation
{
  "labels": [
    enum (AccountDefenderLabel)
  ]
}
Fields
labels[]

enum (AccountDefenderLabel)

Labels for this request.

AccountDefenderLabel

Labels returned by account defender for this request.

Enums
ACCOUNT_DEFENDER_LABEL_UNSPECIFIED Default unspecified type.
PROFILE_MATCH The request matches a known good profile for the user.
SUSPICIOUS_LOGIN_ACTIVITY The request is potentially a suspicious login event and should be further verified either via multi-factor authentication or another system.
SUSPICIOUS_ACCOUNT_CREATION The request matched a profile that previously had suspicious account creation behavior. This could mean this is a fake account.
RELATED_ACCOUNTS_NUMBER_HIGH The account in the request has a high number of related accounts. It does not necessarily imply that the account is bad but could require investigating.

FraudPreventionAssessment

Assessment for Fraud Prevention.

JSON representation
{
  "transactionRisk": number,
  "stolenInstrumentVerdict": {
    object (StolenInstrumentVerdict)
  },
  "cardTestingVerdict": {
    object (CardTestingVerdict)
  },
  "behavioralTrustVerdict": {
    object (BehavioralTrustVerdict)
  }
}
Fields
transactionRisk

number

Probability (0-1) of this transaction being fraudulent. Summarizes the combined risk of attack vectors below.

stolenInstrumentVerdict

object (StolenInstrumentVerdict)

Assessment of this transaction for risk of a stolen instrument.

cardTestingVerdict

object (CardTestingVerdict)

Assessment of this transaction for risk of being part of a card testing attack.

behavioralTrustVerdict

object (BehavioralTrustVerdict)

Assessment of this transaction for behavioral trust.

StolenInstrumentVerdict

Information about stolen instrument fraud, where the user is not the legitimate owner of the instrument being used for the purchase.

JSON representation
{
  "risk": number
}
Fields
risk

number

Probability (0-1) of this transaction being executed with a stolen instrument.

CardTestingVerdict

Information about card testing fraud, where an adversary is testing fraudulently obtained cards or brute forcing their details.

JSON representation
{
  "risk": number
}
Fields
risk

number

Probability (0-1) of this transaction attempt being part of a card testing attack.

BehavioralTrustVerdict

Information about behavioral trust of the transaction.

JSON representation
{
  "trust": number
}
Fields
trust

number

Probability (0-1) of this transaction attempt being executed in a behaviorally trustworthy way.

Methods

annotate

Annotates a previously created Assessment to provide additional information on whether the event turned out to be authentic or fradulent.

create

Creates an Assessment of the likelihood an event is legitimate.