Format
Risk Intelligence data is returned in a structured JSON format that includes various risk signals and scores. The exact structure of the data may vary depending on which modules you have enabled on your account (as of writing, all modules are included by default).
The structure of the Risk Intelligence data is subject to change. We always aim for backwards compatibility, your validation and parsing logic should be flexible enough to handle new fields being added in the future.
Structure Overview
The Risk Intelligence data is organized into three high level sections:
{
risk_scores: { ... }, // Overall risk scores summarizing the assessment into scores per category (1-5).
network: { ... }, // Information about the user's network and IP address.
client: { ... }, // Detected browser or bot information.
}
Risk Scores
The risk_scores section provides a summary of the risk assessment in the form of scores for different categories. Each score is an integer value between 1 and 5, where 1 indicates very low risk and 5 indicates very high risk.
The available risk scores include:
overall: An overall risk score that combines all available signals into a single score.network: A risk score based on network-related signals such as IP reputation, ASN information, and geolocation. You can interpret this score as, based on the user's network characteristics, how likely the request is to be automated, fraudulent or malicious.browser: A risk score based on browser-related signals such as user agent, browser identification, bot identification and other client-side characteristics. This score helps assess the likelihood of the request being automated or coming from a suspicious client.
JSON Example
"risk_scores": {
"overall": 2,
"network": 2,
"browser": 1
}
Network Information
The network section provides detailed information about the user's network and IP address. This includes.
The IP address is never stored on our servers in an unhashed format. We encode it into the risk intelligence token so that we can pass it on to you.
You can compare this IP address to the one you see in your server logs to correlate the risk intelligence data with specific requests.
ip: The IP address of the user when the risk intelligence data was gathered on the frontend.as: Information about the Autonomous System (AS) associated with the user's IP address, including ASN, AS name, company, description, domain, country, RIR, route and type.geolocation: Geographic information about the user's IP address, including city, region, country.anonymization: Signals indicating whether the user is using anonymization services such as VPNs or proxies, including VPN detection, proxy detection, Tor detection.
JSON Example
"network": {
"ip": "88.64.123.45"
"as": {
"asn": 3209,
"name": "VODANET",
"company": "Vodafone GmbH",
"description": "Provides mobile and fixed broadband and telecommunication services to consumers and businesses.",
"domain": "vodafone.de",
"country": "DE",
"rir": "RIPE",
"route": "88.64.0.0/12",
"type": "isp"
},
"geolocation": {
"country": {
"iso2": "DE",
"iso3": "DEU",
"name": "Germany",
"name_native": "Deutschland",
"region": "Europe",
"subregion": "Western Europe",
"currency": "EUR",
"currency_name": "Euro",
"phone_code": "49",
"capital": "Berlin"
},
"city": "Eschborn",
"state": "Hessen"
},
"anonymization": {
"vpn_score": 2,
"proxy_score": 1,
"tor": false,
"icloud_private_relay": false
}
}
Client Information
The client section provides information about the user's client, which can be a browser or a bot. This includes:
browser: Detected browser information, including browser name, version, rendering engine, device type, brand and model, and operating system.tls_signature: TLS/SSL-derived information, including JA3 and JA4 signatures. These signatures can be used to identify specific clients and detect anomalies.automation: Signals related to automation and bot detection, including detected automation tools and bot types.
JSON Example
"client": {
"header_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0",
"time_zone": {
"name": "Europe/Berlin",
"country_iso2": "DE"
},
"browser": {
"id": "firefox",
"name": "Firefox",
"version": "146.0",
"release_date": "2026-01-28"
},
"browser_engine": {
"id": "gecko",
"name": "Gecko",
"version": "146.0"
},
"device": {
"type": "desktop",
"brand": "",
"model": ""
},
"os": {
"id": "windows",
"name": "Windows",
"version": "10"
},
"tls_signature": {
"ja3": "d87a30a5782a73a83c1544bb06332780",
"ja3n": "28ecc2d2875b345cecbb632b12d8c1e0",
"ja4": "t13d1516h2_8daaf6152771_02713d6af862"
},
"automation": {
"automation_tool": {
"detected": false,
"id": "",
"name": "",
"type": ""
},
"known_bot": {
"detected": false,
"id": "",
"name": "",
"type": "",
"url": ""
}
}
}
Field Reference
A comprehensive breakdown of all fields in the Risk Intelligence data format.
Risk Scores
risk_scores - Risk assessment scores
Risk scores summarize the entire risk intelligence assessment into scores per category. Each score is an integer from 0-5.
| Value | Meaning |
|---|---|
0 | Unknown or missing |
1 | Very low risk |
2 | Low risk |
3 | Medium risk |
4 | High risk |
5 | Very high risk |
Why are risk scores not a percentage or a decimal score? We use a 1-5 integer scale to make it easier for you to set thresholds and make decisions based on the scores. A percentage or decimal score can give a false sense of precision, while in reality the underlying data and signals are often noisy and not precise enough to justify that level of granularity (ie what is the difference between 81% and 82% risk?).
The 1-5 scale provides a more actionable and interpretable way to use the risk scores in your decision-making processes.
overall - Overall risk score
Type: Integer (0-5)
Description: A combined risk score that aggregates all available signals into a single assessment.
Example:
"overall": 2
network - Network risk score
Type: Integer (0-5)
Description: Risk score based on network-related signals such as IP reputation, ASN information, geolocation, past abuse from this network, and other network characteristics. Indicates the likelihood of automation or malicious activity based on the network.
Example:
"network": 2
browser - Browser risk score
Type: Integer (0-5)
Description: Risk score based on browser-related signals such as user agent consistency, automation traces, past abuse, and browser characteristics. Indicates the likelihood of automation, malicious activity, or browser spoofing.
Example:
"browser": 1
Network
network - Network and IP information
Contains information about the user's network, IP address, and related characteristics.
ip - Client IP address
Type: String
Description: The IP address used when requesting the challenge. You can compare this IP with the one that is submitting to your backend. Note that IP addresses can change mid-session, for example when users are on mobile networks or using certain ISPs - so do create a way for users to update the IP address associated with a session in your system.
Example:
"ip": "88.64.4.22"
as - Autonomous System information
Type: Object or null
Description: Information about the Autonomous System that owns the IP address.
number - ASN
Type: Integer
Description: Autonomous System Number (ASN) identifier.
Example:
"number": 3209
name - AS name
Type: String
Description: Short name or handle of the autonomous system.
Example:
"name": "VODANET"
company - Company name
Type: String
Description: Organization name that owns the ASN.
Example:
"company": "Vodafone GmbH"
description - Company description
Type: String
Description: Short description of the company that owns the ASN.
Example:
"description": "Provides mobile and fixed broadband and telecommunication services to consumers and businesses."
domain - Company domain
Type: String
Description: Domain name associated with the ASN.
Example:
"domain": "vodafone.de"
country - ASN country
Type: String
Description: Two-letter ISO 3166-1 alpha-2 country code where the ASN is registered.
Example:
"country": "DE"
rir - Regional Internet Registry
Type: String
Description: RIR that allocated the ASN.
Possible Values:
"ARIN"- American Registry for Internet Numbers (North America)"RIPE"- Réseaux IP Européens (Europe, Middle East, Central Asia)"APNIC"- Asia-Pacific Network Information Centre"LACNIC"- Latin America and Caribbean Network Information Centre"AFRINIC"- African Network Information Centre
Example:
"rir": "RIPE"
route - IP route
Type: String
Description: IP route in CIDR notation associated with the ASN.
Example:
"route": "88.64.0.0/12"
type - AS type
Type: String
Description: Type classification of the autonomous system.
Possible Values:
"isp"- Internet Service Provider"mobile"- Mobile network operator"government"- Government organization"hosting"- Hosting/data center provider"education"- Educational institution"individual"- Individual/personal ASN"business"- Business/corporate network"other"- Other/uncategorized
Example:
"type": "isp"
geolocation - Geographic location
Type: Object or null
Description: Geographic location information for the IP address.
country - Country information
Type: Object
Description: Detailed information about the country.
iso2 - ISO 3166-1 alpha-2 code
Type: String
Description: Two-letter country code.
Example:
"iso2": "DE"
iso3 - ISO 3166-1 alpha-3 code
Type: String
Description: Three-letter country code.
Example:
"iso3": "DEU"
name - Country name
Type: String
Description: English name of the country.
Example:
"name": "Germany"
name_native - Native country name
Type: String
Description: Country name in its native language.
Example:
"name_native": "Deutschland"
region - Geographic region
Type: String
Description: Major world region.
Example:
"region": "Europe"
subregion - Geographic subregion
Type: String
Description: More specific world region.
Example:
"subregion": "Western Europe"
currency - Currency code
Type: String
Description: ISO 4217 currency code.
Example:
"currency": "EUR"
currency_name - Currency name
Type: String
Description: Full name of the primary currency used in the country.
Example:
"currency_name": "Euro"
phone_code - Country phone code
Type: String
Description: International dialing code.
Example:
"phone_code": "49"
capital - Capital city
Type: String
Description: Name of the capital city.
Example:
"capital": "Berlin"
city - City name
Type: String
Description: City of the IP address. Empty string if unknown.
Example:
"city": "Eschborn"
state - State/region/province
Type: String
Description: State, region, or province of the IP address. Empty string if unknown.
Example:
"state": "Hessen"
abuse_contact - Abuse contact information
Type: Object or null
Description: Contact information for reporting network abuse.
address - Postal address
Type: String
Description: Postal address of the abuse contact.
Example:
"address": "Vodafone GmbH, Campus Eschborn, Duesseldorfer Strasse 15, D-65760 Eschborn, Germany"
name - Contact name
Type: String
Description: Name of the abuse contact person or team.
Example:
"name": "Vodafone Germany IP Core Backbone"
email - Contact email
phone - Contact phone
Type: String
Description: Abuse contact phone number. This can be in various formats, but often includes the country code. Note that not all abuse contacts provide a phone number.
Example:
"phone": "+49 6196 52352105"
anonymization - Anonymization detection
Type: Object or null
Description: Detection of VPNs, proxies, and anonymization services.
vpn_score - VPN detection score
Type: Integer (0-5)
Description: Likelihood that a VPN is being used. Higher scores indicate stronger evidence of VPN usage.
Example:
"vpn_score": 2
proxy_score - Proxy detection score
Type: Integer (0-5)
Description: Likelihood that the user is connecting through a proxy server. Higher scores indicate stronger evidence of proxy usage.
Example:
"proxy_score": 1
tor - Tor exit node
Type: Boolean
Description: Whether the IP is a Tor exit node.
Example:
"tor": false
icloud_private_relay - iCloud Private Relay
Type: Boolean
Description: Whether the IP is from iCloud Private Relay.
Example:
"icloud_private_relay": false
Client
client - User agent and device information
Contains information about the client device, browser, and operating system.
header_user_agent - User-Agent header
Type: String
Description: The User-Agent HTTP header value.
Example:
"header_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:146.0) Gecko/20100101 Firefox/146.0"
time_zone - Time zone information
Type: Object or null
Description: IANA time zone information from the browser.
name - IANA time zone
Type: String
Description: IANA time zone name reported by the browser.
Example:
"name": "America/New_York"
country_iso2 - Country from time zone
Type: String
Description: Two-letter ISO 3166-1 alpha-2 country code derived from the time zone. Returns "XU" if timezone is missing or cannot be mapped to a country (e.g., "Etc/UTC").
Example:
"country_iso2": "US"
browser - Browser information
Type: Object or null
Description: Detected browser details.
id - Browser identifier
Type: String
Description: Unique browser identifier. Empty string if browser could not be identified.
Possible Values:
"chrome"- Chrome"chrome_android"- Chrome for Android"edge"- Microsoft Edge"firefox"- Firefox"firefox_android"- Firefox for Android"ie"- Internet Explorer"oculus"- Quest Browser (Oculus)"opera"- Opera"opera_android"- Opera for Android"safari"- Safari"safari_ios"- Safari on iOS"samsunginternet_android"- Samsung Internet for Android"webview_android"- WebView on Android"webview_ios"- WebView on iOS""- Unknown
Example:
"id": "firefox"
name - Browser name
Type: String
Description: Human-readable browser name. Empty string if browser could not be identified.
Example:
"name": "Firefox"
version - Browser version
Type: String
Description: Browser version number. Assumed to be the most recent release matching the signature if exact version unknown. Empty if unknown.
Example:
"version": "146.0"
release_date - Version release date
Type: String
Description: Release date of the browser version in "YYYY-MM-DD" format. Empty string if unknown.
Example:
"release_date": "2026-01-28"
browser_engine - Rendering engine information
Type: Object or null
Description: Browser rendering engine details.
id - Engine identifier
Type: String
Description: Unique rendering engine identifier. Empty string if engine could not be identified.
Possible Values:
"blink"- Blink (Chromium-based browsers like Chrome, Edge, Opera)"edgehtml"- EdgeHTML (legacy Microsoft Edge, no longer developed)"gecko"- Gecko (Firefox)"presto"- Presto (legacy Opera, no longer developed)"trident"- Trident (Internet Explorer)"v8"- V8 JavaScript engine"webkit"- WebKit (Safari)""- Unknown
Example:
"id": "gecko"
name - Engine name
Type: String
Description: Human-readable engine name. Empty string if engine could not be identified.
Example:
"name": "Gecko"
version - Engine version
Type: String
Description: Rendering engine version. Assumed to be the most recent release matching the signature if exact version unknown. Empty if unknown.
Example:
"version": "146.0"
device - Device information
Type: Object or null
Description: Device type and details.
type - Device type
Type: String
Description: Type of device.
Possible Values:
"desktop"- Desktop device"mobile"- Mobile phone"tablet"- Tablet device"tv"- TV device"console"- Game console (PlayStation, Xbox, etc.)"wearable"- Wearable device (smartwatch, fitness tracker, etc.)"xr"- Extended reality device (VR headset, AR glasses, etc.)"unknown"- Unknown device type
Example:
"type": "desktop"
brand - Device brand
Type: String
Description: Manufacturer brand.
Example:
"brand": "Apple"
model - Device model
Type: String
Description: Device model name.
Example:
"model": "iPhone 17"
os - Operating system information
Type: Object or null
Description: Detected operating system details.
id - OS identifier
Type: String
Description: Unique operating system identifier. Empty string if OS could not be identified.
Possible Values:
"windows"- Microsoft Windows"macos"- Apple macOS"linux"- Linux"android"- Android"ios"- Apple iOS"ipados"- Apple iPadOS"chromeos"- ChromeOS""- Unknown
Example:
"id": "windows"
name - OS name
Type: String
Description: Human-readable operating system name. Empty string if OS could not be identified.
Example:
"name": "Windows"
version - OS version
Type: String
Description: Operating system version number.
Example:
"version": "10"
tls_signature - TLS/SSL signatures
Type: Object or null
Description: TLS client hello signatures (also called TLS fingerprints) derived from the TLS handshake between the client and server.
ja3 - JA3 signature
Type: String
Description: JA3 TLS fingerprint hash.
Example:
"ja3": "d87a30a5782a73a83c1544bb06332780"
ja3n - JA3N signature
Type: String
Description: JA3N TLS fingerprint hash.
Example:
"ja3n": "28ecc2d2875b345cecbb632b12d8c1e0"
ja4 - JA4 signature
Type: String
Description: JA4 TLS fingerprint.
Example:
"ja4": "t13d1516h2_8daaf6152771_02713d6af862"
automation - Automation and bot detection
Type: Object or null
Description: Information about detected automation and bots.
automation_tool - Automation tool detection
Type: Object
Description: Detected automation tool information. Note that many automation tools are designed to mimic real browsers and may not be detected, so a value of detected: false does not necessarily mean that no automation is being used. The browser risk score can help assess the likelihood of automation even when specific tools are not detected.
detected - Detection flag
Type: Boolean
Description: Whether an automation tool was detected.
Example:
"detected": false
id - Tool identifier
Type: String
Description: Automation tool identifier. Empty if no tool detected.
Examples: "puppeteer", "playwright", "webdriver"
Example:
"id": "playwright"
name - Tool name
Type: String
Description: Human-readable tool name. Empty if no tool detected.
Examples: "Puppeteer", "Playwright", "WebDriver"
Example:
"name": "Playwright"
type - Tool type
Type: String
Description: Type of automation tool. Empty if no tool detected.
Possible Values:
"browser_automation"- Browser automation tool (e.g., Puppeteer, WebDriver, Playwright)""- No tool detected
Note
Example:
"type": "browser_automation"
known_bot - Known bot detection
Type: Object
Description: Detected known bot information. Known bots have public documentation about their identity and purpose.
detected - Detection flag
Type: Boolean
Description: Whether a known bot was detected.
Example:
"detected": false
id - Bot identifier
Type: String
Description: Bot identifier. Empty if no bot detected.
Possible Values (Search Engines):
"GoogleBot"- Google search crawler"BingBot"- Microsoft Bing search crawler"YahooBot"- Yahoo search crawler"DuckDuckBot"- DuckDuckGo search crawler"BaiduBot"- Baidu search crawler (China)"YandexBot"- Yandex search crawler (Russia)"360Bot"- 360 search crawler (China)"SogouBot"- Sogou search crawler (China)"SeznamBot"- Seznam search crawler (Czech Republic)
Possible Values (Social Media):
"FacebookBot"- Facebook link preview crawler"TwitterBot"- Twitter/X link preview crawler"LinkedInBot"- LinkedIn link preview crawler"PinterestBot"- Pinterest crawler"DiscordBot"- Discord link preview bot"TelegramBot"- Telegram link preview bot"WhatsAppBot"- WhatsApp link preview bot
Possible Values (AI/LLM):
"OAI-SearchBot"- OpenAI web search bot"GPTBot"- OpenAI GPT crawler"ChatGPT-User"- ChatGPT user-initiated request"ClaudeBot"- Anthropic Claude crawler"PerplexityBot"- Perplexity AI crawler"Perplexity-User"- Perplexity user-initiated request"Google-Extended"- Google AI/LLM crawler"Applebot-Extended"- Apple AI/LLM crawler
Possible Values (SEO/Crawlers):
"SemrushBot"- Semrush SEO crawler"AhrefsBot"- Ahrefs SEO crawler"MJ12Bot"- Majestic SEO crawler"DotBot"- Moz/OpenSiteExplorer crawler"RogerBot"- Moz/RogerBot crawler"PetalBot"- Huawei Petal search crawler"ExaBot"- Exalead crawler"ProximicBot"- Comscore Proximic crawler
Possible Values (Monitoring):
"UptimeRobot"- Uptime monitoring service"PingdomBot"- Pingdom monitoring service"GTmetrixBot"- GTmetrix performance monitoring"Site24x7Bot"- Site24x7 monitoring service"NewRelicBot"- New Relic monitoring service"MonitisBot"- Monitis monitoring service
Possible Values (Other):
"AppleBot"- Apple web crawler"AmazonBot"- Amazon web crawler"MSNBot"- Microsoft MSN crawler (legacy)"InternetArchiveBot"- Internet Archive Wayback Machine crawler"UnknownBot"- Detected as bot but specific identity unknown""- No bot detected
Example:
"id": "GoogleBot"
name - Bot name
Type: String
Description: Human-readable bot name. Empty if no bot detected.
Examples: "Googlebot", "Bingbot", "ChatGPT"
Example:
"name": ""
type - Bot type
Type: String
Description: Bot type classification. Empty if no bot detected.
Possible Values:
"search_engine"- Search engine crawler"social"- Social media crawler/link preview bot"crawler"- General web crawler (SEO, archival, etc.)"monitoring"- Monitoring/uptime check service"ai"- AI bot (generic, when specific type unknown)"ai_crawler"- AI model training/data collection crawler"ai_user_initiated"- AI assistant responding to user request"ai_agent"- Autonomous AI agent""- No bot detected
Example:
"type": "search_engine"
url - Bot documentation URL
Type: String
Description: Link to bot documentation. Empty if no bot detected.
Example:
"url": "https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers"