API Responses

Learn how to interpret RiskOS™ API responses, understand status codes, and handle errors in your integration.

Response format standards

FieldValue
EncodingUTF-8
FormatJSON
TimestampsISO 8601 (UTC) — YYYY-MM-DDTHH:MM:SS.fffZ
ArraysEmpty arrays are always represented as [] (never null)

HTTP status codes

Success

StatusMeaningWhen it occurs
200OKSynchronous evaluation completed. The response contains a final decision and all enrichment results.
201CreatedEvaluation started but paused for asynchronous input (for example, OTP verification or document upload). Poll with GET /api/evaluation/{eval_id} or subscribe to webhooks for the Evaluation Completed event.

Errors

StatusMeaningWhen it occurs
400Bad requestInvalid JSON, missing required fields, or invalid field values.
401UnauthorizedMissing or invalid API key.
403ForbiddenValid API key, but the request is blocked by an IP filter or insufficient permissions.
404Not foundThe endpoint or resource does not exist.
415Unsupported media typeThe Content-Type header is not application/json.
422Unprocessable entityValid JSON, but the values are semantically invalid.
429Too many requestsRate limit exceeded. Retry after the interval specified in the response headers.
500Internal server errorAn unexpected error occurred on the RiskOS™ server.
502Bad gatewayAn upstream dependency failed. Retryable.
503Service unavailableRiskOS™ is temporarily unavailable. Retryable.
504Gateway timeoutAn upstream dependency timed out. Retryable.

See Errors for the complete error response schema, error codes, and retry guidance.


Evaluation response

Every evaluation endpoint (POST /api/evaluation, GET /api/evaluation/{eval_id}, PATCH /api/evaluation/{eval_id}) returns the same JSON structure.

Where to find what you need

If you need to...Use these fields
Route application logic based on the outcomedecision, score, tags
Send a case to manual reviewreview_queues, notes
Correlate logs, webhooks, and support requestsid, eval_id
Identify which workflow version produced the resultworkflow, workflow_id, workflow_version
Inspect enrichment outputs (risk scores, OTP status, device data)data_enrichments[]
Track async evaluation progresseval_status, status, sub_status
Measure latency and confirm environmenteval_start_time, eval_end_time, environment_name

Decision and routing

These are the primary control signals. Branch your application logic on decision.

FieldTypeDescriptionExample
decisionStringFinal evaluation outcome. Default values: ACCEPT, REVIEW, REJECT. Your workflow may define custom decision values."REJECT"
decision_atString (date-time)RFC 3339 UTC timestamp when the decision was finalized."2025-12-11T17:49:28.930Z"
scoreIntegerAggregate risk score across all workflow steps. Present when scoring is configured for the workflow. Use for risk banding, routing, or analytics alongside decision.91
tagsArray of stringsLabels applied during workflow execution — routing choices, notable signals, or rule outcomes. Useful for reporting, segmentation, or UI highlighting in the RiskOS™ Dashboard.["High Risk", "Bad Device"]
review_queuesArray of stringsManual review queues the evaluation was assigned to. Empty when the case was auto-resolved.["Default Queue"]
notesStringFreeform text for analyst or system comments. Often captures manual review rationale or investigation context.""
📘

Note:

decision values are workflow-specific and may differ from the defaults shown here. Contact Socure to configure custom decision values for your integration.

Identifiers and traceability

Persist these fields to correlate API calls, logs, webhooks, and support cases.

FieldTypeDescriptionExample
idStringYour customer-defined identifier, echoed back from the request."onb-12345"
eval_idString (UUID)RiskOS™-generated unique identifier for this evaluation. Use this for GET and PATCH operations."6dc8f39c-ecc3-4fe0-9283-fc8e5f99e816"
workflowStringName of the workflow that was executed."consumer_onboarding"
workflow_idString (UUID)Unique identifier of the workflow definition."472288ff-b3a8-4e69-89dd-069d5e2bcb41"
workflow_versionStringVersion of the executed workflow."3.7.0"

Evaluation lifecycle

Use these fields for monitoring and async workflow tracking.

📘

Important:

Do not branch business logic on eval_status or status. Use decision for routing decisions.

FieldTypeDescriptionExample
eval_statusStringEvaluation lifecycle state. Values: evaluation_completed, evaluation_paused, evaluation_in_progress."evaluation_completed"
statusStringCase-level status. Values: OPEN, ON_HOLD, CLOSED."CLOSED"
sub_statusStringAdditional status detail. Values vary by workflow (for example, Under Review, Pending Verification, Accept, Reject)."Reject"

Execution context

Observability metadata for latency tracking, environment validation, and source attribution.

FieldTypeDescriptionExample
eval_sourceStringWhere the evaluation was initiated. Values: API, Dashboard."API"
eval_start_timeString (date-time)RFC 3339 UTC timestamp when processing started."2025-01-15T10:28:24.456Z"
eval_end_timeString (date-time)RFC 3339 UTC timestamp when processing finished. Pair with eval_start_time to compute total latency."2025-01-15T10:29:10.999Z"
environment_nameStringEnvironment the evaluation ran in. Values: Sandbox, Production."Sandbox"

Extended fields

These fields appear under specific conditions.

FieldTypeConditionDescription
inputObjectReturned when include_input=true is set in the request query string.Original input data. Contains data (as submitted) and updated_data (after workflow transformations).
computedObjectDisabled by default. Contact Socure to enable.Derived and aggregated results computed during workflow execution.
aggregationsObjectDisabled by default. Contact Socure to enable.Historical aggregation data across prior evaluations for this identity.
group_idStringPresent when evaluations are linked.Identifier linking related evaluations in a group.
redirect_uriStringPresent for Hosted UX (Capture App) workflows.URL to redirect the end user to the Socure-hosted capture experience.

Enrichment results

The data_enrichments array contains one object per enrichment module executed in the workflow. The array order matches the execution sequence.

Enrichment object fields

FieldTypeDescription
enrichment_nameStringName of the enrichment module (for example, "Socure Email Risk", "Deliver OTP SMS").
enrichment_providerStringProvider that executed the enrichment (for example, "Socure", "SocureOTP", "SocureCNam").
enrichment_endpointStringAPI endpoint called for this enrichment.
status_codeIntegerHTTP status code returned by the enrichment provider.
requestObjectPayload sent to the provider. Useful for debugging integration issues.
responseObjectNormalized response from the provider. Socure enrichments always include a referenceId.
is_source_cacheBooleantrue if the response was served from cache instead of a live provider call.
total_attemptsNumberTotal API call attempts, including retries.
error_messageStringError details if the enrichment call failed. Empty on success.

Provider response shapes

The response object structure varies by enrichment provider. Expand each section for the schema and field descriptions.

Risk score enrichments (Address, Email, Phone)

Risk score enrichments return a consistent structure. The top-level key matches the module name: addressRisk, emailRisk, or phoneRisk.

{
  "referenceId": "4ca693ee-af2a-45ef-9688-834683ac1b34",
  "addressRisk": {
    "reasonCodes": ["I704", "I705", "I708"],
    "score": 0.01,
    "scores": [
      {
        "name": "addressrisk_cus1",
        "score": 0.01,
        "version": "10.0"
      }
    ]
  }
}
FieldTypeDescription
referenceIdString (UUID)Unique identifier for this enrichment result.
{module}.reasonCodesArray of stringsReason codes that explain the score.
{module}.scoreNumberPrimary risk score for this module.
{module}.scoresArray of objectsScore model variants, each with name, score, and version.
OTP enrichments (Deliver and Verify)

OTP enrichments handle one-time password delivery and verification across two separate steps.

Deliver OTP response:

{
  "verificationId": "5ac71c12-32df-4fb2-ab76-5493444f3f97",
  "error": ""
}

Verify OTP response:

{
  "verificationId": "5ac71c12-32df-4fb2-ab76-5493444f3f97",
  "status": "approved",
  "attemptCount": 1,
  "error": ""
}
FieldTypePresent inDescription
verificationIdString (UUID)Deliver, VerifyIdentifier linking the delivery and verification steps.
statusStringVerify onlyVerification result (for example, "approved").
attemptCountIntegerVerify onlyNumber of OTP entry attempts.
errorStringDeliver, VerifyError message if the operation failed. Empty on success.
CNAM enrichment

CNAM (Caller Name) enrichments return phone number ownership data.

{
  "callerName": "Jane Smith",
  "callerType": "CONSUMER",
  "countryCode": "US",
  "phoneNumber": "+13125551234",
  "valid": true
}
FieldTypeDescription
callerNameStringRegistered name associated with the phone number.
callerTypeStringOwner type (for example, "CONSUMER", "BUSINESS").
countryCodeStringTwo-letter ISO country code.
phoneNumberStringThe queried phone number in E.164 format.
validBooleanWhether the phone number is valid and active.
Digital Intelligence enrichment

Digital Intelligence returns device fingerprinting, network analysis, behavioral data, and entity profiling. This is the largest enrichment response.

{
  "referenceId": "7b3c2c04-0e7e-46e4-afe8-b905cdf91833",
  "digitalIntelligence": {
    "device": {
      "id": "234ac3ff-3ed1-42de-8f33-8f332febfa54",
      "globalDeviceId": "aecddd42-f223-3333-940c-87baab4c6645",
      "sessionCreatedAt": "2025-01-15T18:06:52.248Z",
      "deviceCapturedAt": "2025-01-15T18:09:12.735Z",
      "computed": {
        "statisticalId": "9349d69fef75cd356744293487462f8cd912",
        "isVirtualMachine": false,
        "isTamperedAndroidBuild": true,
        "sessionAgeMinutes": 45,
        "deviceNetworkTimezoneOffsetDiffMinutes": 60
      },
      "network": {
        "connectionIp": "38.48.122.126",
        "realIp": "38.48.122.126",
        "isTor": true,
        "isProxy": true,
        "isVpn": true,
        "isp": "comcast",
        "networkLocation": {
          "countryCode": "US",
          "region": "WA",
          "city": "Tacoma",
          "postalCode": "98401"
        }
      },
      "attributes": {
        "platform": "iOS",
        "os": "iOS",
        "osVersion": 17,
        "deviceModel": "iphone14,7",
        "deviceType": "phone",
        "isEmulator": true
      },
      "history": {
        "firstSeen": "2023-10-24T15:55:16.368Z",
        "lastSeen": "2025-01-15T18:09:12.735Z",
        "daysSeen": ["2023-10-24", "2025-01-15"]
      }
    },
    "behavioral": {
      "sessionId": "d34304a6-a726-4dec-b1cd-9c4a3c192a0d",
      "duration": 120910,
      "aggregations": {
        "totalEventCount": 26,
        "inputChangeCount": 6,
        "pasteCount": 0,
        "clickCount": 3,
        "submissionCount": 1
      }
    },
    "entityProfiler": [
      {
        "entity": "12223334444",
        "entityType": "phone",
        "profile": {
          "seenCount": 2,
          "firstSeen": "2024-08-24T14:15:22Z",
          "lastSeen": "2025-01-15T18:09:12Z",
          "deviceTypes": ["phone", "tablet"],
          "networkLocationStates": ["ca", "az"]
        }
      }
    ],
    "velocityMetrics": {
      "historicalCount": {
        "email": {
          "uniqueCount": 2,
          "uniqueSharePercent": 87
        },
        "mobileNumber": {
          "uniqueCount": 1,
          "uniqueSharePercent": 100
        }
      }
    }
  },
  "customerProfile": {
    "customerUserId": "129",
    "userId": "u8JpWn4QsF3R7tA2"
  }
}

Key sections:

SectionDescription
device.computedDerived signals: isVirtualMachine, isTamperedAndroidBuild, sessionAgeMinutes, statisticalId, timezone offset differences.
device.networkNetwork analysis: IP addresses, VPN/proxy/Tor detection, ISP details, geolocation (networkLocation).
device.attributesDevice metadata: platform, OS version, device model, screen dimensions, battery state, timezone, language, emulator detection. Platform-specific data in androidAttributes, iOSAttributes, or webAttributes.
device.historyHistorical device activity: first and last seen dates, IP history, ISP history, location history.
behavioralSession behavior: event counts (clicks, pastes, form input changes, submissions), session duration, source URL.
entityProfilerCross-device entity profiles by phone, email, or national ID — historical device types, ISPs, timezones, and locations associated with each entity.
velocityMetricsVelocity checks on PII fields: unique count and share percentage for first name, surname, email, and phone number.

Example responses

Completed evaluation (200 OK)

A synchronous evaluation that ran to completion with a final decision and enrichment results.

{
  "id": "onb-12345",
  "eval_id": "6dc8f39c-ecc3-4fe0-9283-fc8e5f99e816",
  "workflow": "consumer_onboarding",
  "workflow_id": "472288ff-b3a8-4e69-89dd-069d5e2bcb41",
  "workflow_version": "3.7.0",
  "eval_status": "evaluation_completed",
  "decision": "REJECT",
  "decision_at": "2025-01-15T10:29:10.999Z",
  "score": 146,
  "status": "CLOSED",
  "sub_status": "Reject",
  "eval_source": "API",
  "eval_start_time": "2025-01-15T10:28:24.456Z",
  "eval_end_time": "2025-01-15T10:29:10.999Z",
  "tags": ["High Risk", "Bad Device"],
  "notes": "",
  "review_queues": [],
  "data_enrichments": [
    {
      "enrichment_name": "Socure Email Risk",
      "enrichment_provider": "Socure",
      "enrichment_endpoint": "https://sandbox.socure.com/api/3.0/EmailAuthScore",
      "status_code": 200,
      "request": {
        "modules": ["emailrisk"],
        "email": "[email protected]"
      },
      "response": {
        "referenceId": "92201637-1ec8-46b4-9537-236971eb6f9b",
        "emailRisk": {
          "reasonCodes": ["I520", "I555"],
          "score": 0.01,
          "scores": [
            {
              "name": "email_risk_cus1",
              "score": 0.01,
              "version": "10.0"
            }
          ]
        }
      },
      "is_source_cache": false,
      "total_attempts": 1,
      "error_message": ""
    },
    {
      "enrichment_name": "Socure Address risk",
      "enrichment_provider": "Socure",
      "enrichment_endpoint": "https://sandbox.socure.com/api/3.0/EmailAuthScore",
      "status_code": 200,
      "request": {
        "modules": ["addressrisk"],
        "city": "bakersfield",
        "country": "US",
        "email": "[email protected]"
      },
      "response": {
        "referenceId": "4ca693ee-af2a-45ef-9688-834683ac1b34",
        "addressRisk": {
          "reasonCodes": ["I704", "I705", "I708"],
          "score": 0.01,
          "scores": [
            {
              "name": "addressrisk_cus1",
              "score": 0.01,
              "version": "10.0"
            }
          ]
        }
      },
      "is_source_cache": false,
      "total_attempts": 1,
      "error_message": ""
    }
  ],
  "environment_name": "Sandbox"
}

Asynchronous evaluation (201 Created)

An evaluation that paused to wait for async input. The eval_end_time, decision_at, score, and tags fields may be absent because the evaluation has not yet completed.

Poll with GET /api/evaluation/{eval_id} or subscribe to webhooks to receive a notification when the evaluation finishes.

{
  "id": "onb-67890",
  "eval_id": "a3f2b91c-17d4-4e8a-b5c2-9f1e3a7d6c08",
  "workflow": "consumer_onboarding",
  "workflow_id": "472288ff-b3a8-4e69-89dd-069d5e2bcb41",
  "workflow_version": "3.7.0",
  "eval_status": "evaluation_paused",
  "decision": "REVIEW",
  "status": "OPEN",
  "sub_status": "Pending Verification",
  "eval_source": "API",
  "eval_start_time": "2025-01-15T10:30:24.456Z",
  "data_enrichments": [
    {
      "enrichment_name": "Deliver OTP SMS",
      "enrichment_provider": "SocureOTP",
      "enrichment_endpoint": "https://idplus.socure.com/api/1.0/otp/send",
      "status_code": 200,
      "request": {
        "channel": "sms",
        "destination": "+13125551234"
      },
      "response": {
        "verificationId": "5ac71c12-32df-4fb2-ab76-5493444f3f97",
        "error": ""
      },
      "is_source_cache": false,
      "total_attempts": 1,
      "error_message": ""
    }
  ]
}

Error responses

When a request fails, RiskOS™ returns a structured JSON error:

{
  "error": "Workflow not found",
  "code": "WORKFLOW_NOT_FOUND",
  "message": "No workflow exists with the specified name",
  "invalid_args": []
}
FieldTypeDescription
errorStringCustomer-facing error message. Always present.
codeStringMachine-readable error code for programmatic handling (for example, INVALID_REQUEST, AUTHENTICATION_FAILED).
messageStringAdditional diagnostic detail. May be absent on some error types.
detailsObjectStructured metadata about the error (for example, size limits, constraints). Optional.
invalid_argsArrayField-level validation errors, each with field, value, and tag properties. Present on 400 responses with validation failures.

For the complete list of error codes, troubleshooting steps, and retry guidance, see Errors.