Verify API v4
This page provides an overview of Arkose Labs Verify API, specifically v4, the latest version. It also describes how to use the Verify API in your application.
Other pages that document the Verify API are:
- Calling Verify v4 API
- Verify Request and Response Schemas
- Verify API v4 Response Fields and Examples
- IP Velocity Fields
- Risk Score
Overview
The Verify API verifies a session for both Arkose Detect and Arkose Protect, the latter after the Enforcement Challenge (EC) process. For security reasons, it is always called for each session from your server-side code. Its parameters are your Arkose private key and the session token returned from the Client API], whether or not an EC was presented.
Verify's response indicates if the user was verified. It can be in a simple 1 or 0 format, or in a full JSON format. Your server-side code deals with handling and analyzing the response.
Scenario 1
A user tries to sign on to a website. No EC is presented, either because the site is running Arkose Detect or because Arkose Protect decides not to serve them an EC. You call the Verify API to validate the session token, with the verification response passed back to your server.
Scenario 2
A user tries to sign on to a website configured for Arkose Protect. Arkose Protect decides to serve them an EC. The user completes the challenge. Your server-side code calls the Verify API to inspect the user’s actions and check their response, with the verification response passed back to your server.
Scenario 3
A user tries to sign on to a website configured for Arkose Detect. The Arkose Labs Platform runs its detection engine. After completion, your server-side code calls the Verify API to inspect the user’s response, with the verification response passed back to your server.
Creating Allowlists and Denylists
You can work with Arkose Labs to define Allowlists and Denylists. Essentially, Arkose takes a list of attributes and values you provide and uses them to create a custom telltale for your sessions. If an Allowlist-associated telltale is triggered, the session is validated, no matter what else happens. If a Denylist-associated telltale is triggered, the session is not validated. This is regardless of any other telltales being triggered.
To create an Allowlist or Denylist telltale, customers create a Zendesk ticket to put an attribute and its value or value range either as in an Allowlist or Denylist (IP values are a frequent choice for list attributes). From that, Arkose will create and set up custom telltales that your Verify API calls will use.
Processing Verify API Responses
- Occasionally, Arkose Labs will add fields to the Verify API response to provide customers with additional enriched information about the session.
- Arkose Labs will NEVER update or delete existing response fields that may have an impact on how its customers process the response.
- Customers should account for this while integrating the API so that any new fields added are gracefully handled on their end.
Updated 28 days ago