See api-docs Menu

Get a Risk Score

Use this API to get a real-time risk score for a user before completing a critical task or action.

For example, as part of an authentication flow you might check username/password and also obtain a risk score for the login. If the username/password is valid but the risk score is high you could step up to multi-factor authentication. Alternately if authentication is successful and the risk score is low then you could skip additional authentication.

The risk score is influenced by how much training data is supplied via the training API. As more event metadata is sent to the training API you can expect the risk scores returned to change.

Resource URL


Header Parameters




Set to bearer:<access_token>.

Set <access_token> to the access token you generated using the Generate Token API.

The access token must have been generated using an API credential pair created using the scope required to call this API. This API can be called using any one of the following scopes: Authentication Only, Read Users, Manage users, Read All, or Manage All.




Set to application/json.

Request Parameters




The IP address of the User’s request.




The user agent of the User’s request.




An Object containing User details.

The available object parameters are:

  • id - required A unique identifier for the user.
  • name - A name for the user.
  • authenticated - A boolean value which indicates if the metadata supplied in this event should be considered as trusted for the user. Defaults to false.

When using this API to get a risk score for user of the Adaptive Authentication service the user id must be in the following format.

{instance region}_{OneLogin User Id}

E.g. US_12345678



This field can used for targeting custom rules based on a group of people, customers, accounts, or even a single user.

The available object parameters are:

  • id - A unique id that represents the source of the event.
  • name - The name of the source



A dictionary of extra information that provides useful context about the session, for example the session ID, or some cookie information.

The available object parameters are:

  • id - If you use a database to track sessions, you can send us the session ID.



Information about the device being used.

The available object parameters are:

  • id - This device’s unique identifier



Set to the value of the __tdli_fp cookie.

Sample Request Body

  "ip" : "",
  "user_agent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3)...",
  "user" : {
    "id" : "112233",
    "name" : "Eve Smith"
  "source" : {
    "id" : "1234",
    "name" : "ABC Inc"
  "session" : {
    "id" : "xxxx-xxxxx-xxxxx-xxxxx"
  "device" : {
    "id" : "xxx-xxx-xxx"

Sample Response

    "score": 24,
    "triggers": [
        "Accessed from a new IP address",
        "Infrequent access from",
        "Infrequent access from Auckland, Auckland, New Zealand",
        "Infrequent access from New Zealand",
        "Infrequent access using Chrome on Macintosh",
        "Low trust for session"
    "messages": []



The risk score is a number between 0 and 100. Where 0 is low risk and 100 is the highest risk level possible.



Triggers are indicators of some of the key items that influenced the risk score. This is not an exhausative list of the reasons for the score and should only be used as a guide. We don’t recommend using the text of these triggers for decision making in your code.

Some examples of triggers are

  • “:browser on :platform is used infrequently”
  • “The IP :ip has been flagged as a threat in AlienVault Open Threat Exchange”
  • “:target_value is blacklisted”
  • “Device has not been seen before”
  • “Browser Cookie Expected”
  • “Machine learning processes indicated increased risk”
  • “:value is a new application”
  • “:value is a new location”
  • “:values has not been used before”
  • “Accessed from a new IP address”
  • “Accessed from a new browser session”
  • “The IP :ip has been blacklisted by”
  • “:datetime (UTC/GMT) is an unusual time of day”
  • “Accessed from the Tor network”
  • “Infrequent access from :values”
  • “Infrequent access from :value”
  • “Infrequent access using :values”
  • “Infrequent access from :value”
  • “Low trust for session”
  • “Unexpectedly high velocity (:velocity km/hr)”

  messages: [
    "ip must not be blank",
    "user[id] must not be blank"

Invalid API Key

Sample Code


curl -XPOST 'https://<subdomain>' \
  -H 'Authorization: Bearer xxxxxxxxxxxxx' \
  -d '{
    "ip" : "",
    "user_agent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3)...",
    "user" : {
      "id" : "112233",
      "name" : "Eve Smith"

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Run in Postman

    Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.

Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.