Evaluate ATO risk

ATO risk evaluate

curl --request POST \
  --url https://api.truthlocks.com/v1/risk/ato/evaluate \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "subject_id": "<string>",
  "ip_address": "<string>",
  "user_agent": "<string>",
  "device_fingerprint": "<string>",
  "action": "<string>"
}
'

{
  "risk_score": 123,
  "decision": "<string>",
  "signals": [
    {}
  ]
}

POST

risk

ato

evaluate

ATO risk evaluate

curl --request POST \
  --url https://api.truthlocks.com/v1/risk/ato/evaluate \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "subject_id": "<string>",
  "ip_address": "<string>",
  "user_agent": "<string>",
  "device_fingerprint": "<string>",
  "action": "<string>"
}
'

{
  "risk_score": 123,
  "decision": "<string>",
  "signals": [
    {}
  ]
}

Evaluates a login event against the ATO heuristic engine. The platform tracks failed logins per subject in a rolling one-hour window and derives a risk level from the current count. When a threshold is crossed, an alert is created and a risk signal is automatically ingested into the risk signal pipeline. See the account takeover detection guide for the full workflow, threshold reference, and integration patterns.

Threshold rules

Failed logins (1 h window)	Risk level	Auto-alert
0–4	normal	No
5–9	elevated	Yes — `velocity_exceeded`
10–19	high	Yes — `velocity_exceeded`
20+	critical	Yes — `credential_stuffing`

Request

subject_id

string

required

User identifier (user ID, email, or external ID).

event_type

string

required

subject_type

string

Type of subject. Defaults to user.

ip_address

string

Source IP address for the login attempt.

Response

subject_id

string

The subject that was evaluated.

subject_type

string

Type of subject (user).

risk_level

string

Current ATO risk level: normal | elevated | high | critical

risk_score

integer

Numeric risk score: 10 (normal), 50 (elevated), 70 (high), 90 (critical).

Number of failed logins in the current one-hour window.

alert

boolean

true if a new alert was triggered by this evaluation.

alert_type

string

Alert category when triggered: velocity_exceeded or credential_stuffing.

signal_id

string

UUID of the auto-ingested risk signal (only present when an alert fired).

event_type

string

The event type that was evaluated.

Authorizations

X-API-Key

string

header

required

API key for machine-to-machine authentication

Body

application/json

subject_id

string

required

ip_address

string

user_agent

string

device_fingerprint

string

action

string

Response

ATO evaluation result

risk_score

integer

decision

string

signals

object[]

Get deepfake scan results Get ATO profile

Attestations

Receipts

Risk Evaluation

Risk Signals

Account Takeover

Velocity Scoring

Verification

Verification Packs

Issuers

API Keys

Policies

Issuer Applications

Identity & Access

Webhooks

Audit & Logs

Consumer (B2C)

Billing

Machine Agents

Agent Sessions & Tools

Trust & Witness

Truth Claims & Documents

Compliance & Anomalies

Datasets & Models

Orchestrations & Workflows

Guardrails & Delegation

MAIP Policies

Observability

Assets

System

Threshold rules

Request

Response

Authorizations

Body

Response

Attestations

Receipts

Risk Evaluation

Risk Signals

Account Takeover

Velocity Scoring

Verification

Verification Packs

Issuers

API Keys

Policies

Issuer Applications

Identity & Access

Webhooks

Audit & Logs

Consumer (B2C)

Billing

Machine Agents

Agent Sessions & Tools

Trust & Witness

Truth Claims & Documents

Compliance & Anomalies

Datasets & Models

Orchestrations & Workflows

Guardrails & Delegation

MAIP Policies

Observability

Assets

System

​Threshold rules

​Request

​Response

Authorizations

Body

Response

Threshold rules

Request

Response