Normalize Identity Event

Normalize risk event

curl --request POST \
  --url https://api.truthlocks.com/v1/risk/events \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "event_type": "<string>",
  "subject_id": "<string>",
  "data": {},
  "timestamp": "<string>"
}
'

{
  "event_id": "<string>",
  "signal_id": "<string>"
}

POST

risk

events

Normalize risk event

curl --request POST \
  --url https://api.truthlocks.com/v1/risk/events \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "event_type": "<string>",
  "subject_id": "<string>",
  "data": {},
  "timestamp": "<string>"
}
'

{
  "event_id": "<string>",
  "signal_id": "<string>"
}

How Normalization Works

When you submit an identity event, the platform:

Records the raw event in the audit trail
Maps the event_type to a canonical signal type and base risk score
Enriches the signal with available metadata (issuer trust tier, geo, device)
Stores a risk_signal record ready for policy evaluation

Built-in Event Mappings

Event Type	Signal Type	Base Score
`verification.failed`	behavior	60
`verification.invalid_sig`	behavior	75
`login.failed.repeated`	ato	70
`login.suspicious_geo`	geo_anomaly	65
`attestation.deepfake_suspect`	deepfake	85
`session.hijack_suspect`	ato	90

Unknown event types are accepted with a base score of 10 and signal type behavior.

Request

event_source

string

required

The system that generated this event: attestation, verification, login, consumer_portal

event_type

string

required

The raw event name (e.g. login.failed, verification.failed, attestation.deepfake_suspect)

subject_id

string

required

Identifier of the entity involved in the event.

event_ref_id

string

External reference ID (attestation_id, session_id, etc.) for cross-referencing.

ip_address

string

Source IP address.

payload

object

Raw event payload for enrichment context.

Response

event_id

string

UUID of the recorded raw event source.

signal_id

string

UUID of the normalized risk signal created from this event.

signal_type

string

The normalized signal type derived from the event.

risk_score

integer

The base risk score assigned during normalization.

normalized

boolean

true if the event matched a known mapping; false if it used the generic fallback.

Authorizations

X-API-Key

string

header

required

API key for machine-to-machine authentication

Body

application/json

event_type

string

required

subject_id

string

required

data

object

timestamp

string

Response

Event ingested

event_id

string

signal_id

string

Get risk signal Deepfake & impersonation scan

Attestations

Receipts

Risk Evaluation

Risk Signals

Account Takeover

Velocity Scoring

Verification

Verification Packs

Issuers

API Keys

Policies

Issuer Applications

Identity & Access

Webhooks

Audit & Logs

Consumer (B2C)

Billing

Machine Agents

Agent Sessions & Tools

Trust & Witness

Truth Claims & Documents

Compliance & Anomalies

Datasets & Models

Orchestrations & Workflows

Guardrails & Delegation

MAIP Policies

Observability

Assets

System

How Normalization Works

Built-in Event Mappings

Request

Response

Authorizations

Body

Response

Attestations

Receipts

Risk Evaluation

Risk Signals

Account Takeover

Velocity Scoring

Verification

Verification Packs

Issuers

API Keys

Policies

Issuer Applications

Identity & Access

Webhooks

Audit & Logs

Consumer (B2C)

Billing

Machine Agents

Agent Sessions & Tools

Trust & Witness

Truth Claims & Documents

Compliance & Anomalies

Datasets & Models

Orchestrations & Workflows

Guardrails & Delegation

MAIP Policies

Observability

Assets

System

​How Normalization Works

​Built-in Event Mappings

​Request

​Response

Authorizations

Body

Response

How Normalization Works

Built-in Event Mappings

Request

Response