Velocity scoring is part of the Anti-Fraud Identity Firewall. Signals generated by velocity anomalies flow into the same pipeline as other fraud signals, so you can query and review them from the Risk & Fraud > Signals console page or the list signals endpoint.
How it works
Record actions
Call
POST /v1/risk/velocity/record each time a subject performs a tracked action — login attempts, API calls, transaction requests, or any custom action type.Rolling window tracking
The platform increments counters for the subject and action type across four rolling windows (1 m, 5 m, 1 h, 24 h). Windows reset automatically when they expire.
Weighted scoring
A velocity score is computed from the window counts. Short windows are weighted more heavily to detect bursts: 1 m × 30, 5 m × 20, 1 h × 10, 24 h × 5.
Automatic signal ingestion
When the velocity score reaches 60 or above, the platform automatically ingests a risk signal with
signal_type: "velocity". You don’t need a separate API call.Prerequisites
- An active Truthlocks tenant with an API key
- Action event data from your application (login attempts, API calls, transactions, or any repeatable action)
Recording an action
Send aPOST request to /v1/risk/velocity/record with the subject, action type, and optional metadata:
Scoring model
The velocity score is a weighted sum of action counts across four rolling windows. Short windows carry higher weight to prioritize burst detection:| Window | Weight | Purpose |
|---|---|---|
| 1 minute | 30 | Detects rapid bursts (credential stuffing, automated attacks) |
| 5 minutes | 20 | Catches sustained short-term abuse |
| 1 hour | 10 | Identifies medium-term patterns |
| 24 hours | 5 | Flags persistent anomalies over longer periods |
signal_type: "velocity".
Score interpretation
| Score range | Interpretation | Example |
|---|---|---|
| 0–29 | Normal | Typical user activity |
| 30–59 | Elevated | Above-average frequency, worth monitoring |
| 60–79 | High | Likely automated or abusive — signal auto-ingested |
| 80–100 | Critical | Strong anomaly — immediate investigation recommended |
Querying velocity windows
Retrieve the current velocity windows for a specific subject:Listing high-velocity anomalies
Query subjects with velocity scores above a threshold across your tenant:Integration patterns
Block or throttle on high velocity
Use the velocity score from the record response to decide whether to allow, throttle, or block an action:Combine with ATO detection
Velocity scoring tracks any action type across multiple time windows, while ATO detection is specifically optimized for login-based account takeover patterns with built-in threshold rules and alert management. Use both together for layered protection:- Velocity scoring for general abuse detection — API rate abuse, transaction flooding, registration spam
- ATO detection for focused login security — failed login velocity, credential stuffing alerts, subject risk profiles
Monitor via webhooks
Configure a webhook endpoint to receive real-time notifications when velocity-based risk signals are created, so your security team can respond without polling.Custom action types
You can track any action type your application produces. Common examples:| Action type | Use case |
|---|---|
login.failed | Failed login attempts |
api.request | API call frequency |
transaction.create | Payment or transfer attempts |
registration.attempt | Account creation spam |
password.reset | Password reset abuse |
verification.request | Verification request flooding |
Usage metering
Each call toPOST /v1/risk/velocity/record increments the antifraud.velocity_records usage counter for your billing cycle. You can monitor your consumption with the usage API or in the console at Settings > Billing > Usage under the Anti-Fraud section.
Velocity record quotas vary by plan tier. See the billing overview for details on all Anti-Fraud metered products.