Device Profiling


This guide will walk you through how to conduct Passive Risk Analysis through Device Profiling with AXN Manage.

Using Device Profiling Test Application

Opening the Test Application will profile your device using JavaScript:


and generate your Session ID:

Your device was profiled successfully. Your session ID is: 5fb9f50f-7068-468c-a8d2-f0f90581dd0a



It is important that the script runs and completes before your user navigates away from the web page. If your user leaves or is able to move passed the web page before the script finishes running, this can produce inconclusive results.

For example, we recommend that if there is a login or continue button, you should disable it until the script has finished running which on average takes around 3-5 seconds (code sample below).

<html lang="en">

    // Generate a Random Session ID.
    var sessionID = crypto.randomUUID()

    // Create an HTML script element.
    var profiler = document.createElement("script");

    // Set the script's source equal to the Threat Metrix endpoint + your Session ID.
        profiler.src = "" + sessionID;
    // Append the script to the current web page.

    // Enable your login button after 5 seconds.
    setInterval(() => {
      document.getElementById('login-button').disabled = false;
      document.getElementById('session-id').innerHTML = "Your Session ID is: " + '<b>' + sessionID + '</b>';
    }, 5000);

    <p id="session-id">Your Session ID is: <b>...loading</b></p>
    <button style="width: 250px; height: 30px;" id="login-button" disabled>Login</button>


Session ID identifies your profiling session.

It is also used to obtain your device profiling results. It can be any length, but it must be a unique value.

Keep this Session ID on-hand. It will be used in the following step.

Using the Device Profiling Postman Project

Open the Postman Project. Then, generate an access token using the first request in the collection: Get Token.

This token will allow you to make requests to the AXN Verify API.


To generate an Access Token, use any API Key/Secret pair from ID DataWeb Admin > Workflows.

Place them in Postman under Get Token > Authorization, as Username and Password.

Your response body will contain the property: access_token. This token ensures that your next request is authenticated.

Grab the Session ID you created with your Test Application, and add it to the body of the next request, Get Score, under apSessionId.


Use the Bearer token obtained from the previous step to authenticate your request.

Click SEND, and within milliseconds, you'll receive the results from your Session.

Scroll further, and you'll find the property, policyDecision.

This value expresses a decision (should the transaction proceed, or halt) made from assessing the information gathered from running your Test Application.

If your Device or User Activity was found to be of high-risk (fraud), this output would inform you of any fraudulent activity found, and the transaction (session) would be prevented from proceeding further.

Understanding the results

The results of this API call provide the full risk score of your device.

For a high-level overview of all the results received

For a detailed-look at any one of your result's properties

For more information on policyDecision, and how it relates to your application

Next Steps

See Trust Device to learn how to trust your user post-device profiling.

What’s Next

Next - let's challenge the user with MFA.