Session Risk
Overview
Session Risk is the opening step in every workflow. It runs a passive device and network risk assessment silently — no identity factor is required from the user. Alongside the risk check, it collects one configurable attribute to establish session context: by default, the user's country, but it can be configured to collect an email address, a username, or to autosubmit with no user input at all.
High-risk sessions (TOR, velocity violations, OFAC matches, flagged IPs, bot signals) are denied at this step before any PII is collected. Low-risk sessions proceed to the next step.
Level of Assurance
Low — passive risk screening only. No identity verification factor collected.
User Friction Level
None to Low — depends on attribute configuration. Autosubmit mode requires no user input at all.
End User Requirements
None (autosubmit) or minimal — select a country, enter an email, or enter a username depending on configuration.
Speed
Real-time — device profiling completes in 3–5 seconds; no user wait is perceptible.
Supported Countries
Global — passive risk assessment runs regardless of country.
Use Cases & Fraud Prevention
- Entry point for User Onboarding and Continuous Re-Authentication — runs at the start of every flow.
- Pre-collection fraud filtering — deny TOR, flagged IPs, velocity abuse, and bot sessions before any PII is collected.
- OFAC screening at session start.
- Localization and routing — country selection sets language, address format, and dial code prefix for downstream steps.
- Early email risk signal (optional add-on) — filter disposable or high-risk email addresses at the lowest-friction point.
How It Works
A JavaScript profiling tag runs on page load, collecting device fingerprint, IP address, browser/OS characteristics, and network signals. These are passed to the Device & Network Risk checker (LexisNexis ThreatMetrix Advanced) for evaluation. In parallel, the configured attribute (country, email, username, or autosubmit) is collected from the user or resolved automatically. No user interaction is required for the risk assessment itself.
Outcome:
- High risk (TOR, OFAC, velocity violation, flagged IP, bot signal): policyDecision =
deny— session ends immediately, before any PII is collected. - Low / medium risk: policyDecision =
obligation— aforwardApiKeyis returned for the next step. - No high risk + trusted device (Continuous Re-Authentication only): policyDecision =
approve— device is recognized and session passes without a possession challenge.
Configuration Options
Attribute Collection Modes
| Mode | User input | Use case |
|---|---|---|
| Country (default) | User selects country from list | Multi-country flows; enables localization and routing |
| User enters email address | Flows where email is already the identifier | |
| Username | User enters username | Re-authentication or step-up MFA flows |
| Autosubmit | None — step submits silently | When session context is already established; eliminates all user input |
The attribute collected here becomes available to downstream steps and can be used in policy routing decisions.
Optional Add-ons
- Email Risk — runs email reputation check as part of this step (zero-friction, no additional user input)
- Login Hint — prefill the collected attribute from your own directory via the Login Hint parameter, allowing autosubmit even when the value is user-specific
Integration: Gateway (OIDC)
Session Risk is handled automatically as the first step in any Gateway deployment. No additional integration work is required beyond the standard workflow setup.
Step-by-step Setup
- Country mode (default): no additional configuration required. Country is presented to the user as a dropdown.
- Autosubmit mode: pass country via
scope=openid+country.US(or other country code) in the/authorizerequest to skip the selector UI. - Email or Username mode: contact your ID Dataweb team to configure the attribute type.
Integration: ID Dataweb API
Session Risk is the first /slverify call in any API integration. The step key for this step is issued separately in the Admin Console.
API Prerequisites
sequenceDiagram
participant App as Your Application
participant IDW as ID Dataweb API
Note over App,IDW: JS profiling tag loads on page — collecting device signals
App->>IDW: POST /token (apiKey:secret)
IDW-->>App: access_token
Note over App,IDW: tmx_profiling_complete fires → profiling is done
App->>IDW: POST /slverify (Session Risk key + APSessionID + attribute)
IDW-->>App: policyDecision (obligation or deny) + forwardApiKey
Note over IDW,App: obligation → forwardApiKey = next step key
Note over IDW,App: deny → session blocked (TOR, OFAC, velocity, flagged IP)
API Reference
Session Risk
Device Profiling Tag
The profiling tag must be loaded on your page before /slverify is called. It runs silently in the background, collecting device fingerprint, IP, browser, OS, and behavioral signals. Add the tag to your page's <head>, generating a unique session_id per session:
<script>
// Generate a unique session ID for this session
var sessionID = crypto.randomUUID();
var profiler = document.createElement('script');
profiler.src = 'https://api.iddataweb.com/v1/profile/tmx/tags.js'
+ '?pageid=3'
+ '&profilingdomain=content.maxconnector.com'
+ '&org_id=716kkpe1'
+ '&session_id=' + sessionID;
document.getElementsByTagName('head')[0].appendChild(profiler);
</script>Calling /slverify via tmx_profiling_complete
The profiling tag fires tmx_profiling_complete automatically when data collection finishes. Call /slverify from inside this function — not on a fixed timer. Calling before profiling completes produces an incomplete risk score and may cause incorrect decisions. Keep any submit button disabled until the callback fires.
function tmx_profiling_complete(session_id) {
// Profiling is complete — safe to call /slverify now
document.getElementById('submit-button').disabled = false;
fetch('https://api.iddataweb.com/v1/slverify', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': 'Bearer ' + accessToken
},
body: JSON.stringify({
apikey: SESSION_RISK_STEP_KEY,
credential: userCredential,
userAttributes: [
{
attributeType: 'APSessionID',
values: { apSessionId: session_id }
},
{
attributeType: 'Country',
values: { country: 'US' }
}
]
})
})
.then(res => res.json())
.then(data => {
// data.policyDecision = 'obligation' (proceed) or 'deny' (blocked)
// data.forwardApiKey = next step key if obligation
});
}Replace Country with EmailAddress or Username depending on your configured attribute collection mode.
Session Risk — Response
{
"errorCode": "string",
"errorDescription": "string",
"transaction_id": "string",
"userAttributes": [],
"acquiredAttributes": [],
"userAssertionList": [],
"policyDecision": "obligation | deny",
"forwardApiKey": "string"
}Step-by-step Setup
- Load the profiling tag on page load with a unique
session_id. - Keep any submit or continue button disabled until
tmx_profiling_completefires. - Call
POST /slverifyfrom insidetmx_profiling_complete, passingAPSessionIDand your configured attribute. - Check
policyDecision: ifdeny, stop. Ifobligation, useforwardApiKeyas the API key for the next step.
Configuration Options — API-specific
Policy Components & Assertions
| Assertion | What it checks |
|---|---|
blacklist.device | Device matches a known bad actor blacklist |
blacklist.ofacIP | IP address matches OFAC sanctions list |
detect.browserAnomaly | Browser characteristics indicate automation or spoofing |
detect.vpn | Connection is routed through a VPN |
detect.tor | Connection is routed through the TOR network |
test.trustedDevice | Device matches a previously trusted device for this user |
test.gte3Credential1d | 3+ credentials attempted from this device in the last 24 hours (velocity) |
Error Handling & Troubleshooting
- Incomplete or unexpected risk scores: Most commonly caused by calling
/slverifybeforetmx_profiling_completefires. Ensure the call is made from inside the callback, not on a timer. - Unexpected denials for legitimate users: Review passive risk threshold settings with your ID Dataweb team. Corporate VPNs, shared IPs, or unusual network configurations can trigger false positives.
- TOR or flagged IP denials: Expected behavior — these are hard blocks by design.
- Velocity denials: A user who has exceeded attempt limits for a session or time window. Check your velocity policy configuration.
- OFAC denials: The session matched a sanctions list entry. These cannot be overridden programmatically.
Testing in Preproduction
Testing Options
- Gateway (Try Now): Open any workflow in the Admin Console — Session Risk runs as the first step automatically.
- API — Device profiling: Use the Device Profiling Postman Collection with the preproduction endpoint to test session ID generation and profiling tag behavior independently.
- API — Full flow: First
/slverifycall in any Postman preproduction collection.
Test Credentials and Values
| Scenario | Input | Expected Result |
|---|---|---|
| Standard session — proceed | Standard browser, clean network, US | obligation — proceed to next step |
| High risk — deny | TOR browser or flagged IP | deny — session blocked |
| Autosubmit | No user input (scope pre-set) | obligation — immediate, no UI shown |
Step-by-step How to Test
- Standard: Use a standard browser on a clean network. Select United States. Expect
obligationandforwardApiKeyfor the next step. - High risk (TOR): Use TOR browser. Expect immediate
deny. - International routing: Select a non-US/UK/CA country in an Identity Verification flow — expect routing to the document step-up path.
Interpreting Results
policyDecision = obligation — session is clear, forwardApiKey is available for the next step.
policyDecision = deny — session blocked by passive risk. Check acquiredAttributes for the risk signals that triggered the denial (IP reputation, bot score, velocity flag, OFAC match).
Related Resources
→ Identity Verification | → Continuous Re-Authentication | → PII Validation | → Device & Session Risk - LexisNexis Checker | → Gateway (OIDC) Integration
Updated 2 days ago