Documentation

FraudSense Developer Docs

Real-time device intelligence and fraud scoring for banks and fintechs. 44 signals, 4 combined patterns, plain English reasons. Integrate in 10 minutes.

On this page

Overview
Quick Start
Risk Signals
Combined Patterns
Response Format

What is FraudSense?

FraudSense is a device intelligence SDK and API that detects fraud at the device level — before transactions are processed. It runs silently inside your React Native app, evaluates 44 signals across 8 categories, and returns a calibrated risk score with confidence labels and plain English reasons.

Component	Description
SDK v1.2.0	React Native module — 44 signals across device, sensor, location, battery, network, security, behavior, and pattern categories
API	REST API that stores device history, enriches with server-side IP intelligence, and returns scored reports
Portal	Self-serve dashboard for API key management, usage monitoring, and client analytics

Signal categories

Category	Signals	What it detects
Device	9	Emulators, integrity failures, locale/timezone mismatches
Security	3	Root/jailbreak, proxy interception, emulator detection
Network	5	VPN, datacenter IPs, carrier country mismatch
Behavior	12	Bots, credential stuffing, paste attacks, superhuman speed
Sensor	5	No movement, no orientation change, extreme brightness
Location	3	GPS spoofing, low accuracy, permission denied
Battery	3	Always charging, no discharge cycle, device farms
Patterns	4	Combined automation, location hiding, credential stuffing, device farm

How it works

Flow

// 1. SDK initializes silently at app startup
// 2. 7 collectors run in background (device, sensor, location, battery, network, behavior, security)
// 3. At a transaction point, your app calls getReport()
// 4. RiskEngine evaluates 44 signals → computes score 0–100
// 5. stableScore averages last 3 reports to eliminate first-load spikes
// 6. Full report returned with confidence labels + plain English reasons

Your App → FraudSense SDK → RiskEngine → Score + Labels + Summary + Patterns

Base URL

https://api.getfraudsense.com

SDK + API

Quick Start

Get from zero to a working risk score in under 10 minutes.

Get your API key

Visit the developer portal → click "Get Free API Key". Your key is generated instantly and starts with fs_live_.

ℹ️

You get 1,000 free calls per month with no credit card required.

Install the SDK

bash

npm install fraudsense-sdk

bash — peer dependencies

npx expo install expo-battery expo-brightness expo-crypto expo-device \
  expo-location expo-network expo-screen-orientation \
  expo-secure-store expo-sensors

Initialize at app startup

JavaScript

import FraudSense from 'fraudsense-sdk';

await FraudSense.init({
  apiKey:        'fs_live_xxxx',
  endpoint:      'https://api.getfraudsense.com',
  collectGPS:    true,
  trustedRegion: 'AE',  // reduces expat false positives
  debug:         false,
});

Score a transaction

JavaScript

// At login, payment, or withdrawal
const report = await FraudSense.getReport();

// Use stableScore after 3+ reports (recommended)
const level = report.risk.isStable
  ? report.risk.stableLevel
  : report.risk.level;

if (level === 'CRITICAL') blockTransaction();
if (level === 'HIGH')     requireVerification();
if (level === 'MEDIUM')   requestOTP();
if (level === 'LOW')      allowTransaction();

// Plain English summary for your fraud team
console.log(report.risk.summary);

API

Authentication

FraudSense uses two authentication methods depending on the caller.

API Key — SDK and server-to-server calls

Pass your API key in the x-api-key header for all risk scoring and event endpoints.

HTTP Header

x-api-key: fs_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx

JWT Token — dashboard and management

Use a Bearer token in the Authorization header for account management endpoints.

HTTP Header

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Get a JWT token

curl -X POST https://api.getfraudsense.com/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"you@company.com","password":"yourpassword"}'

const res = await fetch('https://api.getfraudsense.com/v1/auth/login', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ email: 'you@company.com', password: 'yourpassword' }),
});
const { token } = await res.json();

SDK

SDK Installation

Requirements

Requirement	Version
React Native	0.73+
Expo SDK	54+
Node.js	v20+
iOS	15+
Android	API 21+

Install via npm

bash

npm install fraudsense-sdk

Install peer dependencies

bash

npx expo install expo-battery expo-brightness expo-crypto expo-device \
  expo-location expo-network expo-screen-orientation \
  expo-secure-store expo-sensors

Add permissions (iOS) — app.json

json

{
  "expo": {
    "plugins": [
      ["expo-location", {
        "locationWhenInUsePermission": "Used to verify transaction safety."
      }]
    ]
  }
}

SDK

Initialization

Call FraudSense.init() once at app startup — ideally on the splash screen before navigating to login.

JavaScript

import FraudSense from 'fraudsense-sdk';

await FraudSense.init({
  apiKey:        'fs_live_xxxx',                      // Required
  endpoint:      'https://api.getfraudsense.com',       // Required
  collectGPS:    true,                                 // Optional — default false
  trustedRegion: 'AE',                                 // Optional — ISO country code
  autoFlush:     true,                                 // Optional — default true
  flushInterval: 30000,                               // Optional — ms, default 30s
  debug:         false,                               // Optional — console logs
});

Configuration options

Option	Type	Default	Description
apiKey	string	—	Your FraudSense API key. Required.
endpoint	string	—	API base URL. Required.
collectGPS	boolean	false	Request location permission and collect GPS for spoofing detection.
trustedRegion	string	—	ISO country code (e.g. "AE"). Reduces false positives for expat-heavy markets where locale and timezone commonly mismatch.
autoFlush	boolean	true	Automatically send reports to backend on interval.
flushInterval	number	30000	Milliseconds between automatic flushes.
debug	boolean	false	Print SDK logs to console. Disable in production.

SDK

Behavior Hooks

Wire up these hooks in your components to collect behavioral signals. The more hooks you add, the more accurate the interactionScore becomes.

Tap recording

JSX

import BehaviorCollector from 'fraudsense-sdk/collectors/BehaviorCollector';

<TouchableOpacity
  onPress={(e) => {
    BehaviorCollector.recordTap(e.nativeEvent.locationX, e.nativeEvent.locationY);
    handleAction();
  }}
/>

Text change / paste detection

Paste detection works automatically via text length jump analysis — no onPaste prop needed.

JSX

<TextInput
  onChangeText={(text) => {
    BehaviorCollector.recordTextChange('email', text); // auto-detects paste
    setEmail(text);
  }}
/>

<TextInput
  onChangeText={(text) => {
    BehaviorCollector.recordTextChange('password', text);
    setPassword(text);
  }}
/>

Scroll recording

JSX

<ScrollView
  onScroll={(e) => BehaviorCollector.recordScroll(e.nativeEvent.contentOffset.y)}
  scrollEventThrottle={16}
>

Screen transition recording

JavaScript

useEffect(() => {
  BehaviorCollector.recordScreenTransition('PaymentScreen');
}, []);

💡

At minimum, add recordTextChange on login fields and recordTap on the submit button. This alone captures credential stuffing and bot patterns reliably.

SDK

SDK Methods

getReport()

Returns a full risk report for the current session. Use risk.stableScore and risk.stableLevel after 3+ reports for more accurate scoring.

JavaScript

const report = await FraudSense.getReport();

console.log(report.risk.stableScore);   // 0–100, averaged over last 3
console.log(report.risk.stableLevel);   // LOW / MEDIUM / HIGH / CRITICAL
console.log(report.risk.isStable);      // true after 3+ reports
console.log(report.risk.summary);       // plain English verdict
console.log(report.risk.triggered);     // array of fired signals with reasons
console.log(report.risk.patternsDetected); // number of combined patterns fired

getRiskScore()

Returns just the score and level. Lighter than getReport() if you only need the number.

JavaScript

const { score, level, triggered } = await FraudSense.getRiskScore();

getDeviceId()

Returns the stable SHA-256 device fingerprint. Persists via secure storage across sessions.

JavaScript

const deviceId = FraudSense.getDeviceId();
// Returns: "fs_a3f9b2c1d4e5..."

Other methods

Method	Description
`FraudSense.flush()`	Force-send pending report to backend immediately
`FraudSense.pause()`	Pause all collectors (e.g. when app goes to background)
`FraudSense.resume()`	Resume collectors after pause
`FraudSense.reset()`	Clear all local data, session state, and score history

SDK

Event Hooks

Subscribe to real-time events from the SDK using FraudSense.on(). Returns an unsubscribe function.

JavaScript

// Fires when SDK is initialized
FraudSense.on('ready', ({ deviceId, version }) => {
  console.log('SDK ready', deviceId);
});

// Fires after every getReport() call
FraudSense.on('report', (report) => {
  setRiskBadge(report.risk.stableLevel);
});

// Fires after every flush attempt
FraudSense.on('flush', ({ success, response }) => {
  if (!success) console.warn('Flush failed');
});

// Unsubscribe when component unmounts
const unsub = FraudSense.on('report', handler);
return () => unsub();

API

Auth Endpoints

POST

/v1/auth/register

Create a new client account. Returns JWT token + first API key.

POST

/v1/auth/login

GET

/v1/auth/me

Get current client profile. Requires Bearer token.

Register

{
  "email":       "you@company.com",
  "password":    "SecurePass1!",
  "companyName": "Acme Bank"
}

{
  "token":  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "apiKey": "fs_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "client": {
    "id":          "uuid...",
    "email":       "you@company.com",
    "companyName": "Acme Bank",
    "plan":        "free"
  }
}

API

Events Endpoint

The SDK automatically posts to this endpoint on every flush. You can also call it directly for server-side integrations.

POST

/v1/events/batch

Submit a device report batch. Called automatically by the SDK every 30 seconds.

ℹ️

Requires x-api-key header. When using the SDK, this endpoint is called automatically — you do not need to call it directly.

Request body

JSON

{
  "deviceId":    "fs_a3f9b2c1...",
  "sessionId":   "1744123456789",
  "deviceProfile": {
    "model":      "iPhone 17 Pro Max",
    "os":         "iOS",
    "timezone":   "Asia/Dubai",
    "locale":     "en-US",
    "isEmulator": false,
    "isRooted":   false
  },
  "events": [{
    "type":             "RISK_REPORT",
    "riskScore":        17,
    "riskLevel":        "LOW",
    "triggeredSignals": [],
    "fingerprint":      "fs_xyz...",
    "sdkVersion":       "1.2.0",
    "timestamp":        1744123456789
  }]
}

API

Device History

GET

/v1/risk/history/:deviceId

Returns the last 50 sessions and a history summary for a device.

cURL

curl https://api.getfraudsense.com/v1/risk/history/fs_abc123 \
  -H "x-api-key: fs_live_xxxx"

API

API Keys

GET

/v1/keys

List all API keys for your account. Requires Bearer token.

POST

/v1/keys

Generate a new API key. Body: {"name":"Production Key"}

DELETE

/v1/keys/:id

Revoke an API key by ID.

API

Dashboard

GET

/v1/dashboard/stats

Usage stats — total calls, calls this month, free calls remaining, estimated bill.

GET

/v1/dashboard/devices

List all devices seen by your account (last 50).

Reference

Risk Signal Catalogue

FraudSense v1.2.0 evaluates 44 signals per session across 8 categories. Each signal includes a confidence rating and plain English reason returned in the report.

ℹ️

Confidence levels: HIGH — almost never a false positive. MEDIUM — reliable but context-dependent. LOW — mild signal, contributes to score but not conclusive alone.

Device signals (9)

Signal	Confidence	Points	Reason
missing_device_name	MEDIUM	+8	Device model name could not be read. Common on emulators or modified devices.
outdated_os	MEDIUM	+6	Device running iOS < 15 or Android < 10. Older OS is more vulnerable to exploits.
not_real_device	HIGH	+20	Device is not a physical device. Strongly indicates an emulator or simulator.
device_integrity_fail	HIGH	variable	Hardware profile failed integrity checks. Model and OS combination appears inconsistent.
resolution_anomaly	MEDIUM	+12	Screen resolution does not match expected values for the reported device model.
font_scale_anomaly	MEDIUM	+8	Font scale is set to an unusual value. Automated tools often use non-standard display settings.
default_font_scale	LOW	+2	Font scale at factory default 1.0. Most real users adjust this over time.
locale_timezone_mismatch	LOW	+2–5	Device language does not match timezone. Common among expats but also seen on spoofed devices. Reduced to +2 when `trustedRegion` is set.
region_ip_mismatch	MEDIUM	+3–10	Device region setting does not match IP address country. May indicate VPN or location spoofing. Reduced to +3 when IP matches `trustedRegion`.

Security signals (3)

Signal	Confidence	Points	Reason
emulator_detected	HIGH	+15–25	Device shows strong signs of being an emulator or simulator. Score scales with confidence level.
rooted_or_jailbroken	HIGH	+25	Device appears to be rooted or jailbroken. Security controls may be bypassed.
proxy_active	HIGH	+15	HTTP proxy is active on this device. Traffic may be intercepted or manipulated.

Network signals (5)

Signal	Confidence	Points	Reason
vpn_detected	MEDIUM	+8–20	VPN or proxy network detected. Score scales with confidence (0–1). Legitimate users use VPNs too.
carrier_country_mismatch	HIGH	+10	SIM card country does not match IP address country. Strong indicator of VPN or location spoofing.
datacenter_ip	HIGH	+12	Request is coming from a datacenter or cloud server IP. Indicates automated or server-side activity.
ip_lookup_blocked	LOW	+3	IP geolocation lookup failed while connected. May indicate network filtering or proxy.
no_connection	LOW	+3	Device has no internet connection. Score may be incomplete.

Behavior signals (12)

Signal	Confidence	Points	Reason
bot_like_behavior	HIGH	+25	Interaction patterns highly consistent with automated bot activity. interactionScore < 20.
suspicious_behavior	MEDIUM	+12	Interaction patterns show some signs of automated behavior. interactionScore 20–40.
human_behavior_confirmed	MEDIUM	-5	Trust signal. Interaction patterns consistent with a real human. interactionScore >= 70.
superhuman_tap_speed	HIGH	+15	Taps occurring faster than humanly possible (< 100ms apart). Strong indicator of automated input.
low_tap_entropy	MEDIUM	+10	All taps hitting the same screen location. Bots typically tap the exact same pixel.
screen_transition_too_fast	HIGH	+15	Screens changing faster than a human can read them (< 500ms per screen). Indicates scripted navigation.
session_too_short	MEDIUM	+10	Entire session completed in under 5 seconds. Too fast for normal human interaction.
paste_on_login_fields	MEDIUM	+15	Email or password was pasted rather than typed. Common pattern in credential stuffing attacks.
multi_field_paste	MEDIUM	+10	Multiple fields filled via paste. Automated tools often paste pre-filled credentials.
paste_on_payment_field	LOW	+8	Payment amount or note was pasted. Could be normal behaviour or automated transaction.
excessive_paste	MEDIUM	+10	Unusually high number of paste events detected (3+) across the session.
default_font_scale_on_emulator	HIGH	+5	Default font scale combined with emulator signals. Consistent with automated test environments.

Sensor signals (5)

Signal	Confidence	Points	Reason
no_accelerometer_data	HIGH	+10	No accelerometer data collected. Real devices always have motion sensors active.
zero_device_movement	MEDIUM	+8	Device showed no physical movement. Bots and emulators typically show zero motion.
minimal_device_movement	LOW	+4	Very low physical movement detected. Device may be stationary or automated.
no_orientation_change	LOW	+5	Screen was never rotated during the session. Could indicate automated or scripted usage.
extreme_brightness	LOW	+5	Screen brightness locked at 0% or 100%. Automated tools often ignore display settings.

Location signals (3)

Signal	Confidence	Points	Reason
location_denied	LOW	+5	Location permission was denied. Reduces available trust signals.
low_location_accuracy	LOW	+5	GPS accuracy is very low (> 500m). Could indicate indoor use or spoofing.
gps_spoofing_detected	HIGH	+25	Device moved at an impossible speed between GPS readings (> 900 km/h). Strong GPS spoofing indicator.

Battery signals (3)

Signal	Confidence	Points	Reason
critically_low_battery	LOW	+4	Battery below 5%. Unusual for a device actively making transactions.
always_charging	MEDIUM	+8	Device is always plugged in. Common in device farms running automated scripts.
no_battery_cycle	MEDIUM	+5	No charge/discharge cycle detected after 20+ readings. Device may be permanently connected to power.

Reference

Combined Pattern Detection

Beyond individual signals, FraudSense detects 4 combined attack patterns. Patterns fire when multiple correlated signals appear together — they carry extra weight because combinations are far more reliable than single signals.

Pattern	Confidence	Points	Triggers when
automation_pattern	HIGH	+10	2+ of: `zero_device_movement`, `minimal_device_movement`, `session_too_short`, `no_accelerometer_data`
location_hiding_pattern	HIGH	+12	2+ of: `vpn_detected`, `locale_timezone_mismatch`, `region_ip_mismatch`, `carrier_country_mismatch`
credential_stuffing_pattern	HIGH	+15	2+ of: `paste_on_login_fields`, `multi_field_paste`, `bot_like_behavior`, `suspicious_behavior`
device_farm_pattern	MEDIUM	+12	2+ of: `always_charging`, `no_battery_cycle`, `zero_device_movement`, `no_orientation_change`

💡

A device that triggers credential_stuffing_pattern should always result in at least a step-up authentication challenge regardless of the total score. The pattern alone is a strong fraud indicator.

Reference

Risk Labels

High-level labels explain why a device scored HIGH — more actionable than a raw score alone. Returned in risk.byCategory and the risk.summary field.

Category	Signals involved	Recommended action
Fake device	emulator_detected, not_real_device, device_integrity_fail	Block immediately
Tampered device	rooted_or_jailbroken, proxy_active	Block or require biometric
Location spoofing	gps_spoofing_detected, location_hiding_pattern	Block on payment/withdrawal
Device farm	device_farm_pattern, always_charging, no_battery_cycle	Flag account for review
Bot behavior	bot_like_behavior, automation_pattern, superhuman_tap_speed	Require CAPTCHA or OTP
Credential stuffing	credential_stuffing_pattern, paste_on_login_fields	Force password reset
Suspicious network	vpn_detected, datacenter_ip, carrier_country_mismatch	Step-up on financial actions
Identity mismatch	locale_timezone_mismatch, region_ip_mismatch	Monitor — low confidence alone

Reference

Response Format

Risk levels

Score	Level	Recommendation
0 – 24	LOW	Allow — proceed normally
25 – 49	MEDIUM	Step-up — request OTP or biometric
50 – 74	HIGH	Block — require manual review
75 – 100	CRITICAL	Block and flag — escalate immediately

Risk object schema (v1.2.0)

Field	Type	Description
score	integer	Raw composite risk score 0–100
level	string	LOW / MEDIUM / HIGH / CRITICAL based on raw score
stableScore	integer	Average of last 3 scores — smooths first-load spikes
stableLevel	string	Level based on stableScore — use this for decisions
isStable	boolean	True after 3+ reports have been generated
summary	string	Plain English verdict for fraud teams
triggered	array	All fired signals with signal name, points, confidence, and reason
byCategory	object	Triggered signals grouped by category
signalCount	integer	Total number of signals that fired
highConfidenceSignals	integer	Number of HIGH confidence signals that fired
patternsDetected	integer	Number of combined patterns that fired
version	string	RiskEngine version used for scoring

Triggered signal object

Field	Type	Description
signal	string	Signal identifier e.g. "paste_on_login_fields"
points	integer	Points added to score (negative = trust signal)
category	string	device / sensor / location / battery / network / security / behavior / pattern
confidence	string	HIGH / MEDIUM / LOW
reason	string	Plain English explanation for fraud teams
detail	string	Optional technical detail e.g. "locale:en-US tz:Asia/Dubai"

Reference

IP Intelligence

Collected automatically via ipapi.co on every session. No extra configuration needed.

Field	Type	Description
ip	string	Client IP address
ipCountry	string	ISO country code (e.g. AE, SA)
ipCity	string	City name
ipOrg	string	ISP or organization name
ipIsDatacenter	boolean	True if IP belongs to a cloud/datacenter provider
isVPN	boolean	True if VPN confidence >= 0.35
vpnConfidence	number	0.0–1.0 VPN likelihood score
carrierCountryMismatch	boolean	True if SIM country differs from IP country

Reference

Device History

Every device that calls the API gets a persistent history record. Accessible via /v1/risk/history/:deviceId.

Field	Type	Description
totalSessions	integer	Total number of sessions for this device
highRiskCount	integer	Sessions scored HIGH or CRITICAL
firstSeenAt	string	When this device was first seen
lastSeenAt	string	Most recent session timestamp
isNewDevice	boolean	True if this is the first session for this device

API

Status Codes

Code	Meaning	Action
200	Success	Process the response normally
400	Bad request	Check required fields — deviceId and sessionId are always required
401	Unauthorized	Check your API key — must be in x-api-key header
403	Forbidden	Account suspended — contact support
404	Not found	Check the endpoint URL
429	Rate limited	Slow down requests — max 1,000/15 min
500	Server error	Retry after a short delay

Reference

Changelog

SDK v1.2.0 — April 2026

Signal count expanded from 18 to 44 signals across 8 categories
Added SecurityCollector — emulator detection with confidence score, root/jailbreak heuristics, proxy detection
Added 4 combined pattern detectors — automation, location hiding, credential stuffing, device farm
Added confidence labels (HIGH/MEDIUM/LOW) and plain English reasons per signal
Added stableScore — averages last 3 reports to eliminate first-load spikes
Added trustedRegion config — reduces expat false positives for UAE and MENA markets
Added summary field — plain English verdict for fraud teams
Added byCategory — signals grouped by category for easier client integration
Added paste detection via text length jump analysis (no onPaste prop required)
Added device integrity scoring — model vs OS cross-validation
Added locale vs timezone mismatch signal
Added region vs IP country mismatch signal
Improved VPN detection — confidence score 0–1 instead of boolean, cross-checks carrier country vs IP country
Improved NetworkCollector — live IP intelligence via ipapi.co (country, city, org, datacenter flag)
Fixed battery level comparison (was checking 0–1 float, now correctly checks 0–100 integer)
Fixed all collector export issues — added collect() method to SensorCollector, BatteryCollector, LocationCollector
Fixed locale/timezone collection via getLocales()/getCalendars() for newer Expo versions

SDK v1.1.0 — April 2026

Initial public release on npm as fraudsense-sdk
6 collectors: Device, Sensor, Location, Battery, Network, Behavior
18 signals in RiskEngine
SHA-256 device fingerprinting via expo-secure-store
Singleton pattern throughout SDK

API v1.0.0 — March 2026

Initial launch at api.getfraudsense.com
JWT authentication, email verification, API key management
Free tier — 1,000 calls/month
Admin panel with suspend/activate/email/usage controls
AI chatbot (Claude Haiku) for developer support
/demo interactive fraud scenarios
Railway deployment with PostgreSQL and Prisma

Support

💬

We respond within 24 hours on business days. For enterprise clients, dedicated support is included.

Contact

Email: support@getfraudsense.com

GitHub Issues: github.com/getfraudsense/fraudsense-api

Before reaching out

Check the Status Codes section for common errors
Verify your API key is active in the developer portal
Make sure deviceId and sessionId are included in every request
For SDK issues, enable debug: true and check console logs
Use the AI chatbot on the portal for instant answers