Welcome to the Ravelin API. Our mission for the API is to make it predictable, easy to understand and painless to integrate with. If there is anything you feel we can do to improve our API, make it easier to understand, or if you encounter any bugs or unexpected behaviour, please email api@ravelin.com and a Ravelin developer will get back to you as soon as possible.
There are 3 key parts to a Ravelin integration:
We highly recommend completing all three parts to get the best from Ravelin.
Events are sent to Ravelin as JSON objects to a POST endpoint over HTTPS:
https://api.ravelin.com/v2/...
All API endpoints require an Authorization header with the API key.
Ravelin uses API keys to allow access to the API. The API key can be found under the Settings menu in the dashboard. You can register a new Ravelin API key by contacting your account manager. Ravelin expects the API key to be included in the authorization header for all API requests:
# Using curl, pass the authentication header with each request
curl "https://api.ravelin.com/v2/auth/checktoken" \
-H "Authorization: token sk_live_XXXXXXXX"Make sure to replace sk_live_XXXXXXXX with your API key.
When submitting a JSON request, make sure to include the JSON mime-type:
Content-Type: application/json; charset=utf-8
To create or update entities on Ravelin, send a POST request with a JSON body to one of the endpoints described below.
These fields are present the top-level of every event:
| Parameter | Type | Description |
|---|---|---|
| timestamp | integer | The unix timestamp, in seconds, of when the event occurred |
POST /v2/checkout HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1429029735,
"customer": {
"customerId": "61283761287361",
"familyName": "Twain",
"givenName": "Mark",
"email": "marktwain@gmail.com",
"registrationTime": 1429029731
},
"order": {
"orderId": "hXyUc5ef2zhOrdqmRiC",
"price": 4675,
"currency": "GBP",
"creationTime": 1429029735,
"items": [
{
"sku": "3726-8",
"name": "Women's Arch Sweater M 55",
"price": 1990,
"currency": "GBP",
"quantity": 2
},
{
"sku": "3731-4",
"name": "Women's Yellow Tee M 54",
"price": 695,
"currency": "GBP",
"quantity": 1
}
],
"status": {
"stage": "fulfilled"
}
},
"paymentMethod": {
"paymentMethodId": "783917",
"instrumentId": "card_16nWlGHD2LFseSsHaUp9kIW2",
"registrationTime": 1429029735,
"nickName": "MasterCard **** 4242",
"methodType": "card",
"cardBin": "123456",
"cardLastFour": "4242",
"cardType": "mastercard",
"expiryMonth": 6,
"expiryYear": 2019,
"lastVerified": 1444166299,
"successfulRegistration": true,
"prepaidCard": false,
"countryIssued": "GBR"
},
"transaction": {
"transactionId": "f61f8594e06459fa046707c36159bb35",
"email": "james.tate@gmail.com",
"amount": 4675,
"currency": "GBP",
"type": "capture"
}
}The simplest, most reliable way to integrate Ravelin into your checkout flow is using our
checkout event endpoint. A single v2/checkout submission contains all customer, order, payment method and transaction information for a single payment attempt, and should be sent to Ravelin at the exact moment your customer attempts to complete their purchase. Having access to all of this information at once is not always possible in some systems, so we also support sending these entities individually using our other endpoints, but use of the checkout endpoint decreases the likelihood of pesky race-conditions and of overlooking parts of the payment journey.
| Parameter | Type | Value |
|---|---|---|
| timestamp | integer | The unix timestamp, in seconds, of when the event occurred |
| customer | customer |
The customer performing the checkout. If the information about this
customer was already sent to Ravelin previously, only filling the
customerId field of this object will suffice.
|
| customerId | string |
If this is not a new customer performing the check-out, and the customer
is already known with Ravelin, set the customerId field
instead of the customer object (mutually exclusive).
|
| order | order | The order under checkout. |
| paymentMethod | payment method | Payment method used for this checkout |
| paymentMethodId | string |
If a payment method was already added for this user in a previous event,
it can be referenced here. Mutually exclusive with the
paymentMethod field.
|
| transaction | transaction | (Attempted) transaction associated with this checkout |
| device | device | Information about the device used by this customer |
| voucherRedemption | voucherRedemption | Information about the voucher redeemed with this checkout |
For information about the individual fields required for each of these entities, please refer to the documentation for their individual endpoints; their contents are identical.
POST /v2/chargeback HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1429031911,
"chargeback": {
"chargebackId": "dp_15RsQX2eZvKYlo2C0MFNUWJC",
"gateway": "stripe",
"gatewayReference": "ch_15RsQR2eZvKYlo2CA8IfzCX0",
"reason": "general",
"status": "lost",
"amount": 195,
"currency": "USD",
"disputeTime": 1422915137,
"liabilityShifted": true,
"nonFraud": false
}
}| Parameter | Type | Description |
|---|---|---|
| timestamp | integer | The unix timestamp, in seconds, of when the event occurred. |
| chargeback | chargeback | Details of the chargeback. |
A chargeback happens when a customer disputes a payment on their credit card account. Communicate this event to Ravelin using the chargeback endpoint. This is a mandatory component of all integrations; our ability to predict fraud comes from our understanding of previous examples of fraudulent behaviour.
Most PSPs will associate two IDs with every chargeback: a unique identifier for
the chargeback itself, and the identifier for the original transaction that is
being disputed. It is the latter that must be sent in the gatewayReference
field, and it must correspond to a previously sent transaction.
For PSPs that associate chargebacks via the Merchant transaction ID, such as Computop, the transactionId can be specified in lieu of the gatewayReference.
If no transaction with a matching gatewayReference or transactionId is found, this chargeback
is ignored.
| Parameter | Type | Description |
|---|---|---|
| chargebackId | string | A unique identifier for this chargeback. Can be the same as the PSP ID. (required) |
| gateway | string | The name of the payment gateway. (required) |
| gatewayReference | string | Transaction Reference of the original transaction, not the chargeback. Provided by the payment gateway. (required unless providing transactionId) |
| transactionId | string | Transaction Id of the original transaction, not the chargeback. (required unless providing gatewayReference) |
| reason | string | The reason code from the chargeback |
| status | string | Status of the dispute, see the table below |
| amount | integer | The amount that is being disputed, in the lowest denomination of the currency. |
| currency | string | The ISO 4217 currency code. |
| disputeTime | integer | The time the dispute was opened, in unix time. |
| liabilityShifted | boolean | Whether liability for this chargeback has been shifted to a third-party. |
| nonFraud | boolean | Whether this chargeback was claimed for reasons other than fraud. |
| custom | object |
If you have any data about this chargeback that does not fit in one of
the above fields, please specify it in the custom object.
|
Valid chargeback status strings:
| Status | Description |
|---|---|
| OPEN | No action has been taken yet. |
| ACCEPTED | You have opted out of providing evidence for the chargeback or pre-arb. |
| DISPUTED | You have submitted evidence against the claim and are waiting for the decision from the bank. |
| WON | The bank has ruled in your favor, and the funds are scheduled to return to your account. |
| LOST | The bank has not ruled in your favor, and the funds will remain with the cardholder. |
| EXPIRED | The date to submit evidence has passed and you have forfeited your right to dispute the case. |
If your system lends itself more to sending individual entities as they become available, you can use the individual entity endpoints detailed below.
POST /v2/customer HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1429029735,
"customer": {
"customerId": "61283761287361",
"registrationTime": 1429029731,
"familyName": "Twain",
"givenName": "Mark",
"email": "marktwain@gmail.com",
"location": {
"street1": "James St",
"city": "Darwen",
"region": "Blackburn with Darwen",
"postalCode": "BB3 1AS",
"country": "GBR",
"latitude": 53.697471,
"longitude": -2.470891
},
"custom": {
"newsletter": false,
"invitedBy": "7198737117"
}
}
}When a customer registers, or changes their profile, send their info to the customer endpoint. Creating a new customer and updating an existing customer is the same operation; a POST to this endpoint is an upsert.
All customer data, except the customerId, is optional.
| Parameter | Type | Description |
|---|---|---|
| timestamp | integer | The unix timestamp, in seconds, of when the event occurred. |
| customer | customer | The customer to create or update. |
| device | device | Information about the device used by this customer (optional). |
| deviceId | string | Previously submitted id for device used by this customer (exclusive with device). |
Customers are your users, the central entity that all Ravelin fraud detection revolves around.
All fields except customerId are optional, but the more information, the
better. If you send the customerId field it will be considered an update.
Therefore a new property will overwrite any previously received property for this customer.
| Parameter | Type | Description |
|---|---|---|
| customerId | string | The unique identifier of this customer in your system. |
| registrationTime | integer | When the customer registered, in unix time (seconds) |
| name | string | The full name of the customer. |
| givenName | string | The given name of the customer - often the first name of a customer. |
| familyName | string | The family name of the customer - often the last name of a customer. |
| string | The primary email of the customer. | |
| emailVerifiedTime | integer | The unix timestamp when the customer's email was verified. |
| telephone | string | The telephone number of the customer, including international code. |
| telephoneVerifiedTime | integer | The unix timestamp when the customer's telephone was verified. |
| telephoneCountry | string | The country this phone number is registered in. |
| location | location | Where this customer was last seen |
| country | country | The home country for this customer; ISO 3166 (2- or 3-letter). This, together with the market and marketCity fields, makes up the full description of the market for the customer. (deprecated - see markets for more information)
|
| market | string |
The logical place in which this customer exists.
The default market is the empty string.
Must be lowercase and alphanumeric (i.e. must match ^[a-z0-9]*$). This, together with the country and marketCity fields, makes up the full description of the market for the customer. (deprecated - see markets for more information)
|
| marketCity | string |
Used in conjunction with market and country to fully describe the market for this customer.
The default marketCity is the empty string.
Must be lowercase and alphanumeric (i.e. must match ^[a-z0-9]*$). (deprecated - see markets for more information)
|
| custom | object |
If you have any data about this customer that does not fit in one of the
above fields, please specify it in the custom object.
|
Data in the custom field is not initially mapped to our internal properties,
but we do periodically check if there are any fraud signals that we can use to
improve the scoring. If so, we retroactively extract the data from all previous
events that specified it, without requiring you to send it again.
Use the custom field for anything you might want to tell us about a customer
which you think could contribute to determining whether or not it’s a fraudulent
account. If you are in any doubt as whether to send a field to Ravelin, you
should send it.
Locations are time-series data: every time you attach a location to a customer, we will record it separately, instead of overwriting the previous location.
You can send Ravelin data with street addresses, and we will reverse geocode to obtain the latitude and longitude, or vice versa. If you have both, then that’s fab.
| Parameter | Type | Description |
|---|---|---|
| street1 | string | First line of the street address. |
| street2 | string | Second line of the street address. |
| neighbourhood | string | The neighbourhood of the location. |
| zone | string | The zone of the location. |
| city | string | The city/village/town of the location. |
| region | string | The state/county of the location. |
| country | string | The ISO 3166 country code (2- or 3-letter). |
| poBoxNumber | string | The PO box number, if applicable. |
| postalCode | string | The postal or zip code, if applicable. |
| latitude | double | The latitude of the location. |
| longitude | double | The longitude of the location. |
| custom | object |
If you have any data about this location that does not fit in one of the
above fields, please specify it in the custom object.
|
POST /v2/order HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1429029735,
"customerId": "61283761287361",
"order": {
"orderId": "hXyUc5ef2zhOrdqmRiC",
"price": 4675,
"currency": "GBP",
"market": "europe",
"country": "GBR",
"marketCity": "london",
"items": [
{
"sku": "3726-8",
"name": "Women's Arch Sweater M 55",
"price": 1990,
"currency": "GBP",
"quantity": 2
},
{
"sku": "3731-4",
"name": "Women's Yellow Tee M 54",
"price": 695,
"currency": "GBP",
"quantity": 1
}
],
"from": {
"street1": "19 Gosport Walk",
"postalCode": "N17 9QD",
"region": "London",
"country": "GBR"
},
"to": {
"street1": "73 Braganza St",
"postalCode": "SE17 3RD",
"region": "London",
"country": "GBR"
},
"creationTime": 1429029730,
"executionTime": 1429029732,
"status": {
"stage": "pending",
"actor": "buyer"
}
}
}When an order is started, or new information becomes available (e.g. the price changes), send an order event.
| Parameter | Type | Value |
|---|---|---|
| timestamp | integer | The unix timestamp, in seconds, of when the event occurred |
| customerId | string | Customer performing this order |
| tempCustomerId | string | A session ID, if the customer has not logged in yet |
| order | order | The order to update. |
| device | device | Information about the device used by this customer (optional) |
| deviceId | string |
If the device used by the customer was already sent in a previous event, its
deviceId can be sent here instead of a full device object. Optional, and
mutually exclusive with the device field.
|
An order is an intent to purchase a good or service from your business by a customer.
| Parameter | Type | Description |
|---|---|---|
| orderId | string | A unique identifier for the order. |
| string | A contact email for the customer placing this order. | |
| price | integer | The price of the purchase in the lowest denomination of the currency. |
| currency | string | The ISO 4217 currency code. |
| sellerId | string | The unique identifier of the seller/counterparty in the transaction, if not your business. E.g. an ID of a driver when a customer is ordering a car, or the ID of a restaurant when a customer is ordering food. |
| from | location | The "start" location of the order |
| to | location | The "end" location of the order |
| country | country | The country for the order; ISO 3166 (2- or 3-letter). This, together with the market and marketCity fields, makes up the full description of the market for the order. See markets for more information.
|
| market | string |
The logical place in which this order occurs.
The default market is the empty string.
Must be lowercase and alphanumeric (i.e. must match ^[a-z0-9]*$). This, together with the country and marketCity fields, makes up the full description of the market for the order. See markets for more information.
|
| marketCity | string |
Used in conjunction with market and country to fully describe the market for this order.
The default marketCity is the empty string.
Must be lowercase and alphanumeric (i.e. must match ^[a-z0-9]*$). See markets for more information.
|
| creationTime | integer | The unix timestamp, in seconds, of when the order was created. |
| executionTime | integer | The unix timestamp, in seconds, of when the order was executed. Specifically; when this order was to be used or obtained by the customer. For example; with taxis, you may prebook - this is the time the prebook is for. With tickets, this may be the time of the event. |
| note | string | Descriptive text relating to the contents or nature of the order being completed. Limited to 4000 characters. |
| items | [item] | Items registered with this order. Set to the empty array to empty the cart, do not specify at all if no information is available. |
| status | status | The most recent status of the order. |
| custom | object |
If you have any data about this order that does not fit in one of the
above fields, please specify it in the custom object.
|
Order statuses specify the current status of the order.
| Parameter | Type | Description |
|---|---|---|
| stage | string |
The most recent status of the order. Valid values:
pending, accepted, failed, cancelled, fulfilled, refunded.
|
| reason | string |
Status reason provides context to the order status. Valid values depend on the stage and are given in the table below.
|
| actor | string |
Status actor is the entity that caused the latest order status. You can use this string to provide additional information to your Ravelin dashboard users e.g. customerId123, order-cancelling-service, customerservice@company.com
|
Valid reasons for different order status stages:
stage |
Valid reason values |
|---|---|
| pending | None – omit reason field. |
| accepted | None – omit reason field. |
| failed |
payment_declined,
seller_rejected,
system_error
|
| cancelled |
buyer,
seller,
merchant,
ravelin
|
| fulfilled | None – omit reason field. |
| refunded |
returned,
complaint
|
Items describe the elements that make up an order, like the different items in a shopping basket, or a single taxi ride. An item is always unique across orders, even if it represents the same underlying thing you can buy. That is inferred through equal SKU’s.
This means two orders can have an item with the same SKU, but different prices or names, without any problems.
Item arrays are atomic blocks: to update one item in the basket, the entire basket must be resubmitted.
To add a new item: send the entire new items array with the extra item. To
remove an item from a basket: resend the new items array, without that item.
| Parameter | Type | Description |
|---|---|---|
| sku | string | A merchant specific identifier for an item or a service. |
| name | string | The name of the product that is being purchased. |
| price | integer | The price of the single item, if many bought, in the lowest denomination of the currency: e.g. cents for US dollars, pence for GB pound. |
| currency | string | The ISO 4217 currency code. |
| brand | string | The name of the brand that the item is from. |
| upc | string | The name of the Universal Item Code. |
| category | string | The highest level category that this item is sold in. |
| quantity | integer | The number of times this item is represented in the basket. 0 to remove. |
| eventTicket | eventTicket | If the item being purchased is a ticket for an event, associate the ticket and event information here.. |
| custom | object |
If you have any data about this item that does not fit in one of the
above fields, please specify it in the custom object.
|
An Event Ticket is an object that can be used to add addition item information for ticketed events such as sporting events, tourist attractions, music concerts or guided tours.
| Parameter | Type | Description |
|---|---|---|
| ticket | ticket | The ticket information for this event. |
| event | event | The event the ticket is granting access to. This could be a access to an event, an attraction, or any other activity the customer is purchasing a ticket to attend. |
| guest | guest | The individual who will be attending the event. |
A ticket refer to the access that has been purchased to attend an event. It includes information about the type of ticket that was sold, the dates the ticket is valid between and whether or not this ticket is refundable or not.
| Parameter | Type | Description |
|---|---|---|
| ticketId | string | A unique identifier for this ticket. |
| ticketType | string | A short human-readable description of the type of ticket. |
| validFromTime | integer | Timestamp at which this ticket is valid from (unix time). |
| validUntilTime | integer | Timestamp at which this ticket is valid until (unix time). |
| refundable | boolean | Whether this ticket is refundable or not. |
An event contains the information about a paid customer experience, such as a one off event like a music concert or tech conference, or it might refer to access to a recurring event such as a theme park or tourist attraction.
| Parameter | Type | Description |
|---|---|---|
| eventId | string | A unique identifier for this event. |
| name | string | The name of the event. |
| description | string | A short description of the event. |
| startTime | integer | Timestamp at which event is scheduled to start (unix time). If the event is ongoing/recurring, you can use the ticket time here. |
| endTime | integer | Timestamp at which event is scheduled to end (unix time). If the event is ongoing/recurring, you can use the ticket time here. |
| category | string | The category that best described the type of event. One of:
adventure
attraction
conference
convention
culinary
business
family
festival
health
live show
music
party
social
sport
other
|
| venue | venue | The location the event will take place. |
A venue is a location at which an event is set to occur at.
| Parameter | Type | Description |
|---|---|---|
| name | string | Name of the venue. |
| location | location | Location of the venue. |
A guest contains information for an individual who may not necessarily be the customer. In a scenario a ticket has been purchased on behalf of another individual, or when a ticket requires the names of those who will be in attendance to be specified, you can use the guest property to send this information to Ravelin.
| Parameter | Type | Description |
|---|---|---|
| givenName | string | The named guest's given name. |
| familyName | string | The named guest's family name. |
| name | string | The named guest's full name. |
| purchaser | boolean | Whether this guest is the individual who is purchasing the tickets. |
POST /v2/paymentmethod HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1429029735,
"customerId": "61283761287361",
"paymentMethod": {
"paymentMethodId": "783917",
"instrumentId": "card_16nWlGHD2LFseSsHaUp9kIW2",
"registrationTime": 1429029735,
"methodType": "card",
"cardBin": "123456",
"cardLastFour": "4242",
"cardType": "mastercard",
"expiryMonth": 6,
"expiryYear": 2019,
"lastVerified": 1444166299,
"successfulRegistration": true,
"countryIssued": "GBR",
"billingAddress":{
"street1": "73 Braganza St",
"postalCode": "SE17 3RD",
"region": "London",
"country": "GBR"
}
}
}A customer registers a payment method. Whether successful or not, this information is important.
| Parameter | Type | Value |
|---|---|---|
| timestamp | integer | The unix timestamp, in seconds, of when the event occurred |
| customerId | string | customer this payment method belongs to |
| tempCustomerId | string | a session ID, if the customer has not logged in yet |
| paymentMethod | payment method | The payment method to create/update |
| device | device | Information about the device used by this customer (optional) |
| deviceId | string |
If the device used by the user was already sent in a previous event, its
deviceId can be sent here instead of a full device object. Optional, and
mutually exclusive with the device field.
|
Most of this information is provided by payment service providers after tokenization of a card.
Note for Stripe customers: after tokenization, Stripe does not provide the BIN number (first six digits). This number contains important information about the bank (not the account), so if there is a way to obtain this directly from the user input, before tokenizing the card, please send it along with the rest of the post-tokenization Stripe response.
PCI certification is not required for handling of the BIN number or the last four digits of a payment card.
A payment method is a way that a customer has registered or used to pay your
business. It could appear in multiple forms: card, cash, bitcoin,
voucher, etc.
Please do not send the the CVV code on the card. The first six digits (the BIN) and the last four are fine. If you wish to send us raw card numbers please use Client-side Card Encryption.
| Parameter | Type | Description |
|---|---|---|
| paymentMethodId | string | A unique identifier for this payment method. (required) |
| methodType | string | The type of payment method. Valid values: card, voucher, bitcoin, cash, transfer, paypal, credit, fromTransaction. (required) |
| billingAddress | location | The billing address for this card |
| registrationTime | integer | When the payment method was added by the customer, in unix time (seconds). Note: this is not the same as the card start date. |
| custom | object |
If you have any data about this payment method that does not fit in one
of the above fields, please specify it in the custom object.
Especially any data received from the PSP is welcome here.
|
These fields exist on the payment method entity only when the methodType is
card.
| Parameter | Type | Description |
|---|---|---|
| instrumentId | string | Unique identifier for this card, consistent across users (e.g. Stripe's fingerprint, or Braintree's unique_number_identifier) |
| nameOnCard | string | Name to which the card is registered (as printed on the card) |
| cardBin | string | The BIN (leading six digits) of the card. Not always available, but strongly recommended when it is. |
| cardLastFour | string | The last four digits of the card |
| cardType | string | The scheme of the card: visa, amex, etc. |
| expiryMonth | integer | The expiry month as MM. |
| expiryYear | integer | The expiry year as YYYY. |
| successfulRegistration | boolean | Whether the payment method was successfully registered with the PSP (e.g. passed verification) |
| issuer | string | The issuer of the payment method: e.g. barclaycard |
| countryIssued | string | The ISO 3166 country code (2- or 3-letter). |
| eWallet | string | The e-Wallet to which the customer associated the card. Valid values: applepay, googlepay, samsungpay |
Most of this information is provided by payment service providers after tokenization of a card.
Note for Stripe customers: after tokenization, Stripe does not provide the BIN number (first six digits). This number contains important information about the bank (not the account), so if there is a way to obtain this directly from the user input, before tokenizing the card, please send it along with the rest of the post-tokenization Stripe response.
PCI certification is not required for handling of the BIN number or the last four digits of a payment card.
These fields exist on the payment method entity only when the methodType is
paypal.
| Parameter | Type | Description |
|---|---|---|
| string | PayPal account ID (required) |
When the payment method details have been encrypted using a Ravelin SDK, the following fields exist on the
payment method, corresponding to the method type paymentMethodCipher. All of these fields are required, and all will be provided by the Ravelin SDK; no modifications are required before submission.
| Parameter | Type | Description |
|---|---|---|
| cardCiphertext | string | Encrypted card details as provided by a Ravelin SDK (required) |
| aesKeyCiphertext | string | Encrypted AES key ciphertext as provided by a Ravelin SDK (required) |
| algorithm | string | Details of the encryption primatives used to encrypt the card details (required) |
| ravelinSDKVersion | string | Details of Ravelin SDK version that was used to encrypt the card details (required) |
| keyIndex | string | Version number of the public RSA key that was used during encryption (required) |
For an example of a complete request containing encrypted card details, please reference our Client-side Encryption example here.
When the paymentMethodId of the payment method you have sent to Ravelin is unknown to your system – perhaps because you omitted the paymentMethodId when using Client-Side Encryption, then you may opt to refer back to a payment method via a transaction which used it.
For example, if a customer has successfully gone through the fraud check:
POST /v2/checkout HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1536577389238679409,
"customerId": "cust-123",
"order": {"orderId": "ord-123"},
"transaction": {
"transactionId": "tx-123",
"amount": 123
},
"paymentMethod": {
"methodType": "paymentMethodCipher",
"cardCiphertext": "...",
"aesKeyCiphertext": "...",
"algorithm": "RSA_WITH_AES_256_GCM",
"ravelinjsVersion": "0.0.9"
}
}… and completed their order successfully:
POST /v2/checkout HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1536577500948371039,
"customerId": "cust-123",
"order": {"orderId": "ord-123", "status": {"stage": "fulfilled"}},
"transaction": {
"transactionId": "tx-123",
"success": true,
"amount": 123
}
}If the customer thens opts to save the payment method to their account, you can
let Ravelin know its identifier in your system so that you can refer back to it
in future using only, for example, "paymentMethodId": "pm-123" by:
POST /v2/paymentmethod HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1536578369411033583,
"customerId": "cust-123",
"paymentMethod": {
"paymentMethodId": "pm-123",
"methodType": "fromTransaction",
"transactionId": "tx-123"
}
}These fields exist on the payment method entity only when the methodType is
fromTransaction. Either transactionId or both gateway and
gatewayReference are required.
| Parameter | Type | Description |
|---|---|---|
| transactionId | string | The ID of the transaction to save the payment method from. |
| gateway | string | The gateway of the transaction to save the payment method from. |
| gatewayReference | string | The gatewayReference transaction to save the payment method from. |
POST /v2/pretransaction HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1429029735,
"customerId": "61283761287361",
"paymentMethodId": "783917",
"orderId": "n1QSYK0ceGNZqU28ien3",
"transaction": {
"transactionId": "f61f8594e06459fa046707c36159bb35",
"amount": 4675,
"currency": "GBP",
"type": "auth_capture",
"gateway": "stripe",
"3ds": {
"attempted": true,
"startTime": 1429029735
}
}
}Transactions transfer money from the customer to the vendor, to fulfil an order. One transaction usually fulfils an order, but not always (e.g. outstanding credit, or split payments).
If a transaction event call is intended to get a fraud indication before the transaction is
placed with the PSP, some of the transaction properties won’t be available. In
that case, send us a preTransaction event instead. This event carries all the
information you have available just as a user clicked the “buy” button, but
before you’ve passed it through to the PSP.
| Parameter | Type | Value |
|---|---|---|
| timestamp | integer | The unix timestamp, in seconds, of when the event occurred |
| customerId | string | customer performing the transaction |
| tempCustomerId | string | a session ID, if the customer has not logged in yet |
| paymentMethod | payment method | Payment method used for this transaction |
| paymentMethodId | string |
If a payment method was already added for this user in a previous event,
it can be referenced here. Mutually exclusive with the
paymentMethod field.
|
| orderId | string | order this transaction is (partially) resolving |
| transaction | pretransaction | The transaction that is about to be committed. |
| device | device | Information about the device used by this customer (optional) |
| deviceId | string |
If the device used by the user was already sent in a previous event, its
deviceId can be sent here instead of a full device object. Optional, and
mutually exclusive with the device field.
|
Pre-transactions are transactions before they have been submitted to a PSP for processing.
| Parameter | Type | Description |
|---|---|---|
| transactionId | string | A unique identifier for the transaction. |
| 3ds | 3ds | Information about any 3D Secure flow the customer was put through. |
| currency | string | The ISO 4217 currency code. (required) |
| debit | integer | The debit amount (money coming from the payment method, i.e. normal charge) of the transaction in the lowest denomination of the currency. (deprecated, see amount) |
| credit | integer | The credit amount (money going to the payment method, i.e. a refund) of the transaction in the lowest denomination of the currency. (deprecated, see amount) |
| amount | integer | The value of the transaction in the lowest denomination of the currency. (required) |
| gateway | string | The name of the payment gateway. (required) |
| type | transaction type | The type of transaction. See the transaction type table for reference. |
| mid | string | The merchant ID that this transaction was processed under. |
| acquirerId | string | The acquirer involved in the transaction. |
| mccCode | string | The merchant category classification code associated with the transaction. |
| time | integer | When this transaction is authed, captured, or otherwise actioned (depending on the type) |
| custom | object |
If you have any data about this transaction that does not fit in one of
the above fields, please specify it in the custom object. Especially
any data received from the PSP is welcome here.
|
POST /v2/transaction HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1429029735,
"customerId": "61283761287361",
"paymentMethodId": "783917",
"orderId": "n1QSYK0ceGNZqU28ien3",
"transaction": {
"transactionId": "f61f8594e06459fa046707c36159bb35",
"amount": 4675,
"currency": "GBP",
"success": true,
"authCode": "1000",
"gateway": "stripe",
"gatewayReference": "tr_16oaY72eZvKYlo2CE5ZDq9Vh",
"avsResultCode": {
"street": "A",
"postalCode": "M"
},
"cvvResultCode": "M",
"type": "auth_capture",
"3ds": {
"attempted": true,
"success": true,
"startTime": 1429029705,
"endTime": 1429029734
}
}
}Once the transaction has been placed with the PSP, send the results to Ravelin, regardless of success or failure status.
If this transaction was already submitted as a preTransaction event, make sure
to use the same transactionId.
| Parameter | Type | Value |
|---|---|---|
| timestamp | integer | The unix timestamp, in seconds, of when the event occurred |
| customerId | string | customer performing the transaction |
| tempCustomerId | string | a session ID, if the customer has not logged in yet |
| paymentMethod | payment method | Payment method used for this transaction |
| paymentMethodId | string |
If a payment method was already added for this user in a previous event,
it can be referenced here. Mutually exclusive with the
paymentMethod field.
|
| orderId | string | order this transaction is (partially) resolving |
| transaction | transaction | The transaction which was committed to the PSP, including the response from the PSP. |
| device | device | Information about the device used by this customer (optional) |
| deviceId | string |
If the device used by the user was already sent in a previous event, its
deviceId can be sent here instead of a full device object. Optional, and
mutually exclusive with the device field.
|
| Parameter | Type | Description |
|---|---|---|
| transactionId | string | A unique identifier for the transaction. |
| success | boolean | Whether the transaction successfully completed with no error. (required) |
| 3ds | 3ds | Information about any 3D Secure flow the customer was put through. |
| currency | string | The ISO 4217 currency code. (required) |
| debit | integer | The debit amount (money coming from the payment method, i.e. normal charge) of the transaction in the lowest denomination of the currency. (deprecated, see amount) |
| credit | integer | The credit amount (money going to the payment method, i.e. a refund) of the transaction in the lowest denomination of the currency. (deprecated, see amount) |
| amount | integer | The value of the transaction in the lowest denomination of the currency. (required) |
| authCode | string | A code returned from the payment gateway after an attempt to charge, if applicable. |
| declineCode | string | The decline code from the payment gateway, if applicable |
| gateway | string | The name of the payment gateway. (required) |
| gatewayReference | string | Transaction Reference provided by the payment gateway. (required) |
| avsResultCode | avsresult | The result code from address verification for both street and postal code verification |
| cvvResultCode | string |
The result code from a CVV verification (M,
N, ...)
|
| type | transaction type | The type of transaction. See the transaction type table for reference. |
| mid | string | The merchant ID that this transaction was processed under. |
| acquirerId | string | The acquirer involved in the transaction. |
| mccCode | string | The merchant category classification code associated with the transaction. |
| time | integer | When this transaction is authed, captured, or otherwise actioned (depending on the type) |
| custom | object |
If you have any data about this transaction that does not fit in one of
the above fields, please specify it in the custom object. Especially
any data received from the PSP is welcome here.
|
If the customer is being through a 3D Secure payment flow, send 3DS properties on the resulting transactions.
| Parameter | Type | Description |
|---|---|---|
| attempted | boolean | Whether the customer was put through the 3DS payment flow. |
| success | boolean | Whether the customer 3DS authentication was successful. |
| startTime | integer | Unix timestamp indicating when the customer was redirected to the 3DS payment flow (seconds or milliseconds). |
| endtime | integer | Unix timestamp indicating when the customer returned from the 3DS payment flow (seconds or milliseconds). |
| timedOut | boolean | Whether you believe the customer to have abandoned your checkout flow during 3DS authentication. |
CVV, ZIP code and street name verification is handled in similar fashion by most
PSPs: a single letter (or short string) per check indicating the result of that
specific check. Ravelin accepts strings as supplied by Braintree, Stripe and
similar PSPs; please ensure you set the correct value in the
transaction.gateway field so we can properly interpret the result code value.
The result code can be one of: M, N, U, I, A, pass, fail,
unavailable, or unchecked.
Address verification is a compound check: both the street name and ZIP code are independently verified, and both get an independent result code from your PSP:
| Parameter | Type | Description |
|---|---|---|
| postalCode | string |
The result code from a postal code verification (M,
N, ...)
|
| street | string |
The result code from a street name verification (M,
N, ...)
|
Card transactions come in various flavours, the most common being auth and
capture. Ravelin supports this model by accepting multiple separate
transactions for each step of the payment, as it happens on your system.
| Type | Description |
|---|---|
| auth | An auth transaction only reserves the funds on the customer's account without deducting them from their account. Useful to verify if the customer has sufficient funds on their account without actually deducting the money, or to reserve a limit amount when the final order price is not known when the customer clicks "order" (e.g. a taxi ride with a pick-up location, but without destination). Sometimes called preauth. |
| capture | A capture transaction deducts funds from the customer's account using auth. The maximum amount that can be captured is what was previously reserved in the auth, but anything lower is OK. |
| auth_capture | A combination of both auth and capture in one transaction. For when there is no need to reserve money without also deducting it from the account. E.g. a straight-forward "buy now" button for a service that is immediately delivered, like food delivery. |
| void | Used for voiding an auth. |
| refund | Credit a customer's account. Will typically with have a new transactionId but the same gateway reference. |
When sending a refund transaction it can be useful to refer back to the payment method by the transaction which originally debited the card. For example, if a customer has successfully gone through the fraud check:
POST /v2/checkout HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1536577389238679409,
"customer": {"customerId": "cust-123"},
"order": {"orderId": "ord-123"},
"transaction": {"transactionId": "tx-123", "amount": 123},
"paymentMethod": {
"methodType": "paymentMethodCipher",
"cardCiphertext": "...",
"aesKeyCiphertext": "...",
"algorithm": "RSA_WITH_AES_256_GCM",
"ravelinjsVersion": "0.0.9"
}
}… and completed their order successfully:
POST /v2/checkout HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1536577500948371039,
"customerId": "cust-123",
"order": {"orderId": "ord-123", "status": {"stage": "fulfilled"}},
"transaction": {"transactionId": "tx-123", "success": true, "amount": 123}
}We can then create a refund transaction without then knowing the payment method by
instead knowing that the refund was for transaction tx-123:
POST /v2/transaction HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1536578369411033583,
"customerId": "cust-123",
"orderId": "ord-123",
"transaction": {
"transactionId": "refund-123",
"type": "refund",
"gateway": "my-psp",
"gatewayReference": "gw-ref-123",
"success": true,
"amount": 1000,
"currency": "GBP"
},
"paymentMethod": {
"methodType": "fromTransaction",
"transactionId": "tx-123"
}
}POST /v2/login HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1429029750,
"customerId": "61283761287361",
"tempCustomerId": "89QsaT/H17wnB4vuyRdd",
"device": {
"deviceId": "2b6f0cc904d137be2e1730235f5664094b831186",
"type": "phone",
"manufacturer": "apple",
"model": "iPhone8,1",
"os": "iOS 8",
"ipAddress": "22.231.113.64"
}
}If previous events for this customer were sent as anonymous events (with a
tempCustomerId instead of a customerId), set the tempCustomerId field here
to tie those together.
Optionally, if there is device information available, send Ravelin information about the device the customer is using in this event.
| Parameter | Type | Value |
|---|---|---|
| timestamp | integer | The unix timestamp, in seconds, of when the event occurred |
| customerId | string | customer logging in |
| tempCustomerId | string | a session ID that was previously sent with anonymous events belonging to this user (optional) |
| device | device | Information about the device used by this customer (optional) |
| deviceId | string |
If the device used by the user was already sent in a previous event, its
deviceId can be sent here instead of a full device object. Optional, and
mutually exclusive with the device field.
|
A device is a physical object that a customer uses to interact with your application. Examples include a mobile phone, tablet or laptop.
The deviceId can come directly from the device, or it can be a unique ID your
business defines.
| Parameter | Type | Description |
|---|---|---|
| deviceId | string | A unique identifier for the device - e.g. UUID. |
| type | string | The type of device. e.g. computer, phone, tablet |
| manufacturer | string | The device manufacturer. e.g. apple, samsung. |
| model | string | The model/identifier name of the device. e.g. iPhone8,1, iPad5,4 (for Apple devices), or bullhead, herolte (for Android devices). |
| os | string | The operating system that the device is running. e.g. ios, android. |
| ipAddress | string | The IP address that this device is connecting from. |
| browser | string | The name of the web browser being used, if applicable. E.g. `Chrome 42` |
| userAgent | string | The full `User-Agent` header of the device |
POST /v2/paymentmethod/voucher HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1429031911,
"customerId": "cust-123",
"voucherRedemption": {
"paymentMethodId": "cust-123-order-abc-TUBE",
"voucherType": "GENERAL",
"voucherCode": "TUBE",
"redemptionTime": 1429031855,
"value": 1000,
"currency": "GBP",
"success": true
}
}| Parameter | Type | Description |
|---|---|---|
| timestamp | integer | The unix timestamp, in seconds, of when the event occurred (required) |
| customer | customer |
The customer performing the checkout. If the information about this
customer was already sent to Ravelin previously, only filling the
customerId field of this object will suffice. (required)
|
| voucherRedemption | voucherRedemption | The voucher information and details of it's use (required) |
If part an order is being paid for through use of a voucher or of credit associated to a user’s account, you can communicate that to Ravelin with a paymentmethod/voucher event. For these redemptions, you can either provide the voucher details alongside its redemption details, or you can specify a previously registered voucher via the paymentMethodId.
| Parameter | Type | Description |
|---|---|---|
| paymentMethodId | string | A unique identifier for this payment method. (required) |
| voucherCode | string | The string customers actually see in their app (required) |
| redemptionTime | integer | The timestamp of the redemption attempt (required) |
| success | boolean | Bool indicating the success or failure of the redemption attempt (required) |
| value | string | The value of the voucher (required) |
| currency | string | The ISO 4217 currency code |
| voucherType | string | The type of voucher. One of:
REFERRAL
REACTIVATION
GENERAL
|
| expiry | integer | The timestamp after which the voucher can no longer be redeemed |
| failureReason | string | Optional reason why the attempt was not successful. One of:
EXPIRED
NOT_NEW_CUSTOMER
ALREADY_USED
ABUSER
SYSTEM_FAILURE
MAX_ALLOWED_TIMES
|
| failureSource | string | the source of why the voucher failed. One of:
RAVELIN
CLIENT
|
| referrerId | string | The customerId of the customer who created this voucher |
| referralValue | integer | The amount the owner of the voucher gets when the voucher is used |
| custom | object |
If you have any data about this chargeback that does not fit in one of
the above fields, please specify it in the custom object.
|
The market for a customer can be specified using the market, country & marketCity on customer and order events. If any of these three fields is non-empty on the customer, then the effective market for the customer is specified by the values on the customer. If all three fields are empty on the customer, then the effective market for the customer is specified by the fields on their latest order. The inability to ‘forget’ a market on a customer, regardless if any order market information is sent, has lead to confusion in the past: thus we have deprecated them. We recommend you set values for these fields only on order events.
The effective market for a customer is used in reporting, risk thresholds, for model features, and for segmenting customers in the dashboard.
We recommend you use market, country & marketCity in a hierarchical manner, with market specifying the region (e.g. europe, emea, apac, etc).
Events can occur before a customer ID is known. For example: adding items to a
shopping cart, and only being shown a “login or register now” form at check-out
time; the cart events will not have an associated customerId.
For these events, there is the tempCustomerId field: it can occur at the
top-level of most events which accept a customerId. This field should contain
a session ID (or otherwise consistent value that will be used to later tie the
events to a real customer, at log in time).
When a customer logs in (or registers), send a “log in event” (see above) to tie
all previous tempCustomerId events to a real customer.
Except for the log in event, the tempCustomerId and customerId fields are
mutually exclusive.
[DEPRECATION NOTICE] The Ravelin Vault is DEPRECATED. Support will continue to be offered, but for those wishing to securely send card information through to Ravelin, please consult our Client-side Card Encryption documention instead.
The Vault must be used whenever sending raw card numbers to Ravelin.
The Vault is PCI DSS Compliant and is the only Ravelin API that can accept RAW card numbers.
By sending full card numbers to Ravelin we are able to match cards across our entire network and catch more fraudsters before a transaction takes place. Please note the different sub-domain: https://vault.ravelin.com.
There are two ways to send the raw card number (the “PAN”) to the Ravelin Vault: directly from the client, or through your server. Which method is right for you depends on whether or not you already send the raw PAN to your own servers, or if you don’t (e.g. using a “hosted checkout page”).
{
"timestamp": 1429029735,
"customerId": "61283761287361",
"paymentMethod": {
"paymentMethodId": "783917",
"instrumentId": "card_16nWlGHD2LFseSsHaUp9kIW2",
"registrationTime": 1429029735,
"methodType": "card",
"cardBin": "123456",
"cardLastFour": "4242",
"cardType": "mastercard",
"expiryMonth": 6,
"expiryYear": 2019,
"lastVerified": 1444166299,
"successfulRegistration": true,
"countryIssued": "GBR",
"pan": "1234567891234567"
}
}If you already have the PAN available on your own servers (even without storing
it), you can send it directly to Ravelin in any event that would normally accept
a paymentMethod field.
The API for these endpoints are very similar to the regular API, with only a few differences:
cardBin and no cardLastFour on the paymentMethod entity,pan field on the paymentMethod entity,api.ravelin.com but vault.ravelin.comThe full schema for a paymentMethod entity on the Vault:
| Parameter | Type | Description |
|---|---|---|
| instrumentId | string | Unique identifier for this card, consistent across users (e.g. Stripe's `fingerprint`, or Braintree's `unique_number_identifier`). Please use your PSP's unique identifier here, and not the Ravelin Card token from the Vault. If your PSP does not support this feature, Ravelin will create one for you to use in the graph. |
| nameOnCard | string | Name to which the card is registered (as printed on the card) |
| pan | string | The full, raw card number (only on the Vault!) |
| cardType | string | The scheme of the card: visa, amex, etc. |
| expiryMonth | integer | The expiry month as MM. |
| expiryYear | integer | The expiry year as YYYY. |
| successfulRegistration | boolean | Whether the payment method was successfully registered with the PSP (e.g. passed verification) |
| issuer | string | The issuer of the payment method: e.g. barclaycard |
| countryIssued | string | The ISO 3166 country code (2- or 3-letter). |
# Tokenization Request
curl -H 'Authorization: token pk_live_XXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '{"pan":"5105105105105100", "expiryMonth":12, "expiryYear":2020}' \
https://vault.ravelin.com/v2/card
# Tokenization Response{
"cardToken":"tk-8c46447a-fdce-4e48-88aa-234a3c014330",
"cardBin":"510510",
"cardLastFour":"5100",
"expiryMonth":12,
"expiryYear":2020
}If you never send the full card number from the client (browser or app) to your own servers (e.g. by using a hosted payment page), you will need to use the public tokenization API for the Ravelin Vault.
This is a three-step process:
Only use your PUBLISHABLE KEY for the public Vault API (starts with pk_...).
Using your secret key for the Vault will not work. Otherwise, your users would be able to read them, and use them to get full access to the entire Ravelin API. The publishable key only allows write access to the Vault, no read access.
The Vault token you receive from the Ravelin Vault is not under PCI scope, so you don’t need to worry about having credit card numbers on your servers.
{
"status": 200,
"timestamp": 709513200,
"data": {
"customerId": "123456789",
"action": "PREVENT",
"score": 77,
"source": "RAVELIN",
"scoreId": "2bf39d-d1299-31",
"comment": "",
"warnings": [{
"class": "order-absent-currency",
"help": "https://developer.ravelin.com/apis/warnings/#order-absent-currency",
"msg": "Order \"example-order-1\" does not have a currency."
}]
}
}Using the information supplied to Ravelin through the event endpoints, individual customers are categorized in one of three buckets:
ALLOWREVIEWPREVENTThis information is sent:
?score=true), andIn both cases, the score payload is a JSON object with the same schema:
| Parameter | Type | Description |
|---|---|---|
| customerId | string | Identifier for this customer, as supplied by the client |
| action | string | Action to take for this customer, according to Ravelin. One of ALLOW, REVIEW, PREVENT |
| score | int | Ravelin score for this customer as an integer. Debugging purposes only |
| source | string | Source of the score, e.g. RAVELIN or MANUAL_REVIEW |
| scoreId | string | Unique identifier for this score |
| comment | string | In the case of manual review, this is the comment left by the reviewer on this particular review action. E.g.: "Definitely not a fraudster, I know him personally", or "I know this person from another account, infamous fraudster" |
| warnings | array of warnings | Ravelin can return warnings on API responses when malformed or absent data may negative impact fraud-detection, but where we would rather return a best-effort score instead of out-right rejecting the API request. |
Events sent to Ravelin using POST requests get an empty response body by default. The information is stored in our system and no further action is taken during the request.
To force an immediate rescoring based on the information received up to and
including an event: add the ?score=true query parameter. For example, the
/v2/order endpoint becomes:
POST /v2/order?score=true
This will do two things:
The score will be calculated based on the information in this event, and in all
events previously received and met with a 200 OK status.
The ?score=true query parameter is available on every event endpoint. Specify
it when you want to make a decision during an order flow about where to go,
based on the fraud score: allow regular check-out, or send down an extra
validation path?
The most important field in the payload is action:
on this action |
In your system |
|---|---|
ALLOW |
Allow this order to proceed |
REVIEW |
Take extra validation steps for this order (e.g. put the customer through 3D Secure) |
PREVENT |
Prevent this order |
Other fields are provided for analytic and debugging purposes.
Do not implement any logic based upon the source of the action. Furthermore,
do not attempt to deserialise it into an enum, as we reserve the right to add
new sources to our scoring engine without warning.
[DEPRECATION NOTICE] Callbacks are deprecated. You can still review our old callbacks documentation if you use them.
The Label API allows you to change the status of a customer. This can be used to tie your own customer management tools into Ravelin.
Sending this label is the same as pressing the Genuine or Fraudster button in the Ravelin Dashboard.
{
"customerId": "customer1",
"label": "GENUINE",
"comment": "This customer called up and we have determined he is not a fraudster",
"reviewer": {
"name": "Bilbo Baggins",
"email": "bilbo.b@shiremail.com"
}
}This is an optional API integration. You may manage these labels completely within the Ravelin Dashboard. This is simply a helper API so you can integrate labelling in your own tools.
| Parameter | Type | Description |
|---|---|---|
| customerId | string | The unique identifier of this customer in your system. |
| label | string | The label for this customer. Must be one of:
UNREVIEWED, GENUINE, FRAUDSTER
|
| comment | string | The reason for this label. |
| reviewer | reviewer | The individual creating this label |
The reviewer is the person who is doing the review. Their details will appear in the audit log on the dashboard so you are able to see who did this review and why.
| Parameter | Type | Description |
|---|---|---|
| name | string | The name of the person doing the review |
| string | The email of the person doing the review |
The Tags API allows you to change the tags attached to a customer. This can be used to tie your own customer management tools into Ravelin.
Calling this API is the same as setting a tag in the Ravelin Dashboard.
POST /v2/tag/customer HTTP/1.1
Authorization: token ...
Content-Type: application/json
{
"timestamp": 1429029735,
"customerId": "61283761287361",
"tagNames": ["staff", "vip"]
}Example response:
{
"tagNames": ["staff", "vip", "highroller"],
"label": "GENUINE"
}Attaching a tag to a customer is done by posting to this endpoint with the body filled with customerId and an array of tagNames. This will attach the tag and respond with the full list of attached tags and the label for that customer.
| Parameter | Type | Description |
|---|---|---|
| customerId | string | The ID the customer which you would like to set the tags for. |
| tagNames | [string] | An array containing the names of the tags to add to the customer. |
This returns all the tags for a specific customer as well as the label for the customer. This returns the same body as the POST tag endpoint.
To remove a tag, make a DELETE http request on the tag customer endpoint. This will remove the tag from the customer. The tagName field may be a single tag or, to remove multiple tags, a comma separated list of tags. This returns the same body as the POST tag endpoint.
Backfill is the process of sending your historical data to Ravelin. We will use the backfill data to train a model which uniquely identifies the fraud you are experiencing. This model will then be used to evaluate your live data.
However, it is only worth doing backfill if your historical data is representative of your live data. If not, the model which is trained won’t accurately detect fraud in your live data.
If your backfill data is not representative of your live data, or if you don’t have a enough backfill data, and you are receiving enough enough traffic through your platform, it may be preferable to just collect live data and use that to train a model instead. Please speak to our integrations team about whether this is an option for you.
If you choose to proceed with backfill we recommend that you start sending us live data before performing the backfill, but don’t request scoring. This means you will avoid a gap in data during the period between completing your backfill and when we finish preparing your fraud model.
If performing backfill these are the steps you should follow:
score=false.score=true for those you wish to score.Requesting a score only works for known customers, which is why we recommend you complete backfill before enabling scoring.
In order to perform the backfill you should send data to our backfill API endpoints. Every one of our primary API endpoints has an equivalent backfill endpoint. These endpoints receive data in exactly the same format as our primary API endpoints. Fields which are required by the primary API are also required by the backfill API. For details about the format see the documentation for each of the primary API endpoints.
| Backfill Endpoint | Primary Endpoint | Recommended Usage |
|---|---|---|
| /v2/backfill/customer | /v2/customer | Send only if you have registrationTime.
See Timestamps on Backfill Data. |
| /v2/backfill/paymentmethod | /v2/paymentmethod |
Send only if you have registrationTime and
paymentMethodId and, either the instrumentId
or the cardBin and cardLastFour.
|
| /v2/backfill/transaction | /v2/transaction |
Send only if you have sent payment methods and have the
transaction's paymentMethodId.
Make sure you send all transactions, including successful, disputed and failed.
|
| /v2/backfill/order | /v2/order | Send only if you have sent transactions, and you have the order's
transactionId. |
| /v2/backfill/chargeback | /v2/chargeback | Send only if you have sent orders, and you have the chargeback's
orderId. |
Timestamps should be provided for all backfill data. If a timestamp isn’t available for an entity, a timestamp from a related entity can be used instead. For example, if you don’t have the registration time for a customer the time of their first order could be used instead. Regardless of their source, make sure all timestamps for backfill data are in the past so that they don’t conflict with live events.
The rate limits for the backfill endpoints are much higher than the rate limits for the primary endpoints so you needn’t worry about being rate limited during backfill.
Ravelin will avoid rejecting requests with bad data in some cases, with the understanding that our best effort is usually still preferable to nothing at all. Our machine-learning scoring may be impacted by a missing order price, but we can still see when a credit card has sent you chargebacks before.
See API Warnings for full information on handling data warnings, and a breakdown of each warning class and their potential impact.
| Parameter | Type | Description |
|---|---|---|
| class | string | Identifier for this warning. Format is [a-z-]+ so you can safely record it in your metrics system. |
| help | URL | A link to more information about this class of warning and the impact of not resolving. |
| msg | string | A description indicating why this warning has been issued. |
Ravelin uses conventional HTTP response codes to indicate success or failure of an API request. In general, codes in the 2xx range indicate success, codes in the 4xx range indicate an error that resulted from the provided request and codes in the 5xx range indicate an error with Ravelin’s system.
# Typical Error Response
{
status: 403,
message: "Invalid Request: API Key Incorrect. Please check your credentials and try again"
}| HTTP Code | Meaning |
|---|---|
200 |
OK -- Everything worked as expected. |
400 |
Bad Request -- Often missing a required parameter, e.g. customerId. |
401 |
Unauthorized -- Your API key is wrong. |
403 |
Forbidden -- The resource requested is hidden for administrators only. |
404 |
Not Found -- The specified resource could not be found. |
405 |
Method Not Allowed -- Often you are not POSTing a request. |
406 |
Not Acceptable -- You requested a format that isn't JSON. |
429 |
Too Many Requests -- We're rate limiting your usage of the API. |
500 |
Internal Server Error -- We had a problem with our server. Please try again later. |
503 |
Service Unavailable -- We're temporarily offline for maintenance. Please try again later. |
504 |
Service timeout -- We are temporarily offline or over capacity. Please try again later. |
For our recommendations on how to best respond to these error codes, please consult our Error Handling documentation or contact a Ravelin engineer.