Reasons
TheDetails array in the webhook payload contains every signal that fired for the session. Each entry has a Value (points added to the score) and a Description (the signal name).
Complete signal list
IP Intelligence signals
| Description | Points | Meaning |
|---|---|---|
Is VPN | +10 | IP belongs to a known VPN provider (unconfirmed) |
Is vpn by base ip | +15 | VPN confirmed by IP database |
Is vpn by network & by base ip | +15 | VPN confirmed by both network topology and IP database |
Is proxy | +30 | IP is a proxy server |
Is datacenter | +20 | IP is from a cloud or datacenter ASN |
Is abuser | +20 | IP is in abuse blacklists |
Is tor | +15 | Tor exit node |
Connectivity signals
| Description | Points | Meaning |
|---|---|---|
Stun is not checked | +30 | STUN/ICE did not complete — UDP blocked or WebRTC disabled |
Browser timezone ≠ IP-timezone | +10 | Intl timezone doesn’t match IP geolocation timezone |
OS / Device signals
| Description | Points | Meaning |
|---|---|---|
UA OS is not detected | +30 | Cannot determine OS from User-Agent |
Network OS is not detected | +30 | TCP fingerprint did not identify OS |
Fail by windows os detect | +30 | UA = Windows, TCP fingerprint = not Windows |
Fail by linux os detect | +30 | UA = Linux, TCP fingerprint = not Linux |
Fail by android os detect | +30 | UA = Android, TCP fingerprint = not Android |
Fail by IOS detect | +30 | UA = iOS, TCP fingerprint = not iOS/macOS |
Fail by Mac OS detect | +30 | UA = macOS, TCP fingerprint = not macOS/iOS |
Special signals
| Description | Points | Meaning |
|---|---|---|
JavaScript disabled | 90 | Triggered by noscript beacon — JS was disabled in browser |
User has been banned 1H, to many requests | 999 | Rate limit exceeded — auto-ban for 1 hour |