Authentication overview

Riskified provides fraud prevention and chargeback guarantee services through API integrations, requiring robust authentication to secure data exchange. The authentication process verifies the identity of the client application attempting to communicate with Riskified's systems. This security measure is crucial for protecting sensitive transaction data and ensuring that only authorized entities can submit orders for analysis or receive fraud decisions.

Authentication for Riskified APIs typically involves a combination of unique API keys and, for inbound communications such as webhooks, digital signatures. These methods are designed to prevent unauthorized access and maintain data integrity, aligning with industry security standards such as Transport Layer Security (TLS) encryption for all data in transit. Riskified's approach to authentication is integrated into its custom enterprise solutions, with specific implementation details often refined during the onboarding process to match a merchant's existing infrastructure and security policies.

Ensuring secure communication is a shared responsibility. While Riskified secures its API endpoints and provides authentication mechanisms, developers integrating with Riskified are responsible for securely managing their credentials and implementing best practices within their own systems. This includes protecting API keys, validating webhook payloads, and monitoring for suspicious activity related to API usage.

Supported authentication methods

Riskified primarily supports API Keys for outbound requests from client systems to Riskified and digital signatures for inbound webhook notifications from Riskified to client systems. Each method serves a specific purpose in securing the communication flow.

API Key Authentication

API keys are unique, alphanumeric strings used to identify and authenticate an application or user making a request to the Riskified API. When a client system sends an order for fraud analysis or queries a decision, the API key is included in the request headers.

  • Mechanism: The API key is typically passed in the Authorization header or a custom header as specified in the client's integration guide. Riskified's servers validate this key against registered keys to authorize the request.
  • Purpose: To authenticate the merchant's system when pushing data to Riskified for fraud assessment.
  • Security Considerations: API keys should be treated as sensitive credentials and protected like passwords. They grant access to API resources, and their compromise could lead to unauthorized data submission or manipulation.

Webhook Digital Signatures

Webhooks are automated callbacks or HTTP POST requests sent by Riskified to a merchant's specified URL when an event occurs, such as a fraud decision being made. To ensure the authenticity and integrity of these notifications, Riskified signs each webhook payload.

  • Mechanism: Riskified generates a unique signature for each webhook payload using a shared secret key and a cryptographic hash function. This signature is typically included in an HTTP header (e.g., X-Riskified-Hmac-Sha256). The client's system is responsible for regenerating the signature using the same shared secret and comparing it with the received signature. If they match, the webhook is deemed authentic and untampered. Stripe's documentation provides a general explanation of how to verify webhook signatures, which illustrates a common industry practice.
  • Purpose: To allow the merchant's system to verify that an incoming webhook notification genuinely originated from Riskified and has not been altered in transit.
  • Security Considerations: The shared secret used for webhook signatures must be kept confidential. Failure to verify signatures can expose the merchant's system to spoofed or malicious webhook payloads.

The table below summarizes the key authentication methods:

| Method | When to Use | Security Level |
|---|---|---|
| API Key | Authenticating requests from your system to Riskified (e.g., submitting orders). | High (requires secure key management) |
| Webhook Digital Signature | Verifying authenticity of incoming webhooks from Riskified to your system (e.g., fraud decision notifications). | High (requires secure shared secret and validation logic) |

Getting your credentials

Access to Riskified's API credentials, including API keys and webhook shared secrets, is typically granted as part of the onboarding process after a merchant has engaged with Riskified's sales and implementation teams. Due to the custom nature of Riskified's enterprise solutions and the sensitive nature of fraud prevention, credentials are not publicly available or self-service via a generic developer portal prior to a formal engagement.

The process generally involves the following steps:

  1. Initial Engagement: After signing an agreement with Riskified, your team will work with a dedicated Riskified account manager or technical consultant.
  2. Technical Onboarding: During technical onboarding, Riskified provides documentation and guidance specific to your integration needs. This includes defining the necessary API endpoints and the authentication credentials required for your particular use case.
  3. Credential Provisioning: API keys and webhook shared secrets are securely provisioned. This may involve Riskified generating and providing them directly, or guiding you through a process within a dedicated Riskified merchant portal to generate and retrieve them securely.
  4. Environment-Specific Credentials: It is common practice for Riskified to provide separate credentials for testing (sandbox) and production environments to facilitate development and prevent accidental live transactions during testing.

For specific instructions on retrieving and managing your credentials, refer to the documentation provided by your Riskified account team or contact their support. Riskified's developer experience notes indicate that documentation for their APIs is typically provided after initial sales engagement due to the custom nature of their solutions.

Authenticated request example

While specific Riskified API endpoints and request bodies vary based on the integration, an authenticated API request typically involves sending an API key in the HTTP headers. Below is a conceptual example using curl for submitting an order for evaluation. This example assumes an API key is provided in a custom header, which is a common pattern.


curl -X POST \
  https://api.riskified.com/api/v2/orders/submit \
  -H "Content-Type: application/json" \
  -H "X-Riskified-API-Key: YOUR_RISKIFIED_API_KEY" \
  -d '{
        "id": "ORDER_12345",
        "email": "customer@example.com",
        "price": 100.00,
        "currency": "USD",
        "gateway": "Stripe",
        "payment_method": "credit_card",
        "shipping_address": {
          "first_name": "John",
          "last_name": "Doe",
          "address1": "123 Main St",
          "city": "Anytown",
          "province": "CA",
          "zip": "90210",
          "country": "US"
        },
        "line_items": [
          {
            "title": "Example Product",
            "price": 100.00,
            "quantity": 1
          }
        ]
      }'

Explanation:

  • https://api.riskified.com/api/v2/orders/submit: This is a placeholder for a Riskified API endpoint for submitting orders. The actual endpoint may vary.
  • -H "Content-Type: application/json": Specifies that the request body is in JSON format.
  • -H "X-Riskified-API-Key: YOUR_RISKIFIED_API_KEY": This header contains the API key. Replace YOUR_RISKIFIED_API_KEY with your actual, securely obtained API key. The header name (e.g., X-Riskified-API-Key) will be specified in your Riskified integration guide.
  • -d '{...}': The request body contains the order data to be submitted for fraud analysis.

For webhook verification, the process would involve receiving an HTTP POST request from Riskified to your endpoint. Your application would then:

  1. Extract the signature from the webhook header (e.g., X-Riskified-Hmac-Sha256).
  2. Compute a local signature using the raw webhook payload and your shared secret key.
  3. Compare the computed signature with the received signature to verify authenticity.

Always consult your specific Riskified integration documentation for the precise header names, endpoint URLs, and payload structures relevant to your account.
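The three verification steps above, as an added Python example (not Riskified's own code). It assumes the header name shown on this page and a hex-encoded HMAC-SHA256 of the raw body; the secret and payload are constructed sample values.

```python
import hashlib
import hmac
import json

# Assumption: header name taken from this page's "e.g."; confirm it in your integration guide.
SIGNATURE_HEADER = "X-Riskified-Hmac-Sha256"


def compute_signature(raw_body: bytes, shared_secret: bytes) -> str:
    """Step 2: HMAC-SHA256 over the exact bytes received (hex encoding is an assumption)."""
    return hmac.new(shared_secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, raw_body: bytes, shared_secret: bytes) -> bool:
    """Return True only if the header signature matches the raw body."""
    # Step 1: extract the signature; HTTP header names are case-insensitive.
    received = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()),
        None,
    )
    if not received:
        return False  # fail closed on a missing or empty header
    expected = compute_signature(raw_body, shared_secret)
    # Step 3: constant-time comparison avoids leaking how many characters matched.
    # Compare bytes: compare_digest raises TypeError on non-ASCII str input.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


# Constructed sample data (not real Riskified values or payload structure).
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = b'{"order":{"id":"ORDER_12345","status":"approved"}}'
SAMPLE_HEADERS = {"x-riskified-hmac-sha256": compute_signature(SAMPLE_BODY, SAMPLE_SECRET)}

if __name__ == "__main__":
    print("authentic:", verify_webhook(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SECRET))
    tampered = SAMPLE_BODY.replace(b"approved", b"declined")
    print("tampered:", verify_webhook(SAMPLE_HEADERS, tampered, SAMPLE_SECRET))
    # Re-serialising parsed JSON changes the bytes, so verify the raw body before parsing.
    reserialized = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print("re-serialised:", verify_webhook(SAMPLE_HEADERS, reserialized, SAMPLE_SECRET))
```

Read the request body as raw bytes in your web framework before any JSON parsing, and pass those same bytes to `verify_webhook`.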

Security best practices

Implementing strong security practices is essential when integrating with Riskified to protect sensitive data and maintain the integrity of your fraud prevention system. Adhering to these guidelines helps mitigate risks associated with API key exposure and unauthorized access.

API Key Management

  • Treat API Keys as Secrets: API keys grant access to your Riskified account and should be treated with the same level of confidentiality as passwords.
  • Avoid Hardcoding: Never hardcode API keys directly into your source code. Instead, use environment variables, secret management services (like AWS Secrets Manager, Google Secret Manager, or Azure Key Vault), or secure configuration files.
  • Restrict Access: Limit who has access to API keys within your organization. Implement role-based access control (RBAC) to ensure only authorized personnel can retrieve or modify them.
  • Rotate Keys Regularly: Periodically rotate your API keys to minimize the impact of a compromised key. The frequency should align with your organization's security policy.
  • Monitor API Usage: Implement logging and monitoring for API key usage to detect and alert on unusual patterns that might indicate compromise or misuse.
  • Use Separate Keys: If possible, use distinct API keys for different applications, environments (development, staging, production), or microservices. This limits the blast radius if one key is compromised.

Webhook Security

  • Verify Signatures: Always verify the digital signature of incoming webhooks to ensure they originate from Riskified and have not been tampered with. This is a critical step to prevent spoofing and malicious payload injection.
  • Use HTTPS: Ensure your webhook endpoint uses HTTPS to encrypt all data in transit, protecting against eavesdropping and man-in-the-middle attacks.
  • Implement Idempotency: Design your webhook handler to be idempotent, meaning it can process the same notification multiple times without causing duplicate actions. This handles potential re-deliveries from Riskified.
  • Secure Endpoint: Protect your webhook endpoint with network-level access controls if feasible, allowing requests only from Riskified's known IP ranges.
  • Log and Monitor: Log incoming webhooks and their verification status. Monitor for failed signature verifications, which could indicate a security issue.
  • Keep Shared Secrets Confidential: The shared secret used for signing webhooks should be managed with the same care as API keys.
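A sketch of the idempotency and log-and-monitor points above, added here as an example rather than Riskified's code. The `WebhookReceiver` class, the `apply_decision` callback, the body-digest dedup key, the hex HMAC-SHA256 encoding and the sample payload are all assumptions; the in-memory set stands in for a durable store.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("webhooks")


class WebhookReceiver:
    """Verifies, logs and de-duplicates notifications (in-memory store for illustration)."""

    def __init__(self, shared_secret: bytes, apply_decision):
        self._secret = shared_secret
        self._apply = apply_decision      # hypothetical callback that acts on a decision
        self._seen = set()                # use a durable store with a TTL in production
        self.failed_verifications = 0     # export as a metric and alert on spikes

    def handle(self, signature: str, raw_body: bytes, source_ip: str) -> int:
        """Return the HTTP status code to send back to the caller."""
        expected = hmac.new(self._secret, raw_body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), (signature or "").encode()):
            self.failed_verifications += 1
            # Log metadata only: the body is untrusted and may hold customer data.
            log.warning("webhook signature mismatch ip=%s bytes=%d", source_ip, len(raw_body))
            return 401
        # Assumption: the page names no delivery id, so the body digest is the dedup key.
        key = hashlib.sha256(raw_body).hexdigest()
        if key in self._seen:
            log.info("duplicate webhook ignored key=%s", key[:12])
            return 200                    # acknowledge: the action was already taken
        self._apply(raw_body)
        self._seen.add(key)               # record only after the action succeeded
        log.info("webhook verified and applied key=%s", key[:12])
        return 200


def demo():
    """Deliver one constructed notification twice, then a forged one."""
    secret, applied = b"constructed-test-secret", []
    rx = WebhookReceiver(secret, applied.append)
    body = b'{"order":{"id":"ORDER_12345","status":"approved"}}'
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest()
    statuses = [rx.handle(sig, body, "203.0.113.7") for _ in range(2)]
    statuses.append(rx.handle("0" * 64, body, "203.0.113.9"))
    return statuses, len(applied), rx.failed_verifications
```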

General API Security

  • Use TLS/SSL: Ensure all communications with Riskified APIs use Transport Layer Security (TLS 1.2 or higher) to encrypt data in transit. Riskified enforces this for its endpoints.
  • Input Validation: Always validate and sanitize any data you send to Riskified APIs to prevent injection attacks or malformed requests.
  • Error Handling: Implement robust error handling in your API integrations to gracefully manage failed requests and potential security issues. Avoid exposing sensitive information in error messages.
  • Least Privilege: Configure your systems and integrations with the principle of least privilege, granting only the necessary permissions required for their function.
  • Regular Audits: Conduct regular security audits of your integration code and infrastructure to identify and address potential vulnerabilities.

By diligently applying these security best practices, organizations integrating with Riskified can build a more secure and resilient fraud prevention infrastructure. For detailed security recommendations specific to your integration, always consult your official Riskified documentation and support channels.