POST /verify

cURL
curl --request POST \
  --url https://api.deflect.bot/verify \
  --header 'Content-Type: application/json' \
  --data '
{
  "api_key": "<string>",
  "action_id": "<string>",
  "token": "<string>",
  "id": "<string>",
  "email": "user@example.com",
  "phone_number": "<string>"
}
'

Example response
{
  "success": true,
  "user_id": "<string>",
  "score": 123,
  "verdict": {
    "can_pass": true,
    "redeemed": true
  },
  "device": {
    "fingerprint": "<string>",
    "user_agent": "<string>",
    "browser": "<string>",
    "languages": "<string>",
    "timezone": "<string>",
    "os": "<string>",
    "is_mobile": true
  },
  "ip": {
    "address": "<string>",
    "type": "<string>",
    "is_datacenter": true,
    "is_proxy": true,
    "is_tor": true,
    "is_vpn": true,
    "is_threat": true,
    "is_bogon": true,
    "asn": "<string>",
    "asn_number": 123
  },
  "location": {
    "city": "<string>",
    "postal_code": "<string>",
    "country": "<string>",
    "continent": "<string>",
    "latitude": 123,
    "longitude": 123
  },
  "email": {
    "address": "<string>",
    "normalized": "<string>",
    "valid": true,
    "trust_score": 123,
    "domain_name": "<string>",
    "domain_type": "<string>",
    "flags": [
      "<string>"
    ]
  },
  "phone": {
    "valid": true,
    "country_code": "<string>",
    "country_name": "<string>",
    "carrier": "<string>",
    "line_type": "<string>"
  },
  "session": {
    "started_at": "2023-11-07T05:31:56Z",
    "finished_at": "2023-11-07T05:31:56Z"
  },
  "rules": [
    {
      "action": "<string>",
      "name": "<string>",
      "id": "<string>",
      "source": "<string>",
      "shadow": true
    }
  ],
  "multi_accounting": {
    "detected": true,
    "risk": "<string>",
    "score": 123,
    "accounts": [
      {
        "user_id": "<string>",
        "email": "<string>",
        "signals": [
          "<string>"
        ],
        "confidence": 123,
        "session_count": 123,
        "last_activity": "2023-11-07T05:31:56Z"
      }
    ]
  }
}

Response Format

The API returns detailed information about the request, including:
  • Verdict - Whether the request should be allowed (can_pass: true/false) and whether the token had already been redeemed (redeemed: true/false)
  • Device information - Browser details, fingerprint, user agent
  • IP analysis - Location, threat indicators, proxy/VPN detection
  • Session data - Timing and behavioral analysis

Token Redemption

Tokens can be verified more than once — replay does not produce an error. Use verdict.redeemed to detect it:
  • verdict.redeemed: false — first time this token has been verified
  • verdict.redeemed: true — this token was already verified by a previous /verify call
If your defense action should treat a token as single-use (e.g. login, signup, payment), reject the request when verdict.redeemed is true.
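
A server-side decision function for the replay check described above, as an added example that is not Deflect's own code. The function names, the reason strings, and the choice to deny when success is not true or a verdict field is missing are assumptions of this example.

```python
import json
import urllib.request

VERIFY_URL = "https://api.deflect.bot/verify"  # endpoint from this page


def call_verify(api_key, action_id, token, user_id=None, timeout=5):
    """POST the session token to /verify and return the parsed JSON body."""
    body = {"api_key": api_key, "action_id": action_id, "token": token}
    if user_id is not None:
        body["id"] = user_id  # optional; enables multi-accounting detection
    req = urllib.request.Request(
        VERIFY_URL,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def decide(response, single_use=True):
    """Return (allowed, reason). Fails closed on anything unexpected."""
    if not isinstance(response, dict) or response.get("success") is not True:
        return False, "verify_failed"  # assumption: success != true means deny
    verdict = response.get("verdict")
    if not isinstance(verdict, dict):
        return False, "no_verdict"
    if verdict.get("can_pass") is not True:
        return False, "blocked"
    # Replay does not raise an error, so single-use actions must check this flag.
    # A missing flag is treated as redeemed (fail closed).
    if single_use and verdict.get("redeemed") is not False:
        return False, "token_replayed"
    return True, "ok"


# Constructed sample responses (not captured from the API).
FIRST_USE = {"success": True, "score": 92,
             "verdict": {"can_pass": True, "redeemed": False}}
REPLAYED = {"success": True, "score": 92,
            "verdict": {"can_pass": True, "redeemed": True}}

if __name__ == "__main__":
    for name, sample in (("first use", FIRST_USE), ("replayed", REPLAYED)):
        print(name, decide(sample))
```

Call decide(call_verify(...)) once per protected request, and pass single_use=False only for actions where verifying the same token again is acceptable.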

Testing

For local development, use test action IDs that return predictable results without consuming API credits:
  • Success: t/FFFFFFFFFFFFF/111111111 (always returns can_pass: true)
  • Failure: t/FFFFFFFFFFFFF/000000000 (always returns can_pass: false)
See the Defense Actions guide for more details.

Body

application/json

Verdict request with session token and optional user identification

api_key (string, required)
Your Deflect API Key

action_id (string, required)
Your Deflect Action ID

token (string, required)
The user session token from the protected endpoint.

id (string)
Optional user identifier for multi-accounting detection. Highly recommended to include.

email (string<email>)
Optional user email address. Response will include email risk assessment.

phone_number (string)
Optional user phone number in E.164 format. Response will include phone validation.

Response

Successful response

success (boolean)

user_id (string)
Echo of the user identifier passed in the request.

score (integer)
Bot detection score from 0 (bot) to 100 (human).

verdict (object)

device (object)

ip (object)

location (object)

email (object)
Included when an email address is passed in the request.

phone (object)
Included when a phone number is passed in the request.

session (object)

rules (object[])
Bot rules and access rules that matched this request.

multi_accounting (object)
Multi-accounting detection results. Requires a user id in the request.