Fraud prevention

Google can provide additional user client information when we send SubmitOrderRequest. You can use this information to help prevent fraudulent transactions in your integration.

How to read fraud prevention signals

When your project is enabled to receive additional fraud prevention signals, the SubmitOrderRequest headers contain information about the user client rather than about Google's servers. The request headers contain the following information:

  • IP address: The user client's IP address is available as the first IP in the x-forwarded-for field. This address is in either IPv4 or IPv6 format, as determined by the user client's configuration.

  • User agent: The user agent string is stored in the user-agent field with a "Google-ActionsOnGoogle/1.0" suffix. Note that this field might not populate depending on the user's device and whether they placed an order by voice.

Below is a snippet of the SubmitOrderRequest HTTP header when fraud prevention is enabled:

X-Forwarded-For: 72.00.123.12,66.111.12.123, 169.254.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe) Google-ActionsOnGoogle/1.0

If the user client information isn't sufficient for you to perform fraud prevention, reach out to your Google contact to discuss alternative solutions.

How to handle fraudulent transactions during fulfillment

Based on the user’s IP address and user-agent information provided in the SubmitOrderRequest, use your internal fraud prevention algorithm to determine whether the transaction is legitimate.

If the transaction appears to be fraudulent, respond with an orderState of REJECTED and a rejectionInfo of INELIGIBLE, along with an appropriate error description in the SubmitOrderResponseMessage.

If the transaction appears to be legitimate, process the order as normal.
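The following is an added example, not code from the page or from Google, that ties the two sections together: it reads the two signals from SubmitOrderRequest headers as the page describes them (first entry of x-forwarded-for, user-agent with the "Google-ActionsOnGoogle/1.0" suffix), then applies a placeholder fraud rule and produces the rejection fields the page names. The sample headers are constructed and modelled on the page's snippet; the denylist, the `is_fraudulent` rule, the flat response layout and the `errorDescription` key are assumptions for illustration and are not the real SubmitOrderResponseMessage schema.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Suffix the page says Google appends to the forwarded user agent.
GOOGLE_UA_SUFFIX = "Google-ActionsOnGoogle/1.0"
# Token that sits between the browser UA and the suffix in the page's sample header.
GFE_TOKEN = ",gzip(gfe)"


@dataclass
class ClientSignals:
    client_ip: Optional[IPAddress]   # None if header absent or first entry is not a valid IP
    user_agent: Optional[str]        # None if header absent (page: may not populate for voice orders)
    google_suffix_present: bool      # True when the Google-ActionsOnGoogle/1.0 suffix was seen


def parse_fraud_signals(headers: dict) -> ClientSignals:
    """Extract the user-client IP and user agent from SubmitOrderRequest headers."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lower = {name.lower(): value for name, value in headers.items()}

    client_ip = None
    xff = lower.get("x-forwarded-for")
    if xff:
        # Per the page, the user client's address is the FIRST entry of the list.
        first = xff.split(",")[0].strip()
        try:
            # Strict parse: accepts IPv4 or IPv6, rejects garbage and ambiguous
            # forms such as leading-zero octets rather than guessing.
            client_ip = ipaddress.ip_address(first)
        except ValueError:
            client_ip = None

    user_agent = None
    suffix_present = False
    ua = lower.get("user-agent")
    if ua:
        ua = ua.strip()
        if ua.endswith(GOOGLE_UA_SUFFIX):
            suffix_present = True
            ua = ua[: -len(GOOGLE_UA_SUFFIX)].rstrip()
        # Peel trailing ",gzip(gfe)" tokens one at a time; a plain split on ","
        # would break UAs that legitimately contain commas, e.g. "(KHTML, like Gecko)".
        while ua.endswith(GFE_TOKEN):
            ua = ua[: -len(GFE_TOKEN)]
        user_agent = ua or None

    return ClientSignals(client_ip, user_agent, suffix_present)


# Constructed stand-in for an internal fraud rule: addresses in these networks are
# treated as fraudulent. A real integration plugs its own scoring in here.
DENYLISTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_fraudulent(signals: ClientSignals) -> bool:
    """Hypothetical rule: fraudulent when the client IP falls in a denylisted network."""
    if signals.client_ip is None:
        # No usable IP signal: the page's guidance is to discuss alternatives
        # with Google; this placeholder does not reject on that basis alone.
        return False
    return any(signals.client_ip in net for net in DENYLISTED_NETWORKS)


def build_submit_order_response(signals: ClientSignals) -> Optional[dict]:
    """Return the rejection fields the page names, or None to process the order as normal.

    Only orderState=REJECTED and rejectionInfo=INELIGIBLE come from the page; the flat
    dict layout and the 'errorDescription' key are assumed and must be mapped onto the
    real SubmitOrderResponseMessage schema.
    """
    if is_fraudulent(signals):
        return {
            "orderState": "REJECTED",
            "rejectionInfo": "INELIGIBLE",
            "errorDescription": "Transaction declined by fraud screening.",
        }
    return None


SAMPLE_HEADERS = {  # constructed sample, modelled on the page's snippet
    "X-Forwarded-For": "203.0.113.12,66.111.12.123, 169.254.1.1",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe) "
                  "Google-ActionsOnGoogle/1.0",
}

if __name__ == "__main__":
    signals = parse_fraud_signals(SAMPLE_HEADERS)
    print(signals)
    print(build_submit_order_response(signals))
```

The parser deliberately refuses to guess: an unparseable first x-forwarded-for entry yields `client_ip=None` instead of a best-effort string, so the decision step can treat "no IP signal" separately from "IP in a bad range", and a missing user-agent header (which the page says can happen for voice orders) comes through as `None` rather than an exception.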