Fraud prevention

Enable Google to provide user client information with an order request and handle this information to prevent fraudulent transactions.

Reading fraud prevention signals

When your project uses the fraud prevention feature, the headers of each SubmitOrderRequest contain information about the user's client instead of Google's servers. The request headers contain the following information:

  • IP address: The user client's IP address is available in the x-forwarded-for field. This address is in either IPv4 or IPv6 format, depending on the user client's configuration.
  • User agent: The user agent string is stored in the user-agent field with a "Google-ActionsOnGoogle/1.0" suffix. Note that this field may not be populated, depending on the user's device and whether they placed the order by voice.

If the user client information isn't sufficient for you to perform fraud prevention, reach out to your Google contact to discuss alternative solutions.


Using your internal business logic, determine from the user client information provided whether the transaction is legitimate.

If the transaction appears to be legitimate, process the order as normal.

If the transaction appears to be fraudulent, respond with a SubmitOrderResponseMessage that rejects the transaction and denotes it as "INELIGIBLE" with an appropriate error description.
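
The flow described above, as an added example that is not part of the original documentation or Google's own code: it validates the x-forwarded-for value as IPv4 or IPv6, tolerates a missing user agent, and returns the error description to send with an "INELIGIBLE" rejection. The denylist, the function names, the choice of the first x-forwarded-for entry and the reject-when-no-IP policy are assumptions; building the SubmitOrderResponseMessage itself is left to your fulfillment code.

```python
import ipaddress
from typing import Mapping, NamedTuple, Optional, Union

UA_SUFFIX = "Google-ActionsOnGoogle/1.0"  # suffix named on this page
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# Constructed denylist (documentation-only ranges) standing in for internal business logic.
DENYLIST = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8:bad::/48")]


class ClientSignals(NamedTuple):
    ip: Optional[IPAddress]     # None when missing or malformed
    user_agent: Optional[str]   # suffix stripped; None when not populated


def read_signals(headers: Mapping[str, str]) -> ClientSignals:
    """Pull the two fraud signals out of the SubmitOrderRequest headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    # Assumption: if proxies in front of you appended hops, the first entry is the user client.
    first = h.get("x-forwarded-for", "").split(",")[0].strip()
    try:
        ip = ipaddress.ip_address(first) if first else None
    except ValueError:
        ip = None  # never pass unparsed header text into rules, logs or queries
    ua = h.get("user-agent", "").strip()
    if ua.endswith(UA_SUFFIX):
        ua = ua[: -len(UA_SUFFIX)].strip()
    return ClientSignals(ip, ua or None)


def screen_order(headers: Mapping[str, str]) -> Optional[str]:
    """Return None to process the order, or the description for an INELIGIBLE rejection."""
    signals = read_signals(headers)
    if signals.ip is None:
        # Hypothetical policy: an order without a usable IP cannot be screened.
        return "Order could not be verified."
    if any(signals.ip in net for net in DENYLIST):  # mixed v4/v6 comparisons are simply False
        return "Order could not be verified."
    # A missing user agent alone is not treated as a signal: voice orders may not send one.
    return None
```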