Enable Google to provide user client information with an order request and handle this information to prevent fraudulent transactions.
Reading fraud prevention signals
When your project uses the fraud prevention feature, your users'
SubmitOrderRequest headers contain information about their client instead of
Google's servers. The request headers contain the following information:
- IP address: The user client's IP address is available in the
x-forwarded-for field. This address is in either IPv4 or IPv6 format, depending on the user client's configuration.
- User agent: The user agent string is stored in the
user-agent field with a "Google-ActionsOnGoogle/1.0" suffix. Note that this field may not be populated, depending on the user's device and whether they placed the order by voice.
If the user client information isn't sufficient for you to perform fraud prevention, reach out to your Google contact to discuss alternative solutions.
Based on the user client information provided, determine using your internal business logic whether the transaction is legitimate.
If the transaction appears to be legitimate, process the order as normal.
If the transaction appears to be fraudulent, respond with a
SubmitOrderResponseMessage that rejects the transaction and denotes it as
"INELIGIBLE" with an appropriate error description.
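
The flow above as an added Python sketch (not Google's code): read the two headers, tolerate a missing or malformed value, and produce a reject decision marked "INELIGIBLE". The function names, the decision dictionary keys, the blocked network list standing in for your internal business logic, and the choice to read the first entry of a multi-valued x-forwarded-for are all assumptions; mapping the decision onto the SubmitOrderResponseMessage fields follows the API schema and is not shown.

```python
import ipaddress

GOOGLE_UA_SUFFIX = "Google-ActionsOnGoogle/1.0"  # suffix named on this page

# Constructed stand-in for "internal business logic": documentation-only ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "2001:db8:bad::/48")]


def read_fraud_signals(headers):
    """Return (client_ip, user_agent) from request headers; either may be None."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # Assumption: if intermediaries appended entries, the first is the user client.
    first = h.get("x-forwarded-for", "").split(",")[0].strip()
    try:
        client_ip = ipaddress.ip_address(first)  # accepts IPv4 and IPv6
    except ValueError:
        client_ip = None  # absent or malformed: treat as "no signal"
    ua = h.get("user-agent") or None  # may be unpopulated, e.g. voice orders
    if ua and ua.endswith(GOOGLE_UA_SUFFIX):
        ua = ua[: -len(GOOGLE_UA_SUFFIX)].rstrip(" ,;") or None
    return client_ip, ua


def evaluate_order(headers, blocked=BLOCKED_NETWORKS):
    """Decide whether to process the order or reject it as INELIGIBLE."""
    client_ip, ua = read_fraud_signals(headers)
    decision = {"client_ip": str(client_ip) if client_ip else None,
                "user_agent": ua, "reject": False,
                "error": None, "description": None}
    # An IPv4 address tested against an IPv6 network (or vice versa) is simply
    # "not in" it, so one list can hold both families.
    if client_ip and any(client_ip in net for net in blocked):
        decision.update(reject=True, error="INELIGIBLE",
                        description="Order cannot be accepted for this request.")
    return decision
```

A request with no usable IP address is not rejected by this check alone; whether to accept, reject or queue such orders is a policy decision the sketch leaves to the caller.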