Google can provide additional user client information when we send
SubmitOrderRequest. You can use this information to help prevent fraudulent
transactions in your integration.
How to read fraud prevention signals
When your project is enabled to receive additional fraud prevention signals, the
SubmitOrderRequest headers will contain information about the user client
instead of Google's servers. The request headers will contain the following
information:
IP address: The user client's IP address is available as the first IP in the
x-forwarded-forfield. This address is in either IPV4 or IPV6 format as determined by the user client's configuration.User agent: The user agent string is stored in the
user-agentfield with a "Google-ActionsOnGoogle/1.0" suffix. Note that this field might not populate depending on the user's device and whether they placed an order by voice.
Below is a snippet of the SubmitOrderRequest HTTP header when fraud prevention is enabled:
X-Forwarded-For: 72.00.123.12,66.111.12.123, 169.254.1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe) Google-ActionsOnGoogle/1.0
If the user client information isn't sufficient for you to perform fraud prevention, reach out to your Google contact to discuss alternative solutions.
How to handle fraudulent transactions during fulfillment
Based on the user’s IP address and user-agent information provided in the
SubmitOrderRequest, use your internal fraud prevention algorithm to determine
whether the transaction is legitimate.
If the transaction appears to be fraudulent, respond with an orderState of
REJECTED and a rejectionInfo of INELIGIBLE, along with an appropriate
error description in the SubmitOrderResponseMessage.
If the transaction appears to be legitimate, process the order as normal.