Google can provide additional user client information when we send
SubmitOrderRequest. You can use this information to help prevent fraudulent
transactions in your integration.
How to read fraud prevention signals
When your project is enabled to receive additional fraud prevention signals, the
SubmitOrderRequest headers will contain information about the user client
instead of Google's servers. The request headers will contain the following
IP address: The user client's IP address is available as the first IP in the
x-forwarded-forfield. This address is in either IPV4 or IPV6 format as determined by the user client's configuration.
User agent: The user agent string is stored in the
user-agentfield with a "Google-ActionsOnGoogle/1.0" suffix. Note that this field might not populate depending on the user's device and whether they placed an order by voice.
Below is a snippet of the
SubmitOrderRequest HTTP header when fraud prevention is enabled:
X-Forwarded-For: 72.00.123.12,22.214.171.124, 169.254.1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.96.36.199 Safari/537.36,gzip(gfe),gzip(gfe) Google-ActionsOnGoogle/1.0
If the user client information isn't sufficient for you to perform fraud prevention, reach out to your Google contact to discuss alternative solutions.
How to handle fraudulent transactions during fulfillment
Based on the user’s IP address and user-agent information provided in the
SubmitOrderRequest, use your internal fraud prevention algorithm to determine
whether the transaction is legitimate.
If the transaction appears to be fraudulent, respond with an
REJECTED and a
INELIGIBLE, along with an appropriate
error description in the
If the transaction appears to be legitimate, process the order as normal.