Use one API request to detect and prevent account takeover and other malicious authentication attempts.
Send a POST request containing the user's username or email, IP address, user agent, and the host where the login occurred.
We do not store user IDs, only a cryptographic hash, making it impossible to recover the original user ID or email.
$ curl https://ocs.ory.am/ato/inspect \
-d user="firstname.lastname@example.org" \
-d ip="127.0.0.1" \
-d ua="Mozilla/5.0 (Windows NT 10.0)" \
-d host="login.ory.am"
Use this widget to make example requests and receive real scores. After the initial request, update the IP address and the user agent, for example, and see how the risk value increases. Change the email address to see how the score goes down when the account has not been involved in a data leak.
$ curl https://ocs.ory.am/ato/inspect [...]
"IP origin has bad reputation",
"Credentials found in yahoo.com data breach",
"Traveled from Munich to L.A. in 5 minutes" ]
The API returns a threat score ranging from 0 (no risk) to 1 (high risk), the reasons why we think that the attempt is malicious, an incident id, and a decision, which can be one of:
deny: high confidence that this login attempt is malicious and should be blocked.
allow: high confidence that the login attempt is genuine.
notify: medium confidence that the login attempt is malicious and the account owner should be notified.
We train our models specifically for your application and for each user independently.
To improve detection rates, notify us when a user confirms or rejects suspicious account activity with one simple API request.
$ curl -X POST \
# Confirm threat
$ curl -X POST \
# Reject threat
$ curl -X POST \
We keep track of the devices used by an account and get suspicious when unknown devices are being used.
We detect compromised accounts by keeping track of data breaches and also rely on third-party databases such as Troy Hunt's haveibeenpwned.com.
We geolocate login attempts and identify suspicious activity when travel times between them are unrealistic or when a user authenticates from a previously unknown location.
We become suspicious when IPs with a bad reputation, such as botnets, known hackers, or Tor exit nodes, are being used.
Users being online at unusual times makes our algorithm suspicious and increases the risk score.
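The travel-time and unknown-location checks described above can be sketched as follows. This is an added example, not ORY's implementation or model; the speed ceiling, the minimum distance, the function names and the sample logins (coordinates and timestamps) are assumptions constructed for illustration.

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 1000.0  # assumption: roughly airliner cruise speed
MIN_KM = 50.0           # assumption: ignore jitter from coarse IP geolocation

# Constructed sample: logins of one account as (timestamp, city, (lat, lon))
SAMPLE_LOGINS = [
    ("2024-05-01T08:00:00", "Munich", (48.1374, 11.5755)),
    ("2024-05-02T09:30:00", "Munich", (48.1374, 11.5755)),
    ("2024-05-02T09:35:00", "Los Angeles", (34.0522, -118.2437)),
    ("2024-05-04T18:00:00", "Berlin", (52.5200, 13.4050)),
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def travel_findings(logins):
    """Compare each login with the previous one and return a list of findings."""
    events = sorted((datetime.fromisoformat(ts), city, pos) for ts, city, pos in logins)
    findings, seen = [], set()
    for i, (ts, city, pos) in enumerate(events):
        if i > 0:  # the first login only establishes the baseline
            prev_ts, prev_city, prev_pos = events[i - 1]
            km = haversine_km(prev_pos, pos)
            hours = (ts - prev_ts).total_seconds() / 3600
            # Zero elapsed time over a real distance is impossible by definition
            if km >= MIN_KM and (hours == 0 or km / hours > MAX_SPEED_KMH):
                findings.append(("impossible_travel", prev_city, city, round(km)))
            elif city not in seen:
                findings.append(("new_location", city))
        seen.add(city)
    return findings
```

On the sample, the Munich to Los Angeles hop five minutes apart is reported as impossible travel, while the later Berlin login is plausible in time and is only flagged as a new location.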
The Account Takeover Prevention API is part of ORY Cloud Security, a set of products that solve IoT, cloud and API security.
Our open source flagship ORY Hydra secures production stacks facing millions of requests each day.