Proactively detect and prevent account takeover attempts with one simple and free API call


Instant protection

Use one API request to detect and prevent account takeover and other malicious authentication attempts.

Send a POST request containing the user's username or email, IP address, user agent, and the host where the login occurred.

We do not store user IDs, only a cryptographic hash, making it impossible to recover the original user ID or email.

$ curl https://ocs.ory.am/ato/inspect \
  -X POST \
  -d user="[email protected]" \
  -d ip="127.0.0.1" \
  -d ua="Mozilla/5.0 (Windows NT 10.0)" \
  -d host="login.ory.am" \
  -d session="session-id"

Try now

Use this widget to make example requests and receive real scores. After the initial request, update, for example, the IP address and the user agent and see how the risk value increases. Change the email address to see how the score goes down when the account used has not been involved in a data leak.


$ curl https://ocs.ory.am/ato/inspect [...]

{
  "id": "Jk4Fa",
  "decision": "deny",
  "score": 0.99,
  "reasons": [
    "IP origin has bad reputation",
    "Credentials found in yahoo.com data breach",
    "Traveled from Munich to L.A. in 5 minutes"
  ]
}

Clear response

The API returns a threat score ranging from 0 (no risk) to 1 (high risk), the reasons why we think that the attempt is malicious, an incident id, and a decision, which can be one of:

  • deny: high confidence that the login attempt is malicious and should be blocked.

  • allow: high confidence that the login attempt is genuine.

  • notify: medium confidence that the login attempt is malicious and the account owner should be notified.


Tailored threat models

We train our models specifically for your application and for each user independently.

To improve detection rates, notify us with one simple API request when a user confirms or rejects suspicious account activity.

$ curl -X POST \
  https://ocs.ory.am/ato/incidents/<id>/reject

# Confirm threat
$ curl -X POST \
https://ocs.ory.am/ato/incidents/Jk4Fa/confirm

# Reject threat
$ curl -X POST \
https://ocs.ory.am/ato/incidents/Jk4Fa/reject

Risk assessment


Fingerprint

We keep track of the devices used by an account and get suspicious when unknown devices are being used.


Data breach monitor

We detect compromised accounts by keeping track of data breaches and also rely on third-party databases such as Troy Hunt's haveibeenpwned.com.


Geolocation

We locate login attempts and identify suspicious activity when the implied travel time between them is unrealistic or when a user authenticates from a previously unknown location.
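
The unrealistic-travel check described above can be sketched as follows. This is an added example, not ORY's implementation; the 1000 km/h speed limit, the 50 km minimum distance, and the sample logins are assumptions constructed for illustration.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0  # assumed limit: a little above airliner cruise speed

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH, min_km=50.0):
    """Return (from_city, to_city, km, kmh) for consecutive logins of one
    account whose implied speed exceeds max_speed_kmh. Jumps shorter than
    min_km are ignored, since IP geolocation error alone can produce them."""
    findings = []
    ordered = sorted(logins, key=lambda e: e["time"])
    for prev, cur in zip(ordered, ordered[1:]):
        km = haversine_km(prev["pos"], cur["pos"])
        if km < min_km:
            continue
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600
        # Two distant logins at the same instant imply infinite speed.
        kmh = km / hours if hours > 0 else math.inf
        if kmh > max_speed_kmh:
            findings.append((prev["city"], cur["city"], round(km), kmh))
    return findings

def ts(s):
    """Parse an ISO timestamp and mark it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample logins for one account; coordinates are approximate.
SAMPLE = [
    {"time": ts("2024-01-10T08:00:00"), "city": "Munich", "pos": (48.137, 11.575)},
    {"time": ts("2024-01-10T08:05:00"), "city": "Los Angeles", "pos": (34.052, -118.244)},
    {"time": ts("2024-01-11T09:00:00"), "city": "Los Angeles", "pos": (34.060, -118.250)},
    {"time": ts("2024-01-12T10:00:00"), "city": "Munich", "pos": (48.137, 11.575)},
]

if __name__ == "__main__":
    for src, dst, km, kmh in impossible_travel(SAMPLE):
        print(f"{src} -> {dst}: {km} km at {kmh:,.0f} km/h")
```

Only the five-minute Munich to Los Angeles jump is flagged; the return trip a day later implies a speed well below the limit.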


IP reputation

We become suspicious when IPs with a bad reputation, such as botnets, known hackers, or Tor exit nodes, are being used.


Activity monitor

Users being online during unusual times makes our algorithm suspicious and increases the risk score.


ORY Cloud Security

The Account Takeover Prevention API is part of ORY Cloud Security, a set of products that solve IoT, cloud and API security.

Our open source flagship ORY Hydra secures production stacks facing millions of requests each day.


The Account Takeover Prevention API is in early access and free of charge.

Please excuse outages and false positives / negatives. We are improving the service every day.

Requests are limited to one per second. Contact us if you need more, or send us a quick chat message (blue icon bottom left).
