Fraud Controls API Behavior
This page documents how ZendFi fraud and sanctions controls appear at the API layer so your integration can handle risk outcomes deterministically. For customer-facing policy and operations, see Fraud and Compliance.Enforcement Stages
ZendFi evaluates risk in multiple request stages:- Payment creation (
POST /api/v1/payments) - Checkout transaction build (
POST /api/v1/payments/{payment_id}/build-transaction) - Transaction submission
POST /api/v1/payments/{payment_id}/submit-transactionPOST /api/v1/payments/{payment_id}/submit-gasless-transaction
Endpoint Response Matrix
Create Payment
- merchant-wallet sanctions screening
- blocked-IP screening
- pre-create fraud scoring
| Status | When it happens | Typical payload shape |
|---|---|---|
200 | Payment created | Payment object |
402 | Blocked by sanctions/blocked-IP/fraud policy | { "error": { "code": "payment_blocked", ... } } |
400 | Validation error | { "error": { "field": "...", ... } } |
429 | Merchant limits/rate controls | Limit/usage error payload |
Build Transaction
- customer-wallet sanctions screening
- fraud check with payer wallet and request IP (when available)
- customer wallet binding to payment (wallet mismatch returns conflict)
| Status | When it happens |
|---|---|
200 | Transaction build succeeds |
403 | Blocked by sanctions or fraud policy |
404 | Payment not found |
409 | Payment no longer eligible for build (state conflict) |
410 | Payment expired |
Submit Transaction (standard)
- stored fraud-score gate
- submit-time fraud re-check when
customer_walletis present
| Status | When it happens |
|---|---|
200 | Submission accepted for verification |
400 | Invalid signature payload |
403 | Blocked by fraud score/re-check policy |
404 | Payment not found |
409 | Signature conflict/replay or invalid payment state |
410 | Payment expired |
Submit Gasless Transaction
| Status | When it happens |
|---|---|
200 | Submission accepted |
400 | Invalid gasless transaction payload |
403 | Blocked by fraud score/re-check policy |
404 | Payment not found |
409 | Signature/state conflict |
410 | Payment expired |
Integration Recommendations
- Treat
payment_blocked,403, and402as security outcomes, not generic failures. - Show user-safe copy and route users to support with payment ID.
- Do not auto-retry blocked requests without additional customer verification.
- Log payment ID, endpoint, status code, and request correlation data for support triage.
- Use idempotency keys on write paths to avoid duplicate operations during retries.
Merchant Fraud Endpoints
ZendFi provides merchant-scoped fraud read APIs under authenticated dashboard/session routes.List Fraud Flags
resolved(true/false) optionalseverity(low,medium,high,critical) optionalresolution_type(safe_false_positive,confirmed_fraud,other) optionalpage(default1)limit(default25, max100)
Merchant Fraud Stats
total_flaggedunresolved_flagsresolved_safe_flagsblocked_paymentsfalse_positive_rateestimated_fraud_prevented_usdhigh_risk_payments_24haverage_fraud_score_24h
false_positive_rate = resolved_safe_flags / total_flaggedestimated_fraud_prevented_usd = sum(amount_usd) of fraud-blocked payments
Webhook Event: FraudFlagRaised
When a payment fraud score is greater than 50, ZendFi emits an additional webhook event:fraud_flag_raised
metadata.fraud_scoremetadata.fraud_flagsmetadata.fraud_review_required
payment_created.
Safe Client Messaging
Recommended customer-safe response copy:“Your payment needs additional security review. Please contact support with your payment ID.”Avoid exposing internal fraud signals or threshold details in user-facing UI.
Notes
- Current sanctions enforcement is at create-payment and build-transaction stages.
- Current submit-stage enforcement is fraud-based.