Trust Verification API
The Trust Verification API validates and analyzes email addresses in real-time based on your project's configured rules.
The response, validations, and internal behavior of this API always depend on the enabled project rules. You can read more about project rules here.
Endpoint
https://api.autheona.com/v1/public/verify
Method
POST
Authentication
All requests must include a Bearer token in the Authorization header:
Authorization: Bearer YOUR_ACCESS_TOKEN
Access tokens are created in your project settings. Each token is unique to a project.
Security Best Practices:
- Never expose tokens in client-side code
- Store tokens securely using environment variables
- Never commit tokens to version control
- Rotate tokens periodically
- Revoke compromised tokens immediately
- Use separate tokens for different environments
Request Headers
Content-Type: application/json
Authorization: Bearer YOUR_ACCESS_TOKEN
Rate Limits
Rate limits are enforced per access token:
- Limit: 10 requests per second
- Window: 1 second
- TTL: 3 seconds
If you exceed the rate limit, implement exponential backoff in your integration.
Request Parameters
Body Parameters (JSON)
| Parameter | Type | Required | Description |
|---|---|---|---|
email_address |
string | Yes | The email address to validate. |
ipv4_address |
string | No | IPv4 address to perform IP-based validation checks |
ipv6_address |
string | No | IPv6 address to perform IP-based validation checks |
soft_check |
boolean | No | Perform validation without storing domain information. Analytics data is still stored. |
show_results |
boolean | No | Include detailed errors, warnings, and analyzed data in response. |
show_steps |
boolean | No | Include the list of validation steps executed. (For debugging) |
Sample Request Body:
{
"email_address": "test@test.com",
"ipv4_address": "192.168.1.1",
"ipv6_address": "2001:db8:3333:4444:5555:6666:7777:8888",
"soft_check": false,
"show_results": true,
"show_steps": false
}
Response
Success Response (HTTP 200)
{
"action": "allow",
"errors": ["error_code"],
"warnings": ["warning_code"],
"risk_score": 15,
"risk_level": "low",
"risk_score_breakdown": {},
"corrected_email": "corrected@example.com",
"punycode_email": "xn--example@domain.com",
"is_free_provider_domain": false,
"is_role_based_domain": false,
"is_disposable_domain": false,
"is_known_abuse_domain": false,
"is_spam_trap_domain": false,
"is_education_domain": false,
"is_government_domain": false,
"has_multiple_emails_in_ip": false,
"steps": ["structure", "mx_record", "..."],
"checked_types": ["mx_record", "disposable_domain"],
"analyzed_data": {}
}
Response Fields
| Field | Type | Description |
|---|---|---|
action |
string | Recommended action based on validation results: allow, allow_with_verification, allow_with_review, warn, challenge, soft_block, quarantine, block, or none. Always returned. |
errors |
array | Error codes for failed validations. Returned when show_results is true. |
warnings |
array | Warning codes for soft failures. Returned when show_results is true. |
risk_score |
integer | Composite risk score from 0 (clean) to 100 (high risk). Returned when risk scoring is enabled. |
risk_level |
string | Risk classification: low, medium, high, or critical. Returned when risk scoring is enabled and risk detected. |
risk_score_breakdown |
object | Per-signal score contributions. Returned when enabled and available. |
corrected_email |
string | Corrected email address if typo detected (e.g., "user@gmail.com"). Returned when applicable and show_results is true. |
punycode_email |
string | Punycode representation of internationalized email address. Returned when applicable and show_results is true. |
is_free_provider_domain |
boolean | Whether the domain is a known free email provider (Gmail, Yahoo, Outlook, etc.). Returned when the Free Provider Domain check is enabled. |
is_role_based_domain |
boolean | Whether the local part is role-based (admin, support, info, etc.). Returned when the Role-based Domain check is enabled. |
is_disposable_domain |
boolean | Whether the domain is a known disposable/temporary email provider. Returned when the Disposable Domain check is enabled. |
is_known_abuse_domain |
boolean | Whether the domain is flagged as a source of abuse or spam. Returned when the Known Abuse Domain check is enabled. |
is_spam_trap_domain |
boolean | Whether the domain is associated with known spam traps. Returned when the Spam Trap Domain check is enabled. |
is_education_domain |
boolean | Whether the domain is a known educational institution. Returned when the Educational Domain check is enabled. |
is_government_domain |
boolean | Whether the domain is a known government domain. Returned when the Government Domain check is enabled. |
has_multiple_emails_in_ip |
boolean | Whether multiple email addresses have been validated from the same IP address. Returned when the Multiple Accounts from Same IP check is enabled. |
steps |
array | List of validation steps executed. Returned when show_steps is true. |
checked_types |
array | List of validation types that were checked. Returned when show_results is true. |
analyzed_data |
object | Detailed analysis results. Returned when show_results is true. |
Validation Steps
When show_steps is true, the response includes which validation steps were executed:
| Step | Description |
|---|---|
structure |
Basic email format validation |
local_plus |
Plus addressing check (user+tag@example.com) |
local_dot |
Dot variations check (u.s.e.r@example.com) |
local_hyphen |
Hyphen in local part |
local_underscore |
Underscore in local part |
local_numeric |
Numeric local part |
local_quoted |
Quoted local part |
local_special_chars |
Special characters in local part |
local_empty |
Empty local part check |
subdomain_wildcard |
Wildcard subdomain check |
subdomain_single |
Single subdomain level |
subdomain_double |
Double subdomain level |
subdomain_triple |
Triple subdomain level |
subdomain_deeply_nested |
Deeply nested subdomains |
subdomain_hyphenated |
Hyphenated subdomain |
subdomain_numeric |
Numeric subdomain |
subdomain_uuid_hash |
UUID/hash subdomain |
uuid_subdomain |
UUID subdomain detection |
random_subdomain |
Random subdomain detection |
deep_nesting |
Deep nesting detection |
domain_ipv4 |
IPv4 address domain |
domain_ipv6 |
IPv6 address domain |
ip_provider |
IP provider identification |
domain_single_label |
Single-label domain |
domain_numeric_only |
Numeric-only domain |
internationalized_email |
Internationalized email check |
punycode_email |
Punycode domain check |
mixed_script_email |
Mixed script check |
catch_all_wildcard |
Catch-all wildcard check |
local_part_max_length |
Local part length validation |
domain_max_length |
Domain length validation |
total_address_length |
Total address length validation |
label_max_length |
DNS label length validation |
tld |
Top-level domain validation |
free_provider_domain |
Free provider check |
role_based_address |
Role-based address check |
disposable_domain |
Disposable domain check |
known_abuse_domain |
Known abuse domain check |
spam_trap_domain |
Spam trap domain check |
education_domain |
Educational domain check |
government_domain |
Government domain check |
specific_domains |
Specific domains allowlist check |
mx_record |
MX record validation |
fallback_a_record |
A record fallback check |
typo_detection |
Domain typo detection |
fraud_pattern_detection |
Fraud pattern detection |
domain_age |
Domain age check |
deliverability_score |
Deliverability score calculation |
domain_health |
Domain health classification |
risk_score |
Risk score calculation |
vpn_ip |
VPN detection for IP addresses |
ip_duplication |
IP address duplication check for velocity tracking |
Error Codes
When show_results is true and validation fails, error codes are returned:
Format Errors:
| Error | Description |
|---|---|
invalid_address_format |
Email format is invalid |
local_is_empty |
Local part is empty |
invalid_tld |
Top-level domain is invalid |
Local Part Errors:
| Error | Description |
|---|---|
local_contains_plus_symbol |
Plus addressing not allowed |
local_contains_dot_variations |
Dot variations not allowed |
local_contains_hyphen |
Hyphen not allowed |
local_contains_underscore |
Underscore not allowed |
local_is_numeric |
Numeric local part not allowed |
local_is_quoted |
Quoted local part not allowed |
local_contains_special_chars |
Special characters not allowed |
local_part_exceeds_max_length |
Local part too long |
Subdomain Errors:
| Error | Description |
|---|---|
subdomain_contains_wildcard |
Wildcard subdomain not allowed |
subdomain_single |
Single subdomain not allowed |
subdomain_double |
Double subdomain not allowed |
subdomain_triple |
Triple subdomain not allowed |
subdomain_deeply_nested |
Too many subdomain levels |
subdomain_contains_hyphen |
Hyphenated subdomain not allowed |
subdomain_is_numeric |
Numeric subdomain not allowed |
subdomain_contains_uuid_hash |
UUID/hash subdomain not allowed |
Domain Errors:
| Error | Description |
|---|---|
domain_is_ipv4_address |
IPv4 domain not allowed |
domain_is_ipv6_address |
IPv6 domain not allowed |
domain_is_single_label |
Single-label domain not allowed |
domain_is_numeric_only |
Numeric-only domain not allowed |
domain_exceeds_max_length |
Domain too long |
total_address_exceeds_max_length |
Total address too long |
label_exceeds_max_length |
DNS label too long |
Provider/Classification Errors:
not_in_specific_domains- Not in allowed domains list
DNS Errors:
| Error | Description |
|---|---|
no_mx_records |
No MX records found |
no_a_record |
No A record found (fallback) |
Detection Errors:
| Error | Description |
|---|---|
domain_typo_detected |
Domain typo detected (hard block) |
fraud_pattern_detected |
Fraud pattern detected (hard block) |
Internationalization Errors:
| Error | Description |
|---|---|
email_is_internationalized |
Internationalized email not allowed |
email_contains_punycode |
Punycode not allowed |
email_is_mixed_script |
Mixed script not allowed |
Other Errors:
| Error | Description |
|---|---|
local_contains_catch_all_wildcard |
Catch-all wildcard not allowed |
Warning Codes
Warnings indicate soft failures that don't block validation:
| Warning | Description |
|---|---|
domain_typo_detected |
Domain typo detected (soft warning) |
fraud_pattern_detected |
Fraud pattern detected (soft warning) |
common_provider_detected |
Common cloud provider detected (informational) |
vpn_detected |
VPN/proxy IP address detected |
Checked Types
When show_results is true, the checked_types array indicates which validation types were performed:
| Type | Description |
|---|---|
address_format |
Email address format validation |
mx_record |
MX record check |
disposable_domain |
Disposable domain check |
role_based_address |
Role-based address check |
free_provider_domain |
Free provider domain check |
known_abuse_domain |
Known abuse domain check |
spam_trap_domain |
Spam trap domain check |
education_domain |
Educational domain check |
government_domain |
Government domain check |
typo_detection |
Domain typo detection |
fraud_pattern_detection |
Fraud pattern detection |
risk_score |
Risk scoring |
multiple_emails_in_ip |
Multiple emails from same IP check |
Analyzed Data Fields
When show_results is true, the analyzed_data object may include:
DNS Information:
| Field | Description |
|---|---|
mx_record_count |
Number of MX records found |
mx_record_status |
MX record status: valid, invalid, not_checked |
a_record_fallback |
A record fallback status: valid, not_needed, invalid |
a_record_count |
Number of A records |
aaaa_record_count |
Number of AAAA records |
Domain Analysis:
| Field | Description |
|---|---|
domain_age_days |
Age of domain in days |
domain_age_signal |
Domain age classification: established, new_domain, unknown |
domain_health |
Health classification: excellent, healthy, risky, suspicious, dead, or unknown |
subdomain_count |
Number of subdomain levels |
nesting_depth |
Subdomain nesting depth |
Deliverability Scores:
| Field | Description |
|---|---|
deliverability_score |
Overall deliverability score (0-100) |
deliverability_mx_score |
MX contribution to deliverability |
deliverability_age_score |
Domain age contribution |
deliverability_subdomain_score |
Subdomain contribution |
deliverability_a_score |
A record contribution |
Risk Detection:
| Field | Description |
|---|---|
risk_score |
Overall risk score (0-100) |
risk_level |
Risk classification: low, medium, high, critical |
random_subdomain_signal |
Random subdomain detected: detected, none |
deep_nesting_risk_signal |
Deep nesting detected: detected, none |
uuid_subdomain_risk_signal |
UUID subdomain detected: detected, none |
subdomain_entropy |
Entropy score for subdomain randomness |
risk_breakdown_signals |
Contributing risk signals (comma-separated): new_domain, random_subdomain, uuid_subdomain, deep_nesting, poor_health, unknown_tld, common_provider, vpn, high_velocity |
risk_breakdown_failures |
Validation failures contributing to risk |
IP Analysis:
| Field | Description |
|---|---|
ipv4_provider |
IPv4 provider identification: aws, gcp_cloud, gcp_all, azure_public, azure_government, azure_china, cloudflare, digitalocean, linode, vultr, hetzner, oracle, ibm, fastly, bunny, zscaler, openai_chatgpt_user, openai_gpt_bot, openai_search_bot, mistral_user, unknown |
ipv6_provider |
IPv6 provider identification (same values as IPv4) |
vpn |
VPN/proxy detection status: detected, none |
Velocity Tracking:
| Field | Description |
|---|---|
emails_in_ip |
Array of email addresses validated from the same IP. Each entry contains email_address (string) and created_time (timestamp) |
total_email_in_ip |
Total count of email validations from this IP address across the entire project |
emails_in_ip_last_5_minutes |
Count of email validations from this IP in the last 5 minutes |
emails_in_ip_last_10_minutes |
Count of email validations from this IP in the last 10 minutes |
emails_in_ip_last_15_minutes |
Count of email validations from this IP in the last 15 minutes |
emails_in_ip_last_30_minutes |
Count of email validations from this IP in the last 30 minutes |
emails_in_ip_last_2_hour |
Count of email validations from this IP in the last 2 hours |
emails_in_ip_last_3_hour |
Count of email validations from this IP in the last 3 hours |
Examples
Basic Validation
curl -X POST https://api.autheona.com/v1/public/verify \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-d '{"email_address": "user@example.com"}'
Response:
{
"action": "allow"
}
Validation with Details
curl -X POST https://api.autheona.com/v1/public/verify \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-d '{
"email_address": "user@example.com",
"show_results": true,
"show_steps": true
}'
Response:
{
"action": "allow",
"is_free_provider_domain": false,
"is_role_based_domain": false,
"is_disposable_domain": false,
"is_known_abuse_domain": false,
"is_spam_trap_domain": false,
"is_education_domain": false,
"is_government_domain": false,
"has_multiple_emails_in_ip": false,
"steps": [
"structure",
"local_plus",
"local_dot",
"mx_record",
"disposable_domain",
"deliverability_score",
"domain_health"
],
"checked_types": [
"address_format",
"mx_record",
"disposable_domain"
],
"analyzed_data": {
"mx_record_count": "3",
"mx_record_status": "valid",
"a_record_fallback": "not_needed",
"domain_age_days": "168",
"domain_age_signal": "established",
"domain_health": "excellent",
"deliverability_score": "95",
"deliverability_mx_score": "35",
"deliverability_age_score": "20",
"deliverability_subdomain_score": "10",
"subdomain_count": "0"
}
}
Failed Validation
curl -X POST https://api.autheona.com/v1/public/verify \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-d '{
"email_address": "admin@tempmail.com",
"show_results": true
}'
Response:
{
"action": "block",
"errors": [
"invalid_address_format"
],
"checked_types": [
"address_format"
]
}
Typo Detection
curl -X POST https://api.autheona.com/v1/public/verify \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-d '{
"email_address": "user@gmial.com",
"show_results": true
}'
Response (with soft warning mode):
{
"action": "allow",
"corrected_email": "user@gmail.com",
"warnings": ["domain_typo_detected"],
"checked_types": ["typo_detection"]
}
Response (with hard block mode):
{
"action": "block",
"corrected_email": "user@gmail.com",
"errors": ["domain_typo_detected"],
"checked_types": ["typo_detection"]
}
Soft Check
curl -X POST https://api.autheona.com/v1/public/verify \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-d '{
"email_address": "user@example.com",
"soft_check": true
}'
Performs validation without storing domain information. Analytics data is still stored, but detailed domain data is not saved. Use this for preliminary checks where you don't need full domain tracking.
Risk Scoring
curl -X POST https://api.autheona.com/v1/public/verify \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-d '{
"email_address": "user@xk4j2.newdomain.xyz",
"show_results": true
}'
Response:
{
"action": "challenge",
"risk_score": 75,
"risk_level": "high",
"warnings": ["fraud_pattern_detected"],
"is_free_provider_domain": false,
"is_role_based_domain": false,
"is_disposable_domain": false,
"is_known_abuse_domain": false,
"is_spam_trap_domain": false,
"is_education_domain": false,
"is_government_domain": false,
"has_multiple_emails_in_ip": false,
"analyzed_data": {
"domain_age_days": "5",
"domain_age_signal": "new_domain",
"domain_health": "suspicious",
"random_subdomain_signal": "detected",
"subdomain_entropy": "high",
"risk_breakdown_signals": "new_domain,random_subdomain"
}
}
IP-Based Validation
curl -X POST https://api.autheona.com/v1/public/verify \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-d '{
"email_address": "user@example.com",
"ipv4_address": "1.2.3.4",
"show_results": true
}'
Response:
{
"action": "allow_with_review",
"warnings": ["vpn_detected"],
"is_free_provider_domain": true,
"is_role_based_domain": false,
"is_disposable_domain": false,
"is_known_abuse_domain": false,
"is_spam_trap_domain": false,
"is_education_domain": false,
"is_government_domain": false,
"has_multiple_emails_in_ip": false,
"analyzed_data": {
"ipv4_provider": "aws",
"vpn": "detected"
}
}
When an IP address is provided, the API performs additional checks:
- VPN/proxy detection
- Cloud provider identification (AWS, GCP, Azure, etc.)
- Bot detection (OpenAI, Mistral, etc.)
These checks contribute to the risk score and can trigger warnings for enhanced fraud prevention.
Velocity Tracking
curl -X POST https://api.autheona.com/v1/public/verify \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-d '{
"email_address": "test@test.com",
"ipv4_address": "203.0.113.42",
"show_results": true
}'
Response:
{
"action": "block",
"has_multiple_emails_in_ip": true,
"risk_score": 85,
"risk_level": "high",
"warnings": ["multiple_accounts_detected"],
"is_free_provider_domain": false,
"is_role_based_domain": false,
"is_disposable_domain": false,
"is_known_abuse_domain": false,
"is_spam_trap_domain": false,
"is_education_domain": false,
"is_government_domain": false,
"checked_types": [
"address_format",
"multiple_emails_in_ip",
"risk_score"
],
"analyzed_data": {
"emails_in_ip": [
{
"email_address": "user1@example.com",
"created_time": "2026-04-29 16:18:42 +0530"
},
{
"email_address": "user2@example.com",
"created_time": "2026-04-29 16:18:51 +0530"
},
{
"email_address": "user3@example.com",
"created_time": "2026-04-29 16:20:10 +0530"
},
{
"email_address": "admin@example.org",
"created_time": "2026-04-29 16:25:16 +0530"
},
{
"email_address": "contact@sample.com",
"created_time": "2026-04-29 16:30:12 +0530"
},
{
"email_address": "info@demo.net",
"created_time": "2026-04-29 16:34:01 +0530"
},
{
"email_address": "hello@placeholder.org",
"created_time": "2026-04-29 16:34:10 +0530"
},
{
"email_address": "support@testmail.com",
"created_time": "2026-04-29 16:34:25 +0530"
},
{
"email_address": "noreply@example.net",
"created_time": "2026-04-29 16:52:12 +0530"
},
{
"email_address": "webmaster@sample.org",
"created_time": "2026-04-29 16:52:19 +0530"
}
],
"total_email_in_ip": "10",
"emails_in_ip_last_5_minutes": "0",
"emails_in_ip_last_10_minutes": "0",
"emails_in_ip_last_15_minutes": "0",
"emails_in_ip_last_30_minutes": "0",
"emails_in_ip_last_2_hour": "10",
"emails_in_ip_last_3_hour": "10"
}
}
When velocity tracking is enabled, the API monitors multiple account attempts from the same IP address. This helps detect:
- Account creation abuse
- Automated bot attacks
- Fraudulent bulk registrations
The emails_in_ip array shows the complete history, while the time-based counters help identify burst patterns.
Error Responses
Bad Request (HTTP 400)
Returned when request parameters are invalid.
Internal Server Error (HTTP 500)
Returned when an unexpected error occurs:
{
"code": 500,
"error": "Error message describing what went wrong",
"id": "a7db4e2b-7bc1-4a82-bc19-4ff6a2e7f778",
"status": false
}
The id field contains a unique identifier for tracking the error.
Best Practices
- Use show_results sparingly - Only enable when you need detailed analysis to reduce response size and improve performance.
- Cache results - Cache validation results for frequently used domains to reduce API calls and stay within rate limits.
- Handle corrected emails - When typo detection returns a
corrected_emailfield, prompt users to correct their email before proceeding. - Use action field - The
actionfield provides recommended actions (allow,challenge,block, etc.) based on validation results and risk levels. Use this to implement appropriate user experiences. - Check classification flags - Use the
is_*boolean fields to understand what type of domain/address was detected. These flags are returned when their corresponding checks are enabled in your project rules. - Monitor velocity patterns - When Multiple Accounts from Same IP is enabled, use the
has_multiple_emails_in_ipflag and time-based counters to detect and prevent account creation abuse. - Interpret risk scores - Use risk scores for additional fraud checks and scoring, not as hard blocks on signups.
- Leverage IP validation - Include IP addresses in requests for enhanced fraud detection through VPN detection and provider identification.
- Test with sandbox - Use sandbox projects to test rule configurations before production. Sandbox calls don't count toward quota.
- Monitor soft checks - Use soft checks for non-critical validations where you don't need full domain tracking.
- Implement rate limit handling - Respect the 10 requests per second limit. Implement exponential backoff if you receive rate limit errors.
- Secure your tokens - Never expose access tokens in frontend code. Always call the API from your backend.
Response Time
Average response time is under 200ms. Response time may vary based on:
- Number of enabled validation rules
- DNS lookup requirements
- Domain age lookup requirements