--- title: "Trust Verification API" description: "Trust Verification API endpoint documentation for real-time email validation. Verify email addresses, detect typos, block disposable domains, check MX records, and calculate risk scores with comprehensive validation rules." keywords: "Trust Verification API, email validation endpoint, verify email api, email verification rest api, disposable email detection api, typo detection api, mx record validation, email risk scoring api, fraud detection api, email deliverability api" robots: index, follow permalink: /docs/api-reference/verification-api/ order: 2 category: API Reference layout: docs.html --- # Trust Verification API The Trust Verification API validates and analyzes email addresses in real-time based on your project's configured rules. > The response, validations, and internal behavior of this API always depend on the enabled project rules. You can read more about [project rules here](/docs/platform/rules/). ## Endpoint ``` https://api.autheona.com/v1/public/verify ``` ## Method ``` POST ``` ## Authentication All requests must include a Bearer token in the Authorization header: ``` Authorization: Bearer YOUR_ACCESS_TOKEN ``` Access tokens are created in your project settings. Each token is unique to a project. **Security Best Practices:** - Never expose tokens in client-side code - Store tokens securely using environment variables - Never commit tokens to version control - Rotate tokens periodically - Revoke compromised tokens immediately - Use separate tokens for different environments ## Request Headers ``` Content-Type: application/json Authorization: Bearer YOUR_ACCESS_TOKEN ``` ## Rate Limits Rate limits are enforced per access token: - **Limit**: 10 requests per second - **Window**: 1 second - **TTL**: 3 seconds If you exceed the rate limit, implement exponential backoff in your integration. ## Request Parameters ### Body Parameters (JSON) | Parameter | Type | Required | Description | |-----------|------|----------|-------------| | `email_address` | string | Yes | The email address to validate. | | `ipv4_address` | string | No | IPv4 address to perform IP-based validation checks | | `ipv6_address` | string | No | IPv6 address to perform IP-based validation checks | | `soft_check` | boolean | No | Perform validation without storing domain information. Analytics data is still stored. | | `show_results` | boolean | No | Include detailed errors, warnings, and analyzed data in response. | | `show_steps` | boolean | No | Include the list of validation steps executed. (For debugging) | **Sample Request Body:** ```json { "email_address": "test@test.com", "ipv4_address": "192.168.1.1", "ipv6_address": "2001:db8:3333:4444:5555:6666:7777:8888", "soft_check": false, "show_results": true, "show_steps": false } ``` ## Response ### Success Response (HTTP 200) ```json { "action": "allow", "errors": ["error_code"], "warnings": ["warning_code"], "risk_score": 15, "risk_level": "low", "risk_score_breakdown": {}, "corrected_email": "corrected@example.com", "punycode_email": "xn--example@domain.com", "is_free_provider_domain": false, "is_role_based_domain": false, "is_disposable_domain": false, "is_known_abuse_domain": false, "is_spam_trap_domain": false, "is_education_domain": false, "is_government_domain": false, "has_multiple_emails_in_ip": false, "steps": ["structure", "mx_record", "..."], "checked_types": ["mx_record", "disposable_domain"], "analyzed_data": {} } ``` ### Response Fields | Field | Type | Description | |-------|------|-------------| | `action` | string | Recommended action based on validation results: `allow`, `allow_with_verification`, `allow_with_review`, `warn`, `challenge`, `soft_block`, `quarantine`, `block`, or `none`. Always returned. | | `errors` | array | Error codes for failed validations. Returned when `show_results` is true. | | `warnings` | array | Warning codes for soft failures. Returned when `show_results` is true. | | `risk_score` | integer | Composite risk score from 0 (clean) to 100 (high risk). Returned when risk scoring is enabled. | | `risk_level` | string | Risk classification: `low`, `medium`, `high`, or `critical`. Returned when risk scoring is enabled and risk detected. | | `risk_score_breakdown` | object | Per-signal score contributions. Returned when enabled and available. | | `corrected_email` | string | Corrected email address if typo detected (e.g., `"user@gmail.com"`). Returned when applicable and `show_results` is true. | | `punycode_email` | string | Punycode representation of internationalized email address. Returned when applicable and `show_results` is true. | | `is_free_provider_domain` | boolean | Whether the domain is a known free email provider (Gmail, Yahoo, Outlook, etc.). Returned when the Free Provider Domain check is enabled. | | `is_role_based_domain` | boolean | Whether the local part is role-based (admin, support, info, etc.). Returned when the Role-based Domain check is enabled. | | `is_disposable_domain` | boolean | Whether the domain is a known disposable/temporary email provider. Returned when the Disposable Domain check is enabled. | | `is_known_abuse_domain` | boolean | Whether the domain is flagged as a source of abuse or spam. Returned when the Known Abuse Domain check is enabled. | | `is_spam_trap_domain` | boolean | Whether the domain is associated with known spam traps. Returned when the Spam Trap Domain check is enabled. | | `is_education_domain` | boolean | Whether the domain is a known educational institution. Returned when the Educational Domain check is enabled. | | `is_government_domain` | boolean | Whether the domain is a known government domain. Returned when the Government Domain check is enabled. | | `has_multiple_emails_in_ip` | boolean | Whether multiple email addresses have been validated from the same IP address. Returned when the Multiple Accounts from Same IP check is enabled. | | `steps` | array | List of validation steps executed. Returned when `show_steps` is true. | | `checked_types` | array | List of validation types that were checked. Returned when `show_results` is true. | | `analyzed_data` | object | Detailed analysis results. Returned when `show_results` is true. | ## Validation Steps When `show_steps` is true, the response includes which validation steps were executed: | Step | Description | | -- | -- | | `structure` | Basic email format validation | | `local_plus` | Plus addressing check (user+tag@example.com) | | `local_dot` | Dot variations check (u.s.e.r@example.com) | | `local_hyphen` | Hyphen in local part | | `local_underscore` | Underscore in local part | | `local_numeric` | Numeric local part | | `local_quoted` | Quoted local part | | `local_special_chars` | Special characters in local part | | `local_empty` | Empty local part check | | `subdomain_wildcard` | Wildcard subdomain check | | `subdomain_single` | Single subdomain level | | `subdomain_double` | Double subdomain level | | `subdomain_triple` | Triple subdomain level | | `subdomain_deeply_nested` | Deeply nested subdomains | | `subdomain_hyphenated` | Hyphenated subdomain | | `subdomain_numeric` | Numeric subdomain | | `subdomain_uuid_hash` | UUID/hash subdomain | | `uuid_subdomain` | UUID subdomain detection | | `random_subdomain` | Random subdomain detection | | `deep_nesting` | Deep nesting detection | | `domain_ipv4` | IPv4 address domain | | `domain_ipv6` | IPv6 address domain | | `ip_provider` | IP provider identification | | `domain_single_label` | Single-label domain | | `domain_numeric_only` | Numeric-only domain | | `internationalized_email` | Internationalized email check | | `punycode_email` | Punycode domain check | | `mixed_script_email` | Mixed script check | | `catch_all_wildcard` | Catch-all wildcard check | | `local_part_max_length` | Local part length validation | | `domain_max_length` | Domain length validation | | `total_address_length` | Total address length validation | | `label_max_length` | DNS label length validation | | `tld` | Top-level domain validation | | `free_provider_domain` | Free provider check | | `role_based_address` | Role-based address check | | `disposable_domain` | Disposable domain check | | `known_abuse_domain` | Known abuse domain check | | `spam_trap_domain` | Spam trap domain check | | `education_domain` | Educational domain check | | `government_domain` | Government domain check | | `specific_domains` | Specific domains allowlist check | | `mx_record` | MX record validation | | `fallback_a_record` | A record fallback check | | `typo_detection` | Domain typo detection | | `fraud_pattern_detection` | Fraud pattern detection | | `domain_age` | Domain age check | | `deliverability_score` | Deliverability score calculation | | `domain_health` | Domain health classification | | `risk_score` | Risk score calculation | | `vpn_ip` | VPN detection for IP addresses | | `ip_duplication` | IP address duplication check for velocity tracking | ## Error Codes When `show_results` is true and validation fails, error codes are returned: **Format Errors:** | Error | Description | | -- | -- | | `invalid_address_format` | Email format is invalid | | `local_is_empty` | Local part is empty | | `invalid_tld` | Top-level domain is invalid | **Local Part Errors:** | Error | Description | | -- | -- | | `local_contains_plus_symbol` | Plus addressing not allowed | | `local_contains_dot_variations` | Dot variations not allowed | | `local_contains_hyphen` | Hyphen not allowed | | `local_contains_underscore` | Underscore not allowed | | `local_is_numeric` | Numeric local part not allowed | | `local_is_quoted` | Quoted local part not allowed | | `local_contains_special_chars` | Special characters not allowed | | `local_part_exceeds_max_length` | Local part too long | **Subdomain Errors:** | Error | Description | | -- | -- | | `subdomain_contains_wildcard` | Wildcard subdomain not allowed | | `subdomain_single` | Single subdomain not allowed | | `subdomain_double` | Double subdomain not allowed | | `subdomain_triple` | Triple subdomain not allowed | | `subdomain_deeply_nested` | Too many subdomain levels | | `subdomain_contains_hyphen` | Hyphenated subdomain not allowed | | `subdomain_is_numeric` | Numeric subdomain not allowed | | `subdomain_contains_uuid_hash` | UUID/hash subdomain not allowed | **Domain Errors:** | Error | Description | | -- | -- | | `domain_is_ipv4_address` | IPv4 domain not allowed | | `domain_is_ipv6_address` | IPv6 domain not allowed | | `domain_is_single_label` | Single-label domain not allowed | | `domain_is_numeric_only` | Numeric-only domain not allowed | | `domain_exceeds_max_length` | Domain too long | | `total_address_exceeds_max_length` | Total address too long | | `label_exceeds_max_length` | DNS label too long | **Provider/Classification Errors:** - `not_in_specific_domains` - Not in allowed domains list **DNS Errors:** | Error | Description | | -- | -- | | `no_mx_records` | No MX records found | | `no_a_record` | No A record found (fallback) | **Detection Errors:** | Error | Description | | -- | -- | | `domain_typo_detected` | Domain typo detected (hard block) | | `fraud_pattern_detected` | Fraud pattern detected (hard block) | **Internationalization Errors:** | Error | Description | | -- | -- | | `email_is_internationalized` | Internationalized email not allowed | | `email_contains_punycode` | Punycode not allowed | | `email_is_mixed_script` | Mixed script not allowed | **Other Errors:** | Error | Description | | -- | -- | | `local_contains_catch_all_wildcard` | Catch-all wildcard not allowed | ## Warning Codes Warnings indicate soft failures that don't block validation: | Warning | Description | | -- | -- | | `domain_typo_detected` | Domain typo detected (soft warning) | | `fraud_pattern_detected` | Fraud pattern detected (soft warning) | | `common_provider_detected` | Common cloud provider detected (informational) | | `vpn_detected` | VPN/proxy IP address detected | ## Checked Types When `show_results` is true, the `checked_types` array indicates which validation types were performed: | Type | Description | | -- | -- | | `address_format` | Email address format validation | | `mx_record` | MX record check | | `disposable_domain` | Disposable domain check | | `role_based_address` | Role-based address check | | `free_provider_domain` | Free provider domain check | | `known_abuse_domain` | Known abuse domain check | | `spam_trap_domain` | Spam trap domain check | | `education_domain` | Educational domain check | | `government_domain` | Government domain check | | `typo_detection` | Domain typo detection | | `fraud_pattern_detection` | Fraud pattern detection | | `risk_score` | Risk scoring | | `multiple_emails_in_ip` | Multiple emails from same IP check | ## Analyzed Data Fields When `show_results` is true, the `analyzed_data` object may include: **DNS Information:** | Field | Description | | -- | -- | | `mx_record_count` | Number of MX records found | | `mx_record_status` | MX record status: `valid`, `invalid`, `not_checked` | | `a_record_fallback` | A record fallback status: `valid`, `not_needed`, `invalid` | | `a_record_count` | Number of A records | | `aaaa_record_count` | Number of AAAA records | **Domain Analysis:** | Field | Description | | -- | -- | | `domain_age_days` | Age of domain in days | | `domain_age_signal` | Domain age classification: `established`, `new_domain`, `unknown` | | `domain_health` | Health classification: `excellent`, `healthy`, `risky`, `suspicious`, `dead`, or `unknown` | | `subdomain_count` | Number of subdomain levels | | `nesting_depth` | Subdomain nesting depth | **Deliverability Scores:** | Field | Description | | -- | -- | | `deliverability_score` | Overall deliverability score (0-100) | | `deliverability_mx_score` | MX contribution to deliverability | | `deliverability_age_score` | Domain age contribution | | `deliverability_subdomain_score` | Subdomain contribution | | `deliverability_a_score` | A record contribution | **Risk Detection:** | Field | Description | | -- | -- | | `risk_score` | Overall risk score (0-100) | | `risk_level` | Risk classification: `low`, `medium`, `high`, `critical` | | `random_subdomain_signal` | Random subdomain detected: `detected`, `none` | | `deep_nesting_risk_signal` | Deep nesting detected: `detected`, `none` | | `uuid_subdomain_risk_signal` | UUID subdomain detected: `detected`, `none` | | `subdomain_entropy` | Entropy score for subdomain randomness | | `risk_breakdown_signals` | Contributing risk signals (comma-separated): `new_domain`, `random_subdomain`, `uuid_subdomain`, `deep_nesting`, `poor_health`, `unknown_tld`, `common_provider`, `vpn`, `high_velocity` | | `risk_breakdown_failures` | Validation failures contributing to risk | **IP Analysis:** | Field | Description | | -- | -- | | `ipv4_provider` | IPv4 provider identification: `aws`, `gcp_cloud`, `gcp_all`, `azure_public`, `azure_government`, `azure_china`, `cloudflare`, `digitalocean`, `linode`, `vultr`, `hetzner`, `oracle`, `ibm`, `fastly`, `bunny`, `zscaler`, `openai_chatgpt_user`, `openai_gpt_bot`, `openai_search_bot`, `mistral_user`, `unknown` | | `ipv6_provider` | IPv6 provider identification (same values as IPv4) | | `vpn` | VPN/proxy detection status: `detected`, `none` | **Velocity Tracking:** | Field | Description | | -- | -- | | `emails_in_ip` | Array of email addresses validated from the same IP. Each entry contains `email_address` (string) and `created_time` (timestamp) | | `total_email_in_ip` | Total count of email validations from this IP address across the entire project | | `emails_in_ip_last_5_minutes` | Count of email validations from this IP in the last 5 minutes | | `emails_in_ip_last_10_minutes` | Count of email validations from this IP in the last 10 minutes | | `emails_in_ip_last_15_minutes` | Count of email validations from this IP in the last 15 minutes | | `emails_in_ip_last_30_minutes` | Count of email validations from this IP in the last 30 minutes | | `emails_in_ip_last_2_hour` | Count of email validations from this IP in the last 2 hours | | `emails_in_ip_last_3_hour` | Count of email validations from this IP in the last 3 hours | ## Examples ### Basic Validation ```bash curl -X POST https://api.autheona.com/v1/public/verify \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \ -d '{"email_address": "user@example.com"}' ``` **Response:** ```json { "action": "allow" } ``` ### Validation with Details ```bash curl -X POST https://api.autheona.com/v1/public/verify \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \ -d '{ "email_address": "user@example.com", "show_results": true, "show_steps": true }' ``` **Response:** ```json { "action": "allow", "is_free_provider_domain": false, "is_role_based_domain": false, "is_disposable_domain": false, "is_known_abuse_domain": false, "is_spam_trap_domain": false, "is_education_domain": false, "is_government_domain": false, "has_multiple_emails_in_ip": false, "steps": [ "structure", "local_plus", "local_dot", "mx_record", "disposable_domain", "deliverability_score", "domain_health" ], "checked_types": [ "address_format", "mx_record", "disposable_domain" ], "analyzed_data": { "mx_record_count": "3", "mx_record_status": "valid", "a_record_fallback": "not_needed", "domain_age_days": "168", "domain_age_signal": "established", "domain_health": "excellent", "deliverability_score": "95", "deliverability_mx_score": "35", "deliverability_age_score": "20", "deliverability_subdomain_score": "10", "subdomain_count": "0" } } ``` ### Failed Validation ```bash curl -X POST https://api.autheona.com/v1/public/verify \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \ -d '{ "email_address": "admin@tempmail.com", "show_results": true }' ``` **Response:** ```json { "action": "block", "errors": [ "invalid_address_format" ], "checked_types": [ "address_format" ] } ``` ### Typo Detection ```bash curl -X POST https://api.autheona.com/v1/public/verify \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \ -d '{ "email_address": "user@gmial.com", "show_results": true }' ``` **Response (with soft warning mode):** ```json { "action": "allow", "corrected_email": "user@gmail.com", "warnings": ["domain_typo_detected"], "checked_types": ["typo_detection"] } ``` **Response (with hard block mode):** ```json { "action": "block", "corrected_email": "user@gmail.com", "errors": ["domain_typo_detected"], "checked_types": ["typo_detection"] } ``` ### Soft Check ```bash curl -X POST https://api.autheona.com/v1/public/verify \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \ -d '{ "email_address": "user@example.com", "soft_check": true }' ``` Performs validation without storing domain information. Analytics data is still stored, but detailed domain data is not saved. Use this for preliminary checks where you don't need full domain tracking. ### Risk Scoring ```bash curl -X POST https://api.autheona.com/v1/public/verify \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \ -d '{ "email_address": "user@xk4j2.newdomain.xyz", "show_results": true }' ``` **Response:** ```json { "action": "challenge", "risk_score": 75, "risk_level": "high", "warnings": ["fraud_pattern_detected"], "is_free_provider_domain": false, "is_role_based_domain": false, "is_disposable_domain": false, "is_known_abuse_domain": false, "is_spam_trap_domain": false, "is_education_domain": false, "is_government_domain": false, "has_multiple_emails_in_ip": false, "analyzed_data": { "domain_age_days": "5", "domain_age_signal": "new_domain", "domain_health": "suspicious", "random_subdomain_signal": "detected", "subdomain_entropy": "high", "risk_breakdown_signals": "new_domain,random_subdomain" } } ``` ### IP-Based Validation ```bash curl -X POST https://api.autheona.com/v1/public/verify \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \ -d '{ "email_address": "user@example.com", "ipv4_address": "1.2.3.4", "show_results": true }' ``` **Response:** ```json { "action": "allow_with_review", "warnings": ["vpn_detected"], "is_free_provider_domain": true, "is_role_based_domain": false, "is_disposable_domain": false, "is_known_abuse_domain": false, "is_spam_trap_domain": false, "is_education_domain": false, "is_government_domain": false, "has_multiple_emails_in_ip": false, "analyzed_data": { "ipv4_provider": "aws", "vpn": "detected" } } ``` When an IP address is provided, the API performs additional checks: - VPN/proxy detection - Cloud provider identification (AWS, GCP, Azure, etc.) - Bot detection (OpenAI, Mistral, etc.) These checks contribute to the risk score and can trigger warnings for enhanced fraud prevention. ### Velocity Tracking ```bash curl -X POST https://api.autheona.com/v1/public/verify \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \ -d '{ "email_address": "test@test.com", "ipv4_address": "203.0.113.42", "show_results": true }' ``` **Response:** ```json { "action": "block", "has_multiple_emails_in_ip": true, "risk_score": 85, "risk_level": "high", "warnings": ["multiple_accounts_detected"], "is_free_provider_domain": false, "is_role_based_domain": false, "is_disposable_domain": false, "is_known_abuse_domain": false, "is_spam_trap_domain": false, "is_education_domain": false, "is_government_domain": false, "checked_types": [ "address_format", "multiple_emails_in_ip", "risk_score" ], "analyzed_data": { "emails_in_ip": [ { "email_address": "user1@example.com", "created_time": "2026-04-29 16:18:42 +0530" }, { "email_address": "user2@example.com", "created_time": "2026-04-29 16:18:51 +0530" }, { "email_address": "user3@example.com", "created_time": "2026-04-29 16:20:10 +0530" }, { "email_address": "admin@example.org", "created_time": "2026-04-29 16:25:16 +0530" }, { "email_address": "contact@sample.com", "created_time": "2026-04-29 16:30:12 +0530" }, { "email_address": "info@demo.net", "created_time": "2026-04-29 16:34:01 +0530" }, { "email_address": "hello@placeholder.org", "created_time": "2026-04-29 16:34:10 +0530" }, { "email_address": "support@testmail.com", "created_time": "2026-04-29 16:34:25 +0530" }, { "email_address": "noreply@example.net", "created_time": "2026-04-29 16:52:12 +0530" }, { "email_address": "webmaster@sample.org", "created_time": "2026-04-29 16:52:19 +0530" } ], "total_email_in_ip": "10", "emails_in_ip_last_5_minutes": "0", "emails_in_ip_last_10_minutes": "0", "emails_in_ip_last_15_minutes": "0", "emails_in_ip_last_30_minutes": "0", "emails_in_ip_last_2_hour": "10", "emails_in_ip_last_3_hour": "10" } } ``` When velocity tracking is enabled, the API monitors multiple account attempts from the same IP address. This helps detect: - Account creation abuse - Automated bot attacks - Fraudulent bulk registrations The `emails_in_ip` array shows the complete history, while the time-based counters help identify burst patterns. ## Error Responses ### Bad Request (HTTP 400) Returned when request parameters are invalid. ### Internal Server Error (HTTP 500) Returned when an unexpected error occurs: ```json { "code": 500, "error": "Error message describing what went wrong", "id": "a7db4e2b-7bc1-4a82-bc19-4ff6a2e7f778", "status": false } ``` The `id` field contains a unique identifier for tracking the error. ## Best Practices - **Use show_results sparingly** - Only enable when you need detailed analysis to reduce response size and improve performance. - **Cache results** - Cache validation results for frequently used domains to reduce API calls and stay within rate limits. - **Handle corrected emails** - When typo detection returns a `corrected_email` field, prompt users to correct their email before proceeding. - **Use action field** - The `action` field provides recommended actions (`allow`, `challenge`, `block`, etc.) based on validation results and risk levels. Use this to implement appropriate user experiences. - **Check classification flags** - Use the `is_*` boolean fields to understand what type of domain/address was detected. These flags are returned when their corresponding checks are enabled in your project rules. - **Monitor velocity patterns** - When Multiple Accounts from Same IP is enabled, use the `has_multiple_emails_in_ip` flag and time-based counters to detect and prevent account creation abuse. - **Interpret risk scores** - Use risk scores for additional fraud checks and scoring, not as hard blocks on signups. - **Leverage IP validation** - Include IP addresses in requests for enhanced fraud detection through VPN detection and provider identification. - **Test with sandbox** - Use sandbox projects to test rule configurations before production. Sandbox calls don't count toward quota. - **Monitor soft checks** - Use soft checks for non-critical validations where you don't need full domain tracking. - **Implement rate limit handling** - Respect the 10 requests per second limit. Implement exponential backoff if you receive rate limit errors. - **Secure your tokens** - Never expose access tokens in frontend code. Always call the API from your backend. ## Response Time Average response time is under 200ms. Response time may vary based on: - Number of enabled validation rules - DNS lookup requirements - Domain age lookup requirements