Fraud Prevention Data API
The Data API is the server-side counterpart to the Web SDK. Use it to pull verdicts, aggregate statistics, and export data for billing, settlement, and reconciliation — the numbers advertisers and traffic providers agree on.
Base URL
https://apiv1.captcha.laAuthentication
All Data API requests are authenticated with your Fraud Prevention application credentials, sent as headers:
X-App-Key: YOUR_AD_APP_KEY
X-App-Secret: YOUR_AD_APP_SECRETWARNING
X-App-Secret is server-side only. Never expose it to browsers, mobile apps, or public repositories. The landing-page SDK only ever uses the public appKey.
Endpoints
Fetch a verdict
Retrieve the verdict for a single visit (e.g. to reconcile a specific click).
GET /v1/bot/verdict?click_token=ct_xxx
X-App-Key: YOUR_AD_APP_KEY
X-App-Secret: YOUR_AD_APP_SECRETThe response data is a BotVerdict object:
{
"code": 0,
"data": {
"is_bot": true,
"score": 87,
"level": "high",
"action": "flag",
"consistency": { "ok": false },
"degraded": false
}
}Aggregated stats
Pull bucketed counts over a time range — totals, bot share, and the breakdown by action/level — for dashboards and quality reports.
GET /v1/bot/stats?from=2026-06-01&to=2026-06-30
X-App-Key: YOUR_AD_APP_KEY
X-App-Secret: YOUR_AD_APP_SECRET{
"code": 0,
"data": {
"from": "2026-06-01",
"to": "2026-06-30",
"total": 124500,
"bots": 18230,
"bot_rate": 0.146,
"by_action": { "record_only": 102100, "flag": 19800, "challenge": 2600 },
"by_level": { "low": 100300, "medium": 16900, "high": 6200, "critical": 1100 }
}
}Export
Export per-visit verdict rows for a time range, for offline reconciliation and settlement. Suitable for feeding into your billing pipeline.
GET /v1/bot/export?from=2026-06-01&to=2026-06-30&format=csv
X-App-Key: YOUR_AD_APP_KEY
X-App-Secret: YOUR_AD_APP_SECRETEach row carries the visit's click_token (when present), timestamp, and verdict fields (is_bot, score, level, action), so you can join it back to your own click logs.
Click tokens
A click token ties a traffic provider's delivered click to the verdict the visit ultimately receives. This is what lets advertisers and providers settle on an independent, per-click human/bot conclusion.
The flow:
Issue — the traffic provider obtains a signed click token (one per click) when it routes a visitor toward the advertiser's landing page.
Carry it on the destination URL — append the issued token to the landing URL as a query parameter:
https://advertiser.example/lp?click_token=ct_xxxxxxxxRead it on the page — the Web SDK reads the token from the URL automatically. If you use a different parameter name, set
tokenParam:jsBotSignal.init({ appKey: 'YOUR_AD_APP_KEY', tokenParam: 'click_token' });Reconcile — look the click up later via
GET /v1/bot/verdict?click_token=…or in theexport, and join it back to the provider's delivery report.
INFO
The token is already signed when it is issued to you — you only need to carry it through to the landing URL. There is nothing to sign or compute on your side.
Next steps
- Verdict Reference — the fields returned by these endpoints
- Web SDK — collect verdicts on the landing page