---
title: Fraud Prevention — Data API
---

# Fraud Prevention Data API

The Data API is the server-side counterpart to the [Web SDK](./web-sdk). Use it to
pull verdicts, aggregate statistics, and export data for **reporting and
reconciliation** — pulling the numbers your own systems agree on.

## Base URL

```
https://apiv1.captcha.la
```

## Authentication

All Data API requests are authenticated with your Fraud Prevention application
credentials, sent as headers:

```
X-App-Key:    YOUR_APP_KEY
X-App-Secret: YOUR_APP_SECRET
```

::: warning
`X-App-Secret` is **server-side only**. Never expose it to browsers, mobile apps,
or public repositories. The page SDK only ever uses the public `appKey`.
:::

## Endpoints

### Fetch a verdict

Retrieve the verdict for a single visit (e.g. to reconcile a specific visit).

```bash
GET /v1/bot/verdict?cid=CID_OF_THE_VISIT
X-App-Key: YOUR_APP_KEY
X-App-Secret: YOUR_APP_SECRET
```

The response `data` is a [`BotVerdict`](./verdict-reference) object:

```json
{
  "code": 0,
  "data": {
    "is_bot": true,
    "score": 87,
    "level": "high",
    "action": "flag",
    "consistency": { "ok": false },
    "degraded": false
  }
}
```

### Aggregated stats

Pull bucketed counts over a time range — totals, bot share, and the breakdown by
`action`/`level` — for dashboards and quality reports.

```bash
GET /v1/bot/stats?from=2026-06-01&to=2026-06-30
X-App-Key: YOUR_APP_KEY
X-App-Secret: YOUR_APP_SECRET
```

```json
{
  "code": 0,
  "data": {
    "from": "2026-06-01",
    "to": "2026-06-30",
    "total": 124500,
    "bots": 18230,
    "bot_rate": 0.146,
    "by_action": { "record_only": 102100, "flag": 19800, "challenge": 2600 },
    "by_level":  { "low": 100300, "medium": 16900, "high": 6200, "critical": 1100 }
  }
}
```

### Export

Export per-visit verdict rows for a time range, for offline reconciliation.

```bash
GET /v1/bot/export?from=2026-06-01&to=2026-06-30&format=csv
X-App-Key: YOUR_APP_KEY
X-App-Secret: YOUR_APP_SECRET
```

Each row carries the visit's identifier, timestamp, and verdict fields
(`is_bot`, `score`, `level`, `action`), so you can join it back to your own logs.

::: tip Per-click reconciliation
For paid-traffic scenarios, a single visit can be tied back to a specific delivered
click so two parties can settle on it. That uses a click token and is covered in the
[Ad fraud](./scenarios/ad-fraud) guide.
:::

## Next steps

- [Verdict Reference](./verdict-reference) — the fields returned by these endpoints
- [Web SDK](./web-sdk) — collect verdicts on your page