API Documentation

Quick Start

Base URL: https://api.blackicehq.com
Authentication: X-API-Key header
curl -X POST https://api.blackicehq.com/analyze \ -H "Content-Type: application/json" \ -H "X-API-Key: your_api_key" \ -d '{"events":[{"user_id":"usr-001","timestamp":"2026-03-19T01:30:00Z","ip_address":"185.220.101.5","action":"login"}]}'

Endpoints

POST /analyze

Main fraud detection endpoint
{ "events": [EventObject] }
EventObject fields:
Response: summary, results[], usage

POST /access/request

Request API key
{ "email": "...", "first_name": "...", "last_name": "...", "company": "...", "job_title": "...", "company_size": "...", "industry": "...", "use_case": "..." }

POST /api/verify-token

Verify sandbox token
{ "token": "your_token" }

Detection Rules

RuleWeightDescription
session_hijack0.85IP or device changed mid-session
impossible_travel0.80Geographically impossible location change
tor_exit0.75Connection via TOR anonymous network
ip_reuse0.70One IP used by multiple accounts
device_reuse0.70One device used by multiple accounts
repeated_failure0.65Multiple failed login attempts
login_payment_pattern0.65Login immediately followed by payment
velocity_spike0.55Unusually high action frequency
multiple_ips0.45Multiple IPs for single user
low_and_slow0.45Rare distributed actions over time
geo_ip_mismatch0.50IP country ≠ profile country
suspicious_hour0.25Activity between 1AM-5AM UTC
new_device0.20Unrecognized device

Response Format

{ "verdict": "block", "risk_score": 0.94, "rules_fired": ["session_hijack", "tor_exit"], "evidence_list": [ "IP changed mid-session", "Connection via TOR exit node" ], "narrative": "Session hijack detected: user logged in from a new device and TOR network." }

Verdict Thresholds

Trial Limits

Real-time Event API

For real-time per-event detection use POST /event instead of batch /analyze.

POST /event

curl -X POST https://api.blackicehq.com/event \
  -H "Content-Type: application/json" \
  -H "X-API-Key: your_api_key" \
  -d '{
    "user_id": "usr-001",
    "timestamp": "2026-03-19T01:30:00Z",
    "ip_address": "185.220.101.5",
    "action": "login",
    "device_id": "dev-abc",
    "session_id": "sess-xyz"
  }'

Response:

{
  "user_id": "usr-001",
  "verdict": "block",
  "risk_score": 0.94,
  "rules_fired": ["tor_exit", "suspicious_hour"],
  "action": "block",
  "narrative": { "conclusion": "Account likely compromised" }
}

Verdict → Action mapping: allow → allow, stepup → challenge, block → block

Webhooks

Register a URL to receive push notifications when fraud is detected.

POST /webhooks

curl -X POST https://api.blackicehq.com/webhooks \
  -H "X-API-Key: your_api_key" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://yourapp.com/webhook","secret":"your_secret","events":"block,stepup"}'

GET /webhooks

curl https://api.blackicehq.com/webhooks -H "X-API-Key: your_api_key"

DELETE /webhooks/{id}

curl -X DELETE https://api.blackicehq.com/webhooks/1 -H "X-API-Key: your_api_key"

Webhook payload

{"event":"fraud_detected","verdict":"block","user_id":"usr-001","risk_score":0.94,"rules_fired":["impossible_travel","tor_exit"],"timestamp":"2026-03-19T01:30:00Z"}

Signature verification

If you set a secret, each request includes X-BlackIce-Signature: sha256=...

Contact: blackicehq@proton.me