10001 with a message that the PIN doesn't match. You may also see flow activity related to AuthFinishStep, such as ProveAuth.builder().withAuthFinishStep(...), that looks like an unexpected redirect.
This behavior is **expected**. Do **not** add your own follow-up call to OtpFinishStep.execute to pass the error in otpException. The SDK invokes OtpFinishStep.execute when a retry or error UI is needed.
Your app should implement the required step interfaces, but the Prove client SDK orchestrates when each step runs. Don't duplicate that orchestration in application code.
10001 with a message that the PIN does not match). You may also see flow activity related to AuthFinishStep (the handler you pass to ProveAuth.builder(authFinish:)) that looks like an unexpected redirect.
This behavior is **expected**. Do **not** add your own follow-up call to OtpFinishStep to pass the validation error in otpError. The SDK invokes OtpFinishStep.execute(otpError:callback:) when a retry or error UI is needed.
Your app should implement the required step protocols, but the Prove client SDK orchestrates when each step runs. Do not duplicate that orchestration in application code.
AuthFinishStep that looks unexpected. This behavior is **expected**.
Do **not** add your own extra invocation of the OTP finish step to pass the error in otpError. The SDK runs your OtpFinishStep when retry or error UI is needed.
Implement the required step functions, but let the Prove client SDK orchestrate when each step runs.
10001 with a message that the PIN doesn't match. You may also see flow activity related to AuthFinishStep, such as ProveAuth.builder().withAuthFinishStep(...), that looks like an unexpected redirect.
This behavior is **expected**. Do **not** add your own follow-up call to OtpFinishStep.execute to pass the error in otpException. The SDK invokes OtpFinishStep.execute when a retry or error UI is needed.
Your app should implement the required step interfaces, but the Prove client SDK orchestrates when each step runs. Don't duplicate that orchestration in application code.
10001 with a message that the PIN does not match). You may also see flow activity related to AuthFinishStep (the handler you pass to ProveAuth.builder(authFinish:)) that looks like an unexpected redirect.
This behavior is **expected**. Do **not** add your own follow-up call to OtpFinishStep to pass the validation error in otpError. The SDK invokes OtpFinishStep.execute(otpError:callback:) when a retry or error UI is needed.
Your app should implement the required step protocols, but the Prove client SDK orchestrates when each step runs. Do not duplicate that orchestration in application code.
AuthFinishStep that looks unexpected. This behavior is **expected**.
Do **not** add your own extra invocation of the OTP finish step to pass the error in otpError. The SDK runs your OtpFinishStep when retry or error UI is needed.
Implement the required step functions, but let the Prove client SDK orchestrate when each step runs.
10001 with a message that the PIN doesn't match. You may also see flow activity related to AuthFinishStep, such as ProveAuth.builder().withAuthFinishStep(...), that looks like an unexpected redirect.
This behavior is **expected**. Do **not** add your own follow-up call to OtpFinishStep.execute to pass the error in otpException. The SDK invokes OtpFinishStep.execute when a retry or error UI is needed.
Your app should implement the required step interfaces, but the Prove client SDK orchestrates when each step runs. Don't duplicate that orchestration in application code.
10001 with a message that the PIN does not match). You may also see flow activity related to AuthFinishStep (the handler you pass to ProveAuth.builder(authFinish:)) that looks like an unexpected redirect.
This behavior is **expected**. Do **not** add your own follow-up call to OtpFinishStep to pass the validation error in otpError. The SDK invokes OtpFinishStep.execute(otpError:callback:) when a retry or error UI is needed.
Your app should implement the required step protocols, but the Prove client SDK orchestrates when each step runs. Do not duplicate that orchestration in application code.
AuthFinishStep that looks unexpected. This behavior is **expected**.
Do **not** add your own extra invocation of the OTP finish step to pass the error in otpError. The SDK runs your OtpFinishStep when retry or error UI is needed.
Implement the required step functions, but let the Prove client SDK orchestrate when each step runs.
10001 with a message that the PIN doesn't match. You may also see flow activity related to AuthFinishStep, such as ProveAuth.builder().withAuthFinishStep(...), that looks like an unexpected redirect.
This behavior is **expected**. Do **not** add your own follow-up call to OtpFinishStep.execute to pass the error in otpException. The SDK invokes OtpFinishStep.execute when a retry or error UI is needed.
Your app should implement the required step interfaces, but the Prove client SDK orchestrates when each step runs. Don't duplicate that orchestration in application code.
10001 with a message that the PIN does not match). You may also see flow activity related to AuthFinishStep (the handler you pass to ProveAuth.builder(authFinish:)) that looks like an unexpected redirect.
This behavior is **expected**. Do **not** add your own follow-up call to OtpFinishStep to pass the validation error in otpError. The SDK invokes OtpFinishStep.execute(otpError:callback:) when a retry or error UI is needed.
Your app should implement the required step protocols, but the Prove client SDK orchestrates when each step runs. Do not duplicate that orchestration in application code.
AuthFinishStep that looks unexpected. This behavior is **expected**.
Do **not** add your own extra invocation of the OTP finish step to pass the error in otpError. The SDK runs your OtpFinishStep when retry or error UI is needed.
Implement the required step functions, but let the Prove client SDK orchestrate when each step runs.
10001 with a message that the PIN doesn't match. You may also see flow activity related to AuthFinishStep, such as ProveAuth.builder().withAuthFinishStep(...), that looks like an unexpected redirect.
This behavior is **expected**. Do **not** add your own follow-up call to OtpFinishStep.execute to pass the error in otpException. The SDK invokes OtpFinishStep.execute when a retry or error UI is needed.
Your app should implement the required step interfaces, but the Prove client SDK orchestrates when each step runs. Don't duplicate that orchestration in application code.
10001 with a message that the PIN does not match). You may also see flow activity related to AuthFinishStep (the handler you pass to ProveAuth.builder(authFinish:)) that looks like an unexpected redirect.
This behavior is **expected**. Do **not** add your own follow-up call to OtpFinishStep to pass the validation error in otpError. The SDK invokes OtpFinishStep.execute(otpError:callback:) when a retry or error UI is needed.
Your app should implement the required step protocols, but the Prove client SDK orchestrates when each step runs. Do not duplicate that orchestration in application code.
AuthFinishStep that looks unexpected. This behavior is **expected**.
Do **not** add your own extra invocation of the OTP finish step to pass the error in otpError. The SDK runs your OtpFinishStep when retry or error UI is needed.
Implement the required step functions, but let the Prove client SDK orchestrate when each step runs.
Documentation
Explore our guides and examples to integrate Prove.
Explore Our Solutions
"Last 4 SSN/ITIN"
"SSN/ITIN"
"MM/DD/YYYY"
"MM/YYYY"
"MM/DD" | Last 4 SSN/ITIN
Full SSN\*
Full DOB
DOB - Month and Year
DOB - Month and Day
**If the customer is applying to open a demand deposit account (DDA), the customer must enter their full social security number (SSN) for the challenge.** | | Prove Pre-Fill with KYC | "Full SSN/ITIN" | Full SSN | # Challenge page requirements - when Mobile Auth℠ fails Source: https://developer.prove.com/reference/challenge-page-requirements-when-mobile-authsm-fails Required page summary copy and challenge-field options for the Challenge step when Mobile Auth℠ does not succeed or when using the Desktop authentication flow (Pre-Fill for Consumers). ## Scope Required UI copy and challenge-field rules for the **Challenge** screen when the customer does not complete **Mobile Auth℠** successfully or uses the **Desktop** authentication flow in Pre-Fill for Consumers.
"Last 4 SSN/ITIN"
"SSN/ITIN"
"MM/DD/YYYY"
"MM/YYYY"
"MM/DD" | Last 4 SSN/ITIN
Full SSN\*
Full DOB
DOB - Month and Year
DOB - Month and Day
**If the customer is applying to open a demand deposit account (DDA), the customer must enter their full social security number (SSN) for the challenge.** | | Prove Pre-Fill with KYC | "Full SSN/ITIN" | Full SSN | # Discover Identity Attributes Source: https://developer.prove.com/reference/discover-request openapi-discover-fetch.yaml get /v3/discover Discover which identity attributes (e.g., walletID, email) are available for a given ProveID. This endpoint returns a list of attribute IDs and their corresponding issuer IDs, which can then be used to fetch actual attribute values in the /v3/fetch endpoint. # Fetch Identity Attributes Source: https://developer.prove.com/reference/fetch-request openapi-discover-fetch.yaml get /v3/fetch Fetch actual identity attribute values (e.g., walletID) based on the customer ProveID and attribute UUID. # Global fraud policy Source: https://developer.prove.com/reference/global-fraud-policy Evaluation categories and failure reason codes in the evaluation object on Prove Platform API responses. ## Definition The **Global Fraud Policy (GFP)** drives pass/fail outcomes and machine-readable failure reasons in the **`evaluation`** object returned by Prove Platform APIs (for example [`POST /v3/complete`](/reference/complete-request)). GFP classifies each transaction into one or more of the following categories: | Category | Evaluates | | :------------- | :----------------------------------------------------------------------------------------------------- | | Identification | Consistency of personal details (for example name, address, date of birth, national identifier). | | Authentication | Whether the claimant matches the identity and phone possession signals. | | Compliance | Regulatory and program requirements for the industry and use case. | | Risk | Factors outside identification and authentication (for example behavioral or carrier-related signals). | ## Response examples Representative **`evaluation`** payloads from **`POST /v3/complete`**. **Pass** ```json theme={"dark"} { "success": true, "next": { "done": "done" }, "evaluation": { "authentication": { "result": "pass" }, "identification": { "result": "pass" } } } ``` **Fail** (with `failureReasons`) ```json theme={"dark"} { "success": false, "next": { "done": "done" }, "evaluation": { "authentication": { "result": "fail", "failureReasons": { "9161": "Very short tenure association between phone number and identity.", "9171": "Potential injection attack due to 2 identities both with short tenure association to the phone number.", "9180": "No phone ownership confirmed using 4 elements." } }, "identification": { "result": "fail", "failureReasons": { "9001": "Identification isn't confirmed using 4 elements." } } } } ``` ## Failure reason codes | Code | Category | Description | | :--- | :------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------- | | 9001 | Identification | Identification isn't confirmed using 4 elements. | | 9003 | Identification | Identity isn't found | | 9004 | Identification | Identification isn't confirmed using 4 elements with secondary source. | | 9005 | Identification | Identification isn't confirmed using 4 elements with more than 1 source. | | 9011 | Identification | Identification isn't confirmed using less than 4 elements. | | 9012 | Identification | SSN doesn't match. | | 9013 | Identification | Birth Date doesn't match. | | 9014 | Identification | Name doesn't match. | | 9015 | Identification | Address doesn't match. | | 9081 | Identification | SSN is issued before the birth date. | | 9082 | Identification | Address is a correctional facility. | | 9083 | Identification | Deceased indicator is present for individual. | | 9100 | Authentication | Phone possession incomplete. Occurs when `/validate` is called before the Mobile Auth or OTP possession flow completes. | | 9101 | Authentication | Phone number doesn't match Prove Key. Rebind required. | | 9131 | Authentication | Indicates the phone number is at a higher risk for fraud due to being listed as a non-mobile line on the Override Services Registry (OSR). | | 9132 | Authentication | This phone number is listed on a public website with the contents of its text messages posted publicly to allow a user to bypass phone possession check controls. | | 9133 | Authentication | The phone isn't trusted based on the SIM Key Trust Score. | | 9134 | Authentication | The phone isn't trusted because it's a non-fixed VoIP number. | | 9135 | Authentication | Potential account takeover (ATO) due to recent SIM Swap under 24 hours. | | 9136 | Authentication | Potential ATO due to recent Port under 24 hours. | | 9137 | Authentication | Potential ATO due to call forwarding enabled for phone number. | | 9161 | Authentication | Short tenure association between phone number and identity. | | 9162 | Authentication | Short tenure association between phone number and identity. | | 9163 | Authentication | Potential recycled phone fraud due to a high number of identities associated to phone number with a newer owner present. | | 9164 | Authentication | Potential recycled phone fraud due to identity having no recent association to phone number and a phone disconnect event is observed after the phone association. | | 9165 | Authentication | Potential recycled phone fraud due to a newer owner observed and a phone disconnect event is observed after the phone association. | | 9166 | Authentication | Address is a correctional facility. | | 9167 | Authentication | Deceased indicator is present for individual. | | 9168 | Authentication | Person verification was performed indicating phone ownership isn't verified | | 9171 | Authentication | Potential injection attack due to 2 identities both with short tenure association to the phone number. | | 9172 | Authentication | Potential injection attack due to 3 identities all with short tenure association to the phone number. | | 9173 | Authentication | Potential injection attack due to 4 identities all with short tenure association to the phone number. | | 9174 | Authentication | Potential injection attack due to 5 or more identities all with short tenure association to the phone number. | | 9175 | Authentication | No active identity can be associated with the phone number. | | 9176 | Authentication | The phone number and identity is strongly associated negative bot activity. | | 9177 | Authentication | No information can be found for the identity or phone number. | | 9180 | Authentication | No phone ownership confirmed using 4 elements. | | 9181 | Authentication | No phone ownership confirmed using less than 4 elements | | 9201 | Compliance | Anti-Money Laundering (AML) alerts are present for this identity. | | 9301 | Risk | No historical behavioral activity. | | 9302 | Risk | Suspicious large amount recent of activity. | | 9303 | Risk | Unusual amount of recent carrier phone number change events. | | 9304 | Risk | Suspicious large amount recent of activity across different identity attributes. | # Human Assurance Connect Source: https://developer.prove.com/reference/human-assurance-connect Learn how to use Prove Connect for secure batch identity verification via SFTP Connect is the Prove Platform **batch verification** interface. Customers upload CSV files over **SFTP**; each valid row is verified with **[`POST /v3/verify`](/reference/verify)**. Rows that pass the **Global Fraud Policy** are enrolled in **Identity Manager**. Responses match the same fields as synchronous [`POST /v3/verify`](/reference/verify) calls.
"Last 4 SSN/ITIN"
"SSN/ITIN"
"MM/DD/YYYY"
"MM/YYYY"
"MM/DD" | Last 4 SSN/ITIN
Full SSN\*
Full DOB
DOB - Month and Year
DOB - Month and Day
**If the customer is applying to open a demand deposit account (DDA), the customer must enter their full social security number (SSN) for the challenge.** | | Prove Pre-Fill with KYC | "Full SSN/ITIN" | Full SSN | ### Phone number field
`, ``) and scripts that waste tokens. |
| **Data Extraction** | **Direct.** Content is ready to be parsed as-is without extra processing. | **Complex.** Requires a browser engine to execute JS before content is visible. |
| **Content Visibility** | **Complete.** Includes all text, including content hidden in UI tabs or toggles. | **Partial.** Hidden or "lazy-loaded" content is often missing from the initial scrape. |
| **Contextual Hierarchy** | **Explicit.** Headers (`#`, `##`) signal the importance and relationship of data. | **Inferred.** AI must guess hierarchy based on nested tags or CSS classes. |
| **Formatting Noise** | **Minimal.** Focuses on the data, reducing the risk of the AI getting distracted. | **Significant.** Inline styles and attributes add "noise" to the signal. |
Prove hosts /llms.txt and /llms-full.txt files which instruct AI tools and agents how to retrieve the plain text versions of Prove pages. The /llms.txt file is an [emerging standard for making websites and content more accessible to LLMs](https://llmstxt.org/).
## Contextual menu
Plain Markdown and `/llms.txt` help tools *find* content. The harder part is getting the **page you are reading** into an assistant or agent **without fragile copy-paste**. The **contextual menu** at the top of each page is where you turn the current doc into **grounding context**: copy text, open Markdown, or connect to assistants and editor tooling.
## Model Context Protocol (MCP)
The Prove [Model Context Protocol (MCP)](https://developer.prove.com/explanation/model-context-protocol) exposes tools that AI agents can use to search Prove’s documentation and read full pages from a virtual documentation filesystem.
# Model Context Protocol (MCP)
Source: https://developer.prove.com/explanation/model-context-protocol
What Prove’s hosted Model Context Protocol server is—how assistants search documentation and read pages—and how to connect using your own MCP-capable client.
## Prove MCP overview
The Prove **Model Context Protocol (MCP)** server exposes tools to connected AI clients so assistants can **search** Prove documentation and **read** full pages from a virtual documentation filesystem. It complements other doc access patterns such as [plain Markdown and `llms.txt`](https://developer.prove.com/explanation/build-with-llm).
If your team uses AI-powered editors, you can point your client at Prove’s **hosted** MCP endpoint—no separate Prove package to run on your infrastructure for this service.
## Hosted endpoint
Prove hosts an [MCP server](https://developer.prove.com/mcp). Register this URL in your MCP client using that product’s workflow for **HTTP** MCP servers. Exact steps depend on the vendor; follow their documentation for adding or enabling MCP servers, ensure your network allows HTTPS to `developer.prove.com`, then confirm the **prove** (or equivalent) server appears connected in the client’s MCP or tools UI.
## MCP resources (`skill.md`)
The MCP server exposes **[`skill.md` files](https://mintlify.com/docs/ai/skillmd) as MCP resources** so agents discover capability descriptions without installing those files separately. Resources appear in the MCP resource list alongside the tools below.
## Tools available to assistants
Tools are exposed to connected AI clients as follows.
### `search_prove`
Search across the Prove knowledge base to find relevant information, code examples, API references, and guides. Use this tool when you need to answer questions about Prove, find specific documentation, understand how features work, or locate implementation details. The search returns contextual content with titles and direct links to the documentation pages.
If you need the full content of a specific page, use the `query_docs_filesystem_prove` tool to `head` or `cat` the page path (append `.mdx` to the path returned from search — for example, `head -200 /api-reference/create-customer.mdx`).
Optional parameters for `search_prove` (when the client passes them through) include:
* **`pageSize`** — Number of results to return, between **1** and **50**; defaults to **10**.
* **`scoreThreshold`** — Minimum relevance score between **0** and **1**; filters out lower-confidence matches.
* **`version`** — Restrict results to a documentation version tag.
### `query_docs_filesystem_prove`
Run a read-only shell-like query against a virtualized, in-memory filesystem rooted at `/` that contains **only** the Prove documentation pages and OpenAPI specs. This is **not** a shell on any real machine — nothing runs on the user's computer, the server host, or any network. The filesystem is a sandbox backed by documentation chunks.
This is how you read documentation pages: there is no separate “get page” tool. To read a page, pass its `.mdx` path (for example, `/quickstart.mdx`, `/api-reference/create-customer.mdx`) to `head` or `cat`. To search the docs with exact keyword or regex matches, use `rg`. To understand the docs structure, use `tree` or `ls`.
**Workflow:** Start with the search tool for broad or conceptual queries like “how to authenticate” or “rate limiting”. Use `query_docs_filesystem_prove` when you need exact keyword or regex matching, structural exploration, or to read the full content of a specific page by path.
**Supported commands:** `rg` (ripgrep), `grep`, `find`, `tree`, `ls`, `cat`, `head`, `tail`, `stat`, `wc`, `sort`, `uniq`, `cut`, `sed`, `awk`, `jq`, plus basic text utilities. No writes, no network, no process control. Run `--help` on any command for usage.
**Stateless calls:** Each call is stateless: the working directory always resets to `/` and no shell variables, aliases, or history carry over between calls. If you need to operate in a subdirectory, chain commands in one call with `&&` or pass absolute paths (for example, `cd /api-reference && ls` or `ls /api-reference`). Do **not** assume that `cd` in one call affects the next call.
**Examples**
* `tree / -L 2` — see the top-level directory layout
* `rg -il "rate limit" /` — find all files mentioning “rate limit”
* `rg -C 3 "apiKey" /api-reference/` — show matches with three lines of context around each hit
* `head -80 /quickstart.mdx` — read the top 80 lines of a specific page
* `head -80 /quickstart.mdx /installation.mdx /guides/first-deploy.mdx` — read multiple pages in one call
* `cat /api-reference/create-customer.mdx` — read a full page when you need everything
* `cat /openapi/spec.json | jq '.paths | keys'` — list OpenAPI endpoints
Output is truncated to 30KB per call. Prefer targeted `rg -C` or `head -N` over broad `cat` on large files. To read only the relevant sections of a large file, use `rg -C 3 "pattern" /path/file.mdx`. Batch multiple file reads into a single `head` or `cat` call whenever possible.
## Rate limits
The following **hourly rate limits** are used so the service stays available:
* **Per user (IP address)** — **5,000** requests per hour for **MCP server configuration** queries.
* **Search** — **10,000** search tool calls per hour for the public MCP path; **5,000** per hour when using **authenticated** search quotas.
* **Query docs filesystem** — **10,000** filesystem tool calls per hour for the public MCP path.
These limits are **in addition** to the **\~30 KB per-call** response truncation for `query_docs_filesystem_prove` described above. If you hit throttling, narrow queries, batch reads, and space out tool calls.
# Secure API credentials
Source: https://developer.prove.com/how-to/secure-api-credentials
How to store, rotate, and govern Prove client IDs, client secrets, and bearer tokens in development and production.
Secret API keys and client credentials behave like account passwords. If they are exposed, they can be abused against your integration and data.
You are responsible for protecting Prove credentials in your environments. Use this guide as a baseline; align it with your security program and any obligations in your agreement with Prove.
## Protect against compromised credentials
* **Use a key management system (KMS) or secrets manager for production secrets.** When you create or rotate a production client secret, store it only in a system designed for secrets (encryption at rest, access control, audit). Avoid leaving copies in local files or shared drives.
* **Limit who can create, read, or rotate keys.** Define ownership, use least privilege, and review access periodically.
* **Do not share secrets in email, chat, or support tickets.** Use approved secret-handling channels only.
* **Do not commit secrets to source control.** Public repositories are actively scanned; private repos still leak through clones and tooling. Use environment variables or your CI/CD secret store, never literals in code.
* **Do not embed client secrets or long-lived tokens in client-side apps.** Mobile binaries and front-end JavaScript can be reverse-engineered; anything shipped to the device should be treated as public.
* **Monitor API usage.** Review logs for unusual patterns and ensure Sandbox credentials are not used against Production endpoints (and vice versa).
* **Train your team and document your process.** Keep internal runbooks current for onboarding, incident response, and rotation.
* **Rotate credentials on a schedule and after suspected exposure.** Rotating client secrets and invalidating old values limits blast radius if a secret was leaked without your knowledge.
For HTTP errors when calling Platform APIs, see [Errors and status codes](/reference/status-and-error-codes).
# Assurance Levels
Source: https://developer.prove.com/reference/assurance-levels
Understand Prove's Assurance Levels (AL) and how they indicate the confidence in a verified identity.
## Definition
In [`POST /v3/verify`](/reference/verify) responses, the **identity** object includes:
| Field | Role |
| :--------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `assuranceLevel` | Tier such as `AL-1`, `AL0`, `AL1`, `AL2`, or `AL3`. Higher tiers indicate stronger confidence in the association between the phone number and the identity. |
| `reasons` | One or more reason codes from the tables below (for example `-1A`, `1B`). |
Tiers are ordered from lowest (AL-1) to highest (AL3).
## Reason codes
### AL-1
| Reason code | Description |
| :---------- | :----------------------------------------------------------------------------------------------------- |
| -1A | Too many identities bound to a single phone number. |
| -1F | Premium rate number globally or listed on the US Override Services Registry (OSR) registry. |
| -1G | Online rentable temporary eSIM or VoIP number. |
| -1H | Online rentable temporary eSIM or VoIP number, with high activity. This indicates fraudulent activity. |
### AL0
| Reason code | Description |
| :---------- | :------------------------------------------------------------------------------------------------------------ |
| 0B | Country doesn't give behavioral data. |
| 0C | Assigned number with no behavioral activity. |
| 0D | Short tenure, no activity. Reclassifies to AL0E if activity appears. |
| 0E | Short tenure with behavioral activity present. |
| 0F | Activity volume exceeds normal human thresholds. |
| 0G | Pagers or other non-standard line types. Behavioral signals incompatible with standard identity verification. |
### AL1
| Reason code | Description |
| :---------- | :-------------------------------------------------------------------------------------------------------- |
| 1A | Enough ownership tenure and longitudinal human behavior. |
| 1B | Tenure and longitudinal human behavior with Prove binding phone to a specific identity, superseding AL1A. |
| 1D | Low longitudinal behavior but human signals such as ports, calls, or logins indicate not an eSIM bot. |
### AL2
| Reason code | Description |
| :---------- | :---------------------------------------------------------------------------- |
| 2A | Prove has seen this phone and identity before at moderate-to-high confidence. |
| 2B | Prove corroborated data across more than one identity data source. |
### AL3
| Reason code | Description |
| :---------- | :------------------------------------------------------------------------------------------------------ |
| 3A | Prove has seen this phone and identity before at high confidence, this is this person's primary number. |
# Global fraud policy
Source: https://developer.prove.com/reference/global-fraud-policy
Evaluation categories and failure reason codes in the evaluation object on Prove Platform API responses.
## Definition
The **Global Fraud Policy (GFP)** drives pass/fail outcomes and machine-readable failure reasons in the **`evaluation`** object returned by Prove Platform APIs (for example [`POST /v3/complete`](/reference/complete-request)).
GFP classifies each transaction into one or more of the following categories:
| Category | Evaluates |
| :------------- | :----------------------------------------------------------------------------------------------------- |
| Identification | Consistency of personal details (for example name, address, date of birth, national identifier). |
| Authentication | Whether the claimant matches the identity and phone possession signals. |
| Compliance | Regulatory and program requirements for the industry and use case. |
| Risk | Factors outside identification and authentication (for example behavioral or carrier-related signals). |
## Response examples
Representative **`evaluation`** payloads from **`POST /v3/complete`**.
**Pass**
```json theme={"dark"}
{
"success": true,
"next": {
"done": "done"
},
"evaluation": {
"authentication": {
"result": "pass"
},
"identification": {
"result": "pass"
}
}
}
```
**Fail** (with `failureReasons`)
```json theme={"dark"}
{
"success": false,
"next": {
"done": "done"
},
"evaluation": {
"authentication": {
"result": "fail",
"failureReasons": {
"9161": "Very short tenure association between phone number and identity.",
"9171": "Potential injection attack due to 2 identities both with short tenure association to the phone number.",
"9180": "No phone ownership confirmed using 4 elements."
}
},
"identification": {
"result": "fail",
"failureReasons": {
"9001": "Identification isn't confirmed using 4 elements."
}
}
}
}
```
## Failure reason codes
| Code | Category | Description |
| :--- | :------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 9001 | Identification | Identification isn't confirmed using 4 elements. |
| 9003 | Identification | Identity isn't found |
| 9004 | Identification | Identification isn't confirmed using 4 elements with secondary source. |
| 9005 | Identification | Identification isn't confirmed using 4 elements with more than 1 source. |
| 9011 | Identification | Identification isn't confirmed using less than 4 elements. |
| 9012 | Identification | SSN doesn't match. |
| 9013 | Identification | Birth Date doesn't match. |
| 9014 | Identification | Name doesn't match. |
| 9015 | Identification | Address doesn't match. |
| 9081 | Identification | SSN is issued before the birth date. |
| 9082 | Identification | Address is a correctional facility. |
| 9083 | Identification | Deceased indicator is present for individual. |
| 9100 | Authentication | Phone possession incomplete. Occurs when `/validate` is called before the Mobile Auth or OTP possession flow completes. |
| 9101 | Authentication | Phone number doesn't match Prove Key. Rebind required. |
| 9131 | Authentication | Indicates the phone number is at a higher risk for fraud due to being listed as a non-mobile line on the Override Services Registry (OSR). |
| 9132 | Authentication | This phone number is listed on a public website with the contents of its text messages posted publicly to allow a user to bypass phone possession check controls. |
| 9133 | Authentication | The phone isn't trusted based on the SIM Key Trust Score. |
| 9134 | Authentication | The phone isn't trusted because it's a non-fixed VoIP number. |
| 9135 | Authentication | Potential account takeover (ATO) due to recent SIM Swap under 24 hours. |
| 9136 | Authentication | Potential ATO due to recent Port under 24 hours. |
| 9137 | Authentication | Potential ATO due to call forwarding enabled for phone number. |
| 9161 | Authentication | Short tenure association between phone number and identity. |
| 9162 | Authentication | Short tenure association between phone number and identity. |
| 9163 | Authentication | Potential recycled phone fraud due to a high number of identities associated to phone number with a newer owner present. |
| 9164 | Authentication | Potential recycled phone fraud due to identity having no recent association to phone number and a phone disconnect event is observed after the phone association. |
| 9165 | Authentication | Potential recycled phone fraud due to a newer owner observed and a phone disconnect event is observed after the phone association. |
| 9166 | Authentication | Address is a correctional facility. |
| 9167 | Authentication | Deceased indicator is present for individual. |
| 9168 | Authentication | Person verification was performed indicating phone ownership isn't verified |
| 9171 | Authentication | Potential injection attack due to 2 identities both with short tenure association to the phone number. |
| 9172 | Authentication | Potential injection attack due to 3 identities all with short tenure association to the phone number. |
| 9173 | Authentication | Potential injection attack due to 4 identities all with short tenure association to the phone number. |
| 9174 | Authentication | Potential injection attack due to 5 or more identities all with short tenure association to the phone number. |
| 9175 | Authentication | No active identity can be associated with the phone number. |
| 9176 | Authentication | The phone number and identity is strongly associated negative bot activity. |
| 9177 | Authentication | No information can be found for the identity or phone number. |
| 9180 | Authentication | No phone ownership confirmed using 4 elements. |
| 9181 | Authentication | No phone ownership confirmed using less than 4 elements |
| 9201 | Compliance | Anti-Money Laundering (AML) alerts are present for this identity. |
| 9301 | Risk | No historical behavioral activity. |
| 9302 | Risk | Suspicious large amount recent of activity. |
| 9303 | Risk | Unusual amount of recent carrier phone number change events. |
| 9304 | Risk | Suspicious large amount recent of activity across different identity attributes. |
# Revoke Device
Source: https://developer.prove.com/reference/revoke-request
post /v3/device/revoke
This endpoint allows you to revoke a Prove Key device, marking it as inactive
so it can no longer be used in an auth flow.
# Request OAuth Token
Source: https://developer.prove.com/reference/token-request
openapi-token.yaml post /token
This endpoint allows you to request an OAuth token.
# Bind Prove Key
Source: https://developer.prove.com/reference/unify-bind-request
openapi-unify.yaml post /v3/unify-bind
This endpoint allows you to bind a Prove Key to a phone number of a Unify session and get the possession result.
# Initiate Possession Check
Source: https://developer.prove.com/reference/unify-request
openapi-unify.yaml post /v3/unify
This endpoint allows you to initiate the possession check.
# Check Status
Source: https://developer.prove.com/reference/unify-status-request
openapi-unify.yaml post /v3/unify-status
This endpoint allows you to check the status of a Unify session and get the possession result.
# Verify
Source: https://developer.prove.com/reference/verify
openapi.yaml POST /v3/verify
Runs Prove verification flows in one endpoint. Set `verificationType` in the request body to select the flow.
For **`/v3/verify`**, request and response fields depend on the **`verificationType`** and product flow. See the verify guides for flow-specific request and response details:
* [Human Assurance](https://developer.prove.com/how-to/human-assurance-verify)
* [Verified User](https://developer.prove.com/how-to/verified-users-verify)
* [Account Opening](https://developer.prove.com/how-to/account-opening-verify)
* [Pre-Fill for Consumers](https://developer.prove.com/how-to/pre-fill-for-consumers-verify)
* [Pre-Fill for Business](https://developer.prove.com/how-to/pre-fill-for-business-verify)