Risk.js SDK
Last updated: July 23, 2025
Version 2.3
The Risk.js SDK supports the Fraud Detection solution by capturing advanced fraud signals that are leveraged in Checkout.com's machine learning model for risk scores.
Information
To enable access to the SDK, contact your account manager or request support.
For more information, see Integrate with Risk SDK.
Generate a public API key from your Dashboard.
- Import the SDK.
- Initialize the SDK.
- Publish the device data.
- Allow Content Security Policies.
- Attach the `risk.js` script tag to your Checkout.com page:

```html
<script
  id="risk-js" defer
  src="https://risk.sandbox.checkout.com/cdn/risk/2.3/risk.js"
  integrity="sha384-ZGdiIppkJzwran7Bjk0sUZy5z1mZGpR/MJx7LC0xCTyFE2sBpPFeLu4r15yGVei6"
  crossorigin="anonymous"
></script>
```
- Wait for the script to load and then use Risk.js:
```js
const script = document.getElementById('risk-js');

script.addEventListener('load', () => {
  // Use Risk.js here
});
```
Before the customer selects Pay, initialize Risk.js using your public API key:
```js
const risk = await window.Risk.create("pk_XXXX");
```
- Publish the device data and retrieve the `deviceSessionId`:

```js
const deviceSessionId = await risk.publishRiskData(); // dsid_XXXX
```
Note
The data collection session expires if you do not perform a payment request within 20 minutes after the `deviceSessionId` is issued.
Forward the `deviceSessionId` to your back-end server. When you call the Request a payment or payout endpoint, include the `deviceSessionId` in the `risk` object:

```json
{
  "source": {
    "type": "card",
    "number": "4242424242424242",
    "expiry_month": "6",
    "expiry_year": "2024",
    "name": "John Smith"
  },
  "amount": "100",
  "currency": "USD",
  "risk": {
    "device_session_id": "dsid_ipsmclhxwq72phhr32iwfvrflm"
  },
  "customer": {
    "email": "[email protected]"
  },
  "reference": "order_1234",
  "shipping": {
    "address": {
      "address_line1": "123 Anywhere St.",
      "city": "Anytown",
      "zip": "123456",
      "country": "US"
    }
  },
  "payment_ip": "10.3.1.1",
  "metadata": {
    "coupon_code": 1234
  }
}
```
If your website has Content Security Policy (CSP) headers set up, allow the following directives:
```
script-src [...] https://risk.sandbox.checkout.com;
connect-src [...] https://fpjs.sandbox.checkout.com https://fpjscache.sandbox.checkout.com;
frame-src [...] https://risk.sandbox.checkout.com;
```
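The following is an added example, not part of Checkout.com's documentation: a helper that merges the three directives above into an existing policy string without loosening it. The names `RISK_JS_CSP`, `parseCsp`, `allowRiskJs` and the sample policy are assumptions made for this illustration.

```javascript
// Sources Risk.js needs, copied from the directives above (sandbox hosts).
const RISK_JS_CSP = {
  'script-src': ['https://risk.sandbox.checkout.com'],
  'connect-src': [
    'https://fpjs.sandbox.checkout.com',
    'https://fpjscache.sandbox.checkout.com',
  ],
  'frame-src': ['https://risk.sandbox.checkout.com'],
};

// frame-src falls back to child-src before default-src; the others use default-src.
const fallbacks = (d) => (d === 'frame-src' ? ['child-src', 'default-src'] : ['default-src']);

// Parse "name src1 src2; name2 ..." into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Return the policy with the Risk.js sources added and everything else untouched.
function allowRiskJs(header, required = RISK_JS_CSP) {
  const policy = parseCsp(header);
  for (const [directive, hosts] of Object.entries(required)) {
    let sources = policy.get(directive);
    if (!sources) {
      // Directive absent: the browser uses its fallback. With no fallback set,
      // nothing is restricted, so adding the directive would only tighten things.
      const fallback = fallbacks(directive).find((d) => policy.has(d));
      if (!fallback) continue;
      sources = [...policy.get(fallback)]; // keep what the fallback already allowed
    }
    // 'none' must stand alone, so it is dropped once a host is added.
    sources = sources.filter((s) => s.toLowerCase() !== "'none'");
    for (const host of hosts) if (!sources.includes(host)) sources.push(host);
    policy.set(directive, sources);
  }
  return [...policy].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Constructed sample policy, not taken from any real site.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; frame-src 'none'";
console.log(allowRiskJs(SAMPLE_CSP));
```

A policy that sets `script-src-elem` applies that directive to `<script>` tags instead of `script-src`; this helper does not handle that case.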