Risk.js SDK

Last updated: July 23, 2025

Version 2.3

The Risk.js SDK captures advanced fraud signals that are leveraged in our fraud-scoring machine-learning model for Fraud Detection.

Information

To enable access to the SDK, contact your account manager or request support.

For more information, see Integrate with Risk SDK.

Generate a public API key from your Dashboard.

Import the SDK.
Initialize the SDK.
Publish the device data.
Allow Content Security Policies.

Attach the risk.js script tag to your Checkout.com page:


1<script
2  id="risk-js" defer
3  src="https://risk.sandbox.checkout.com/cdn/risk/2.3/risk.js"
4  integrity="sha384-ZGdiIppkJzwran7Bjk0sUZy5z1mZGpR/MJx7LC0xCTyFE2sBpPFeLu4r15yGVei6"
5  crossorigin="anonymous"
6></script>


1<script
2  id="risk-js" defer
3  src="https://risk.checkout.com/cdn/risk/2.3/risk.js"
4  integrity="sha384-5MxwBLDYNCSe1Hu+REgSSz12/VIydFkxhDdiodk/dc+QMD3hr1dmn+fbHOZ4g9cB"
5  crossorigin="anonymous"
6></script>

Wait for the script to load and then use Risk.js:


1const script = document.getElementById('risk-js');
2
3script.addEventListener('load', () => {
4  // Use Risk.js here
5});

Before the customer selects Pay, initialize Risk.js using your public API key:


1const risk = await window.Risk.create("pk_XXXX");

Publish the device data and retrieve the deviceSessionId:


1const deviceSessionId = await risk.publishRiskData(); // dsid_XXXX

Note

The data collection session expires if you do not perform a payment request within 20 minutes after the deviceSessionId is issued.

Forward the deviceSessionId to your back-end server.
When you call the Request a payment or payout endpoint, include the deviceSessionId in the risk object:


1{
2  "source": {
3    "type": "card",
4    "number": "4242424242424242",
5    "expiry_month": "6",
6    "expiry_year": "2024",
7    "name": "John Smith"
8  },
9  "amount": "100",
10  "currency": "USD",
11  "risk": {
12    "device_session_id": "dsid_ipsmclhxwq72phhr32iwfvrflm"
13  },
14  "customer": {
15    "email": "[email protected]"
16  },
17  "reference": "order_1234",
18  "shipping": {
19    "address": {
20      "address_line1": "123 Anywhere St.",
21      "city": "Anytown",
22      "zip": "123456",
23      "country": "US"
24    }
25  },
26  "payment_ip": "10.3.1.1",
27  "metadata": {
28    "coupon_code": 1234
29  }
30}

If your website has Content Security Policy (CSP) headers set up, allow the following directives:


1script-src [...] https://risk.sandbox.checkout.com;
2connect-src [...] https://fpjs.sandbox.checkout.com https://fpjscache.sandbox.checkout.com;
3frame-src [...] https://risk.sandbox.checkout.com;


1script-src [...] https://risk.checkout.com;
2connect-src [...] https://fpjs.checkout.com https://fpjscache.checkout.com;
3frame-src [...] https://risk.checkout.com;

Risk.js SDK

Information

Before you begin

How it works

Import the SDK

Initialize the SDK

Publish the device data

Note

Request example

Allow Content Security Policies