Deployment
Server API
Server-side interface for querying device fingerprint recognition results
Purpose
fp_query is used to query device fingerprint identification results.
The caller must first obtain the server-returned gee_token through client_report, then pass that gee_token to fp_query to obtain the final:
fpfingerprint valuerisk_coderisk codesrisk_labelrisk labelsclient_ipclient IPclient_typeclient typeaccess_listaccess list hit information
Integration Flow
The standard call sequence is as follows:
- The client collects fingerprint data and calls
client_report. - The server returns a new
gee_token. - The caller passes the
gee_token,private_key, andtstofp_query. - The server returns the final query result.
Notes:
fp_queryonly accepts thegee_tokenreturned byclient_report.- Do not pass the original client token directly to
fp_query.
Request Information
Request Method
POST
Request URL
/api/v1/fp_query/{app_id}Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
app_id | string | Yes | Application ID |
Request Body
{
"gee_token": "string",
"private_key": "string",
"ts": 1712345678
}Field description:
| Field | Type | Required | Description |
|---|---|---|---|
gee_token | string | Yes | Token returned by client_report |
private_key | string | Yes | Application secret key, which must correspond to app_id |
ts | integer | Yes | Current request timestamp. A Unix timestamp in seconds is recommended |
Successful Response
Response Format
{
"status": "success",
"code": 0,
"data": {
"fp": "fp-value",
"risk_code": [20400, 20606],
"risk_label": ["BEING_DEBUGGED", "BROWSER_INCOGNITO_MODE"],
"client_ip": "1.1.1.1",
"client_type": "Web/H5",
"access_list": {
"hit": false,
"list_type": "none",
"identity_type": ""
}
}
}Field Description
| Field | Type | Description |
|---|---|---|
status | string | Fixed as success when the request succeeds |
code | integer | Fixed as 0 when the request succeeds |
data.fp | string | Fingerprint value |
data.risk_code | integer[] | Risk code list |
data.risk_label | string[] | Risk label list, corresponding one-to-one with risk_code |
data.client_ip | string | Client IP |
data.client_type | string | Client type |
data.access_list | object | Access list hit result |
access_list Field Description
The access_list structure is as follows:
{
"hit": false,
"list_type": "none",
"identity_type": ""
}Field description:
| Field | Type | Description |
|---|---|---|
hit | boolean | Whether an access list was hit |
list_type | string | Access list type. Usually none when no list is hit |
identity_type | string | Hit identity type. Usually an empty string when no list is hit |
Common examples:
- No hit:
{"hit": false, "list_type": "none", "identity_type": ""} - Blacklist hit:
{"hit": true, "list_type": "black", "identity_type": "fingerprint"}
client_type Return Values
The current API converts internal client type codes into readable text:
| Code | Return Value |
|---|---|
1 | Android |
3 | Web/H5 |
4 | iOS |
Call Examples
Request Example
curl -X POST 'https://your-domain/api/v1/fp_query/test-app' \
-H 'Content-Type: application/json' \
-d '{
"gee_token": "output-gee-token-from-client-report",
"private_key": "private-key",
"ts": 1712345678
}'Response Example
{
"status": "success",
"code": 0,
"data": {
"fp": "GEE3-01-xxxxxxxx",
"risk_code": [20400, 20606],
"risk_label": ["BEING_DEBUGGED", "BROWSER_INCOGNITO_MODE"],
"client_ip": "1.1.1.1",
"client_type": "Web/H5",
"access_list": {
"hit": false,
"list_type": "none",
"identity_type": ""
}
}
}risk_code Description
risk_code indicates the risk items detected for the device or environment. Multiple values may be returned at the same time.
Return rules:
risk_codeis an integer array.risk_labelcorresponds one-to-one withrisk_codein order.- A single query may hit multiple risk codes.
- If no risk is hit,
risk_codemay be an empty array[].
Example:
{
"risk_code": [20400, 20606],
"risk_label": ["BEING_DEBUGGED", "BROWSER_INCOGNITO_MODE"]
}The risk_code list below helps you understand common risk labels and their typical scenarios, making it easier to connect query results to allow, step-up verification, rate limiting, or review strategies.
The current risk codes are described below.
Basic
| risk_code | risk_label | Description | Scenario Risk Description | Applicable Client Types |
|---|---|---|---|---|
10001 | INVALID_PACKAGE | Application package information validation exception | Some abusive actors may tamper with the application package, add ads, or modify business logic, then repackage and distribute it. | Android, iOS |
10002 | TOKEN_EXPIRED | Token has expired | Abusive actors may cache and accumulate tokens, then use cached tokens to send large volumes of business requests shortly after a campaign starts. | Android, iOS, Web |
Device / Runtime Environment
| risk_code | risk_label | Description | Scenario Risk Description | Applicable Client Types |
|---|---|---|---|---|
20100 | EMULATOR | Emulator environment | Abusive actors can use traditional emulators to perform black-market operations at scale, such as large-scale registration and credential stuffing. | Android, iOS, Web |
20101 | CLOUD_PHONE | Cloud phone environment | Abusive actors can use cloud phones or ARM servers to conduct black-market operations more efficiently and automatically than with previous techniques, such as large-scale registration and credential stuffing. | Android |
20103 | RUNNING_ON_MACOS | Running in a macOS environment | Abusive actors may use M-series Macs to run apps because they are easier to automate and tamper with, enabling profit-seeking abuse. | iOS |
20207 | RUNNING_IN_VIRTUAL_MACHINE | Running in a virtual machine environment | Abusive actors can virtualize a new environment on the device to perform most automated attacks, such as automatic ordering, leveling, and adding friends. | Android, iOS, Web |
20220 | RUNNING_IN_SYSTEM_CLONED | Running in a system clone environment | Abusive actors may use system-level multi-instance technology to run multiple app instances on one device for bulk registration and frequent credential stuffing, bypassing platform risk controls for illicit gain. | Android |
21000 | DEVICE_WITHOUT_SIM | Device has no SIM card | Normal user devices typically use carrier SIM cards. SIM-free device access often comes from device farms operated by abusive actors. | Android, iOS |
Tampering / Automation / Reverse Engineering
| risk_code | risk_label | Description | Scenario Risk Description | Applicable Client Types |
|---|---|---|---|---|
20200 | APP_CLONE_TOOL_INSTALLED | App clone tool installed | For example, reward abusers may create multiple app clones on the same device during referral campaigns, log in with multiple accounts, and coordinate invitation flows. | Android, Web |
20201 | TAMPERING_TOOL_INSTALLED | Tampering tool installed | To evade risk-control detection, abusive actors may modify some device information and attributes, such as changing device identifiers like IMEI to evade device fingerprint tagging. | Android, iOS |
20202 | AUTOMATION_TOOL_INSTALLED | Automation tool installed | Used to control many devices efficiently and perform large-scale operations, such as likes, reposts, and mass advertising. | Android, iOS |
20203 | REVERSE_ENGINEERING_TOOL_INSTALLED | Reverse engineering tool installed | Abusive actors may use reverse engineering tools to analyze application business logic and then tamper with code. | Android, iOS, Web |
20204 | NETWORK_TAMPER_TOOL_INSTALLED | Network tampering tool installed | Abusive actors often use these tools to tamper with networks for attacks, such as evading risk-control tracking and detection at the network identifier layer. | Android, iOS |
20205 | GAME_TAMPER_TOOL_INSTALLED | Game tampering tool installed | Game farming groups or cheating players may use these tools to cheat in games. | Android, iOS |
20206 | VIRTUAL_LOCATION_TOOL_INSTALLED | Virtual location tool installed | Abusive actors often tamper with location information to bypass business location restrictions or forge trajectories that mimic real user movement. | Android, iOS |
20210 | RUNNING_IN_CLONED_APP | Running in an app clone environment | Abusive actors can use device-provided app cloning to create multiple app instances for multi-account login and coordination. | Android, iOS |
20211 | USING_DEVICE_TAMPERING_TOOL | Device tampering tool is being used | To evade risk-control detection, abusive actors may modify some device information and attributes, such as changing device identifiers like IMEI to evade device fingerprint tagging. | Android |
20212 | USING_AUTOMATION_TOOL | Automation tool is being used | Used to control many devices efficiently and perform large-scale operations, such as likes, reposts, and mass advertising. | Android, iOS |
20213 | USING_REVERSE_ENGINEERING_TOOL | Reverse engineering tool is being used | Abusive actors may use reverse engineering tools to analyze application business logic and then tamper with code. | Android |
20216 | USING_VIRTUAL_LOCATION | Virtual location is being used | Abusive actors often tamper with location information to bypass business location restrictions or forge trajectories that mimic real user movement. | Android, iOS |
Hook / Information Tampering
| risk_code | risk_label | Description | Scenario Risk Description | Applicable Client Types |
|---|---|---|---|---|
20300 | HOOK_TAMPERING_LOW | Low-risk Hook tampering | There is suspected code tampering. It may be abusive tampering, or it may be legitimate hook usage during development. | iOS, Web |
20301 | HOOK_TAMPERING_MEDIUM | Medium-risk Hook tampering | Code tampering exists. Abusive actors may tamper with code logic and attack business APIs for profit. | Android, iOS, Web |
20302 | HOOK_TAMPERING_HIGH | High-risk Hook tampering | High-risk code tampering exists, involving more dangerous tampering techniques. | Android, iOS |
20303 | SUSPICIOUS_DEVICE_INFO_TAMPERED | Device information is suspected to have been tampered with | Abusive actors may forge device information to disguise the current device as a new one, bypassing business restrictions for abusive activity. | Android, iOS |
Debugging / Interaction Risks
| risk_code | risk_label | Description | Scenario Risk Description | Applicable Client Types |
|---|---|---|---|---|
20400 | BEING_DEBUGGED | Device or page is being debugged | Abusive actors often use debugging techniques for reverse engineering analysis, API cracking, and similar scenarios. | Android, iOS, Web |
20401 | DEBUG_MODE_OR_TEST_APP | Debug mode or test application environment | Debugging, device-control tools, or cracked packages usually have this characteristic. Some normal users may also hit this risk by unintentionally enabling developer mode. | Android, iOS |
20402 | SCREEN_SHARING | Screen casting or screen sharing behavior exists | Fraudsters may trick users into enabling screen sharing, exposing personal information and eventually causing financial loss. | Android, iOS |
20403 | VOICE_CONNECTED | Voice connection behavior exists | Fraudsters may conduct scams through voice calls, causing financial loss. | Android, iOS |
Network Environment
| risk_code | risk_label | Description | Scenario Risk Description | Applicable Client Types |
|---|---|---|---|---|
20500 | VPN_ENABLED | VPN is enabled | VPN is enabled on the device, indicating a network-layer tampering risk. VPNs can evade network identifier tracking and may even tamper with the network. | Android, iOS |
20501 | NETWORK_PROXY | Proxy network exists | The device uses a network proxy and accesses services through a specified exit node, evading risk-control detection and restrictions. | Android, iOS |
Root / Jailbreak / System Risks
| risk_code | risk_label | Description | Scenario Risk Description | Applicable Client Types |
|---|---|---|---|---|
20600 | DEVICE_JAILBREAK | Device is jailbroken | A jailbroken iOS device can obtain higher privileges, enabling further business tampering. | iOS |
20601 | DEVICE_ROOTED | Device is rooted | Abusive actors often root Android devices to obtain higher privileges and further tamper with business logic. | Android |
20602 | SUSPICIOUS_CUSTOM_ROM | Suspicious custom ROM | Some abusive devices use ROMs customized from Android open-source projects. They have strong disguise capabilities, can severely affect business, and make the device system untrustworthy. | Android |
20603 | SUSPICIOUS_OPEN_SOURCE_ROM | Suspicious open-source ROM | Normal Android devices use vendor-provided native systems. Some abusive devices use Android open-source systems, which may affect business and indicate suspicious system risk. | Android |
20607 | DEVICE_BOOTLOADER_UNLOCKED | Bootloader is unlocked | After abusive actors unlock the bootloader, protection mechanisms are easier to bypass, and malware or attackers can more easily gain device control. | Android |
20608 | SUSPICIOUS_DEVICE_RESET | Suspicious device reset behavior | Suspected abusive activity performed through device reset. | Android, iOS |
20610 | SYSTEM_VERSION_TOO_LOW | System version is too low | Most phones used for abusive activity are relatively old, with low device performance and low system versions, such as below Android 9 or iOS 11. | Android, iOS |
Browser Environment
| risk_code | risk_label | Description | Scenario Risk Description | Applicable Client Types |
|---|---|---|---|---|
20604 | BROWSER_COOKIE_FEATURE_DISABLED | Browser Cookie feature is disabled | Browser cookies are disabled. | Web |
20605 | PSEUDO_BROWSER_ENV | Suspected fake browser environment | Abusive actors often break away from the browser container and forge an environment consistent with a normal browser for protocol cracking. | Web |
20606 | BROWSER_INCOGNITO_MODE | Browser is in incognito mode | The page is running in a browser incognito/private mode environment. | Web |
Notes:
- In the official admin console, it is recommended to display both
risk_codeandrisk_label. - The meaning of risk codes may expand as rules are added. Callers should handle them as values that may return multiple entries.
- For unknown risk codes,
risk_labelmay be an empty string.
Error Description
Business Error Response Format
For business errors, the HTTP status code is usually still 200, and the response format is as follows:
{
"status": "error",
"code": -40000,
"msg": "param error",
"desc": {}
}Common Error Codes
private_key Mismatch
{
"status": "error",
"code": -40003,
"msg": "private_key mismatch",
"desc": {
"app_id": "test-app"
}
}Troubleshooting:
- Check whether
private_keycorresponds to the currentapp_id. - Check whether the wrong application configuration was used.
Application Does Not Exist or Is Not Visible in the Current Environment
{
"status": "error",
"code": -40004,
"msg": "app not found",
"desc": {
"app_id": "test-app"
}
}Troubleshooting:
- Check whether
app_idis correct. - Check whether the application has been deleted.
- Check whether the current deployment environment allows access to this application.
The Input Is Not the Server-Returned gee_token
{
"status": "error",
"code": -40000,
"msg": "param error",
"desc": {
"field": "token",
"reason": "geetoken required",
"crypt_type": 10
}
}Troubleshooting:
- Check whether the original client token was passed directly to
fp_query. - Confirm that the input is the
gee_tokenreturned byclient_report.
Internal System Exception
{
"status": "error",
"code": -50000,
"msg": "runtime error",
"desc": {
"type": "异常类型文本"
}
}Parameter Validation Errors
If the request body is missing fields or contains fields with incorrect types, the API directly returns 422 and does not use the business error wrapper.
Common scenarios:
- Missing
gee_token - Missing
private_key tsis not an integer
Integration Recommendations
It is recommended to integrate as follows:
- Use
client_reportandfp_queryas a pair of APIs. - Only pass the
gee_tokenreturned byclient_reporttofp_query. - Ensure that
app_idandprivate_keycome from the same application. - Use a current timestamp generated by the server for
tsto avoid obviously stale data. - Use
risk_code + risk_labelas business decision inputs. It is not recommended to rely on a single field only.