Fields
Signals
Observable properties of the URL. The shape is consistent on every request. Fields that aren’t applicable or weren’t checked come back asnull.
Not every URL is analyzed in full depth. URLs that are clearly clean or clearly malicious from the string alone get a fast verdict, and the network-level signals (
domain_age_days, has_email_setup, redirect_count, final_url, bot_protection) come back null. Treat null as “not checked,” not “not present.”How signals describe redirect chains
When a URL redirects across domains (e.g. a shortener resolving to a landing page), signals are assembled from both the submitted URL and the final URL:- Describe the destination (where the user ends up):
brand_impersonation,domain_age_days,has_email_setup,bot_protection - Describe the submitted URL (what was sent):
redirect_count,final_url,is_reported - Either URL exhibiting the trait:
is_link_shortener,has_suspicious_characters
http:// → https://, trailing-slash canonicalization) don’t trigger re-analysis.
Reason codes
reasons is an ordered list of stable codes explaining why the URL looks risky. Codes only appear when a signal or rule actually attributed risk to this URL. A field being present is not enough; it has to have driven the score. Benign URLs return reasons: [].
Reasons only describe what increased risk. You will not see
has_email_setup as a reason. It’s the absence of email setup that’s concerning, and that surfaces as missing_email_setup.
Allowlists and blocklists
You can configure per-tenant allowlists and blocklists in the dashboard. These are applied before the risk model runs:- A blocklist hit returns
risk_score: 1andreasons: ["blocklisted"]. Nosignalsare returned. The verdict comes from your configuration, not from analysis of the URL. - An allowlist hit returns
risk_score: 0andreasons: ["allowlisted"]. Also nosignals. - Everything else flows through the risk model.
Domain-level matching
Entries match at the registered domain level. Subdomains are not matched automatically. To allow every subdomain of your service, add each one explicitly. Given an allowlist entry ofexample.com:
Matching is case-insensitive. Enter plain domain strings: no scheme, no path, no wildcards. Internationalized domains should be entered in their punycode form (
xn--...).
FAQ
Why does the score for the same URL change over time?
Why does the score for the same URL change over time?
Risk is a moving target. Several inputs change between requests:
- Domains age. A freshly registered domain looks risky today and less risky in six months.
domain_age_daysgrows naturally. - Email infrastructure gets added. Legitimate businesses set up MX, SPF, and DMARC records as they grow up; throwaway domains rarely do.
has_email_setupcan flip fromfalsetotrueas a domain matures. - Threat-intelligence feeds update constantly. A URL not on any feed today may be reported tomorrow.
- Redirect destinations change. Shorteners and redirectors can be repointed at any time. The destination is re-resolved on every request.
- The model is updated as the threat landscape shifts.
What threshold should I use?
What threshold should I use?
risk_score >= 0.5 is the default cutoff for “treat as malicious,” and it’s tuned so the rate of false positives at that threshold is low across typical user-generated content. Tighten it (e.g. 0.7) if your audience is unusually tolerant of risky links, or loosen it (e.g. 0.3) if you’d rather over-block. The reasons array gives you the why in either direction.A legitimate URL of mine is being flagged. What do I do?
A legitimate URL of mine is being flagged. What do I do?
Add it to your allowlist. Allowlist entries override the risk model. This is the right tool for your own product domains, trusted partners, and URLs you’ve manually verified as safe.If you think the score is wrong in a way that would also affect other customers (for example, a brand-impersonation false positive on a legitimate brand variant), let us know and we’ll look at the model.