Evaluates a login event against the ATO heuristic engine. The platform tracks failed logins per subject in a rolling one-hour window and derives a risk level from the current count. When a threshold is crossed, an alert is created and a risk signal is automatically ingested into the risk signal pipeline. See the account takeover detection guide for the full workflow, threshold reference, and integration patterns.Documentation Index
Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
Use this file to discover all available pages before exploring further.
Threshold rules
| Failed logins (1 h window) | Risk level | Auto-alert |
|---|---|---|
| 0–4 | normal | No |
| 5–9 | elevated | Yes — velocity_exceeded |
| 10–19 | high | Yes — velocity_exceeded |
| 20+ | critical | Yes — credential_stuffing |
Request
User identifier (user ID, email, or external ID).
Login event type:
login.failed, login.failed.repeated, login.success, login.new_deviceType of subject. Defaults to
user.Source IP address for the login attempt.
Response
The subject that was evaluated.
Type of subject (
user).Current ATO risk level:
normal | elevated | high | criticalNumeric risk score: 10 (normal), 50 (elevated), 70 (high), 90 (critical).
Number of failed logins in the current one-hour window.
true if a new alert was triggered by this evaluation.Alert category when triggered:
velocity_exceeded or credential_stuffing.UUID of the auto-ingested risk signal (only present when an alert fired).
The event type that was evaluated.