Calling a fraud provider hook

When calling the URL found on the “hook” property I receive from the “/transactions” call (Documentation), I am getting a 401 Unauthorized response. The documentation does not say anything on how to call this webhook.

I really appreciate any help you can provide.

1 Like

Hi @jamesblack, did you have the chance to take a look at this guide?

Looks like we can improve its clarity, but it seems to me that the /transactions endpoint should actually be provided by the Anti-Fraud Provider, not VTEX.

When it is set up, our payments gateway will try to use credentials provided by the Anti-Fraud Provider to call their endpoint and check which transactions are approved.

So my question to you is:

  • Could you share the complete URI you are sending your API requests to?

  • Are you including the X-PROVIDER-API-AppKey and X-PROVIDER-API-AppToken credentials provided by the Anti-Fraud Provider in your request headers?

Thank you very much, George, for your quick reply.
I apologize I wasn’t clearer in my question.

We are developing an anti-fraud provider integration for VTEX and have implemented the required endpoints including /transactions.
When our /transactions endpoint is getting called by VTEX we receive a hook property on the request and we would like to use it to asynchronously return our analysis to VTEX (or notify VTEX that the analysis is ready for querying - which is how we think it works).

The question is: What should be passed to this hook in order for it to work, what the body should include, and what headers should be sent?

Thank you again for your help!

Best regards.

1 Like

Hey, @jamesblack, how are you?

As we’re talking about the hook property, some concepts need to be understood beforehand.

Firstly, we send the Antifraud data through the /transaction route which contains a URL to be called when the payment has its status changed (hook). Hence, you must send a new request to this endpoint when your analysis is ready, so, at this point, you must call us by passing your VTEX credentials in the headers as well as you received X-PROVIDER-API-AppKey/AppToken when we called you.

The meaning of 401 Unauthorized is that your credentials are missing or invalid.

Regarding the content of the request body, you can use the same template when responding to the Send Antifraud Data request. It can be found at the bottom of our documentation page in the example response. However, as you’re calling our hook, it’s presumed you have approved or denied that payment operation. e.g.

{
  "id": "D3AA1FC8372E430E8236649DB5EBD08E",
  "tid": "4692c1f54d514fe69da0b472a3b2a770",
  "code": "customCode",
  "message": "customMessage",
  "status": "approved" or "denied",
  "score": 5.01,
  "analysisType": "automatic",
  "responses": {
    "foo": "anyFoo",
    "custom": "customAnyValue"
  }
}

1 Like

Thanks, @wando777, for your detailed response! Much appreciated.
I am not sure what you mean by:

> you must call us by passing your VTEX credentials

As an anti fraud provider I don’t have my own credentials to use. Also, you’ve said:

> as well as you received X-PROVIDER-API-AppKey/AppToken when we called you

The AppKey and AppToken in the headers when VTEX calls my /transactions route are the ones provided by me to my customers as a way for me to identify the customer and validate the call and not something received by VTEX.

I have tried calling the webhook with the X-PROVIDER-API-* headers as well as with an Application Key I have generated from the store. Both approaches did not work (getting the same authorization error).

Thank you for your support, and hopefully we can figure it out soon.


Alright, when I say “VTEX credentials” I mean the credentials you have access to through the VTEX account. Please, check how to create and manage your credentials right here.

> The AppKey and AppToken in the headers when VTEX calls my /transactions route are the ones provided by me to my customers as a way for me to identify the customer and validate the call and not something received by VTEX.

Yes, that’s it! I just wanted to say that you should send your VTEX credentials (X-VTEX-API-AppKey/AppToken) just like we do.
We send your credentials in the headers as a way to identify our call to validate it, so you must do the same as a way to identify yourself as an authorized user to call our hook. Sorry if this wasn’t clear enough.

Currently, we’re working on improving our docs, so thank you for the feedback by the way.

Hi @wando777, I am still struggling with this issue.
I have tried sending the VTEX credentials as they are configured in our Fraud Provider configuration (see image here), I have also tried sending credentials that were generated for Application Key in the store.
We are always getting 401 Unauthorized.
Can you please explain again what are the correct VTEX credentials this webhook expects?

Thanks again for your help.

Hello, @jamesblack,

To ensure successful authentication, please make sure to use the credentials generated in your VTEX account in the headers. I have shared an informative article on the generating process of these credentials, which can be found at this link. It is also important to verify that you have set the correct permissions.

Please refer to the image below for an example of what your auth header variables should look like.

If you still have any questions, please don’t hesitate to reach out to us through our support help desk at this link. Additionally, please provide as much evidence as possible, such as your curl, but do not share your credentials directly.

1 Like
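
The callback discussed in this thread, as an added example (not code from VTEX or from any poster): it builds the request to the hook URL with the X-VTEX-API-AppKey/AppToken headers and the response-template body, refuses to attach credentials for an unexpected host, and renders a curl command with the credentials masked for a support ticket. The POST method, the Content-Type header, the `ALLOWED_HOOK_HOSTS` value and all sample values are assumptions.

```python
import json
import shlex
from urllib.parse import urlsplit

# Assumption: the hosts you expect hook URLs to point at (placeholder value).
ALLOWED_HOOK_HOSTS = ("hooks.example.test",)


def build_hook_request(hook_url, app_key, app_token, analysis, method="POST"):
    """Build (without sending) the callback for a hook URL received on /transactions."""
    parts = urlsplit(hook_url)
    # The hook URL arrives inside an inbound request, so never attach account
    # credentials to anything but HTTPS on an expected host.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOOK_HOSTS:
        raise ValueError(f"refusing to send credentials to {hook_url!r}")
    if analysis.get("status") not in ("approved", "denied"):
        raise ValueError("the hook callback carries a final approved/denied status")
    headers = {
        "Content-Type": "application/json",  # assumption: JSON body
        "X-VTEX-API-AppKey": app_key,
        "X-VTEX-API-AppToken": app_token,
    }
    return {"method": method, "url": hook_url, "headers": headers,
            "body": json.dumps(analysis)}


def redacted_curl(req):
    """Render the request as a curl command with the credential values masked."""
    cmd = ["curl", "-i", "-X", req["method"], req["url"]]
    for name, value in req["headers"].items():
        if name.lower().startswith("x-vtex-api-"):
            value = "<redacted>"
        cmd += ["-H", f"{name}: {value}"]
    cmd += ["--data", req["body"]]
    return " ".join(shlex.quote(part) for part in cmd)


if __name__ == "__main__":
    # Constructed sample values; the body fields follow the template in the thread.
    analysis = {"id": "D3AA1FC8372E430E8236649DB5EBD08E",
                "tid": "4692c1f54d514fe69da0b472a3b2a770",
                "status": "approved", "score": 5.01, "analysisType": "automatic"}
    req = build_hook_request("https://hooks.example.test/callback", "constructed-key",
                             "constructed-token", analysis)
    print(redacted_curl(req))
```

The returned dict can be handed to any HTTP client; a 401 on the response means the credential headers were missing or not accepted, as stated in the thread.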