Authorized Push Payment fraud happens when a fraudster tricks someone into sending a payment to an account outside of their control. Banking associations and issuing banks can use Authorized Payment Protection to slow down, investigate, and stop payment transfers to fraudulent destination accounts in real time, without investing the time and resources required to build and maintain a fraud management system. Financial Institutions can configure risk decisions with rules (policies) and decision flows (segments), perform manual reviews, adjust transfer approvals in real time, and spot and report fraud, all from the Kount 360 platform.
Financial Institutions also have the option to introduce Origin Account Fraud Detection to catch impersonations and account takeover. By integrating the Device Data Collector on their Payment Transfer page, they are able to detect suspicious locations, devices, IP addresses, countries, and more.
Go to Authorized Payment Protection API Reference for the full endpoint documentation.
The basic steps to integrate Authorized Payment Protection are:
- Integrate the real-time API to send data about the Origin and Destination bank accounts and receive a response with our decision (Approve, Decline, or Review).
- Submit Fraudulent Transaction information, including investigations and outcomes, to train our AI models by using Kount 360 or the Outcomes API.
In Kount 360, after you have activated your organization, you can generate API keys to send data securely to Equifax. Only users with the Owner role permissions can generate, delete, or edit API keys.
Caution
You must have an initialized client before you can create an API key.
- Sign in to Kount 360.
  There are two integration environments: sandbox and production. Only integrate into our sandbox environment if you are integrating a pre-production environment without production data for testing.
- Select Admin, and then Product Configuration.
- In System Settings, select API Keys.
  All initialized clients display.
- For the client you want to create an API key for, select Generate API Key.
  The new API key is generated. A prompt displays with the ability to copy the API key and add a description.
- Copy the API key, and then store it in a secure location.
  Note
  The API key is not provided again. You must store it in a secure location for future reference. If the API key is compromised or lost, create a new API key and delete the compromised one.
- Enter a description detailing the store used for the API key, and then select Confirm.
API keys are organized under each client on the API Keys page. Expand the client to view your API keys, the descriptions, and when client details were created.
After you have provisioned your API credentials in the portal, retrieve a temporary bearer token to authenticate calls to the Kount 360 API. Provide the API key in an HTTP POST to a specific login.equifax.com URL.
With a successful exchange, the returned JSON provides the bearer token in the access_token property and the token lifetime in the expires_in property, given in seconds until expiration. The API to retrieve the bearer token depends on whether you are calling the sandbox or production environment.
The values are:
Sandbox
- Auth Server URL: https://login-uat.equifax.com/as/token
- API Service Host: https://api-sandbox.kount.com
Production
- Auth Server URL: https://login.equifax.com/as/token
- API Service Host: https://api.kount.com
After obtaining the bearer token, use it to authenticate requests to the Kount 360 API. Include the token in the Authorization header of each HTTP API request, in the form Bearer {bearer token}.
To prevent authentication issues, refresh the token before it expires. Tokens issued by login.equifax.com expire after 20 minutes, but client credentials remain valid unless revoked. Minimize calls to the /token endpoint by implementing token expiration handling in your customer applications. Always check if a token has expired before requesting a new one, as excessive calls to the /token endpoint could result in rate limiting.
Authorized Payment Protection requires a real-time API integration at the point of payment during an account-to-account bank transfer journey. The API sends Kount 360 information about the origin and destination bank accounts. We use this information to calculate the network-based risk of the destination bank account with a machine learning model.
Sandbox Endpoint: https://api-sandbox.kount.com/app/v1/transactions
Production Endpoint: https://api.kount.com/app/v1/transactions
Method: POST
Header Authorization: OAuth2
Header Content Type: application/JSON
Body: Refer to the Authorized Payment Protection API Specifications.
Go to Authorized Payment Protection API Reference for the full endpoint documentation.