To integrate the Risk Application SDK, your organization must be configured on Highnote's systems. Please contact your Highnote representative for support.
The Highnote Risk Application SDK strengthens your ability to mitigate fraud when onboarding users.
The SDK is meant to be used when an applicant enters their personal information in the process of creating a Highnote account holder. To measure a user's fraud risk level, the SDK analyzes their device, biometric, and behavioral data, plus the validity of their identity information.
You can install the Risk Application SDK using JavaScript package managers or CDN. Refer to the SDK Installation guide.
To set up and use the Risk Application SDK:
Step 1: Generate a server-side session token with your Highnote API key.
Step 2: Prepare your HTML to automatically extract account holder application data.
Step 3: Initialize the SDK by passing the session token in the HTML payload.
Step 4: Create an account holder with the returned SDK client token.
To generate a session token, your organization must be configured on Highnote's systems. Please contact your Highnote representative for support.
Using your Highnote API key, generate a session token on the application's backend server. Your application extracts the session token value from the response, then passes it in the HTML payload to the client-side environment. This token authorizes the client-side SDK to communicate with Highnote's systems for a specific application session.
On your server, call the following mutation to return a `sessionToken`:
The Risk Application SDK relies on specific conventions within the HTML form to automatically extract account holder application data. The SDK leverages standard DOM attributes, particularly `name` and `id`, on input elements to identify and collect the relevant data points. For a smooth integration, it is important that you adhere to established HTML practices.
Highnote requires that you use the HTML `autocomplete` attribute for the following fields:
If your application enforces a Content Security Policy (CSP), you must set the `frame-src` directive to allow iframes from the Sardine domain:
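One way to apply this to a policy you already serve, as an added example (not Highnote's code): the helper adds an origin to `frame-src` while keeping the sources that frames previously inherited from `child-src` or `default-src`. `SARDINE_ORIGIN` is a placeholder because the actual domain is not shown here, and the function names are hypothetical.

```javascript
// Added example: merge an extra iframe source into an existing CSP string.
// SARDINE_ORIGIN is a placeholder; take the real value from Highnote's docs.
const SARDINE_ORIGIN = "https://sardine-domain.example";

// Parse "name value value; name value" into a Map, preserving directive order.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so keep only the first one.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives]
    .map(([name, values]) => [name, ...values].join(" "))
    .join("; ");
}

// Return a policy whose frame-src allows `origin`, leaving other rules intact.
function allowFrameSource(policy, origin) {
  const directives = parseCsp(policy);
  if (!directives.has("frame-src")) {
    // frame-src falls back to child-src, then default-src. Creating it from
    // nothing would silently drop those inherited sources, so copy them.
    const inherited = directives.get("child-src") ?? directives.get("default-src");
    // No fallback at all means frames are unrestricted: leave the policy alone.
    if (inherited === undefined) return serializeCsp(directives);
    directives.set("frame-src", [...inherited]);
  }
  // 'none' must stand alone, so drop it before adding a real source.
  const sources = directives
    .get("frame-src")
    .filter((s) => s.toLowerCase() !== "'none'");
  if (!sources.includes(origin) && !sources.includes("*")) sources.push(origin);
  directives.set("frame-src", sources);
  return serializeCsp(directives);
}
```

Run your current header value through `allowFrameSource(currentPolicy, SARDINE_ORIGIN)` and compare the result with the original before deploying it.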
The following example demonstrates the required HTML setup:
To initialize the SDK, import the `initializeRiskApplicationSdk` library and pass the session token value. The SDK returns a client token which you can use to create an account holder in Step 4.
To create a Person or Business account holder, refer to the Highnote Quick Start Templates.
Use the client token returned by the `RiskApplicationSdkReturn` object in Step 3. Send the client token in your `Authorization` header as a Bearer token. The token is active for 30 minutes (rather than the typical 10).
The following error types are supported for the Risk Application SDK:
Error Name | Trigger |
---|---|
AccountHolderFormMissingRequiredField | Required field for autocomplete is missing during init |
AccessDeniedError | Response is of type AccessDeniedError |
UserError | Response is of type UserError |
In the test environment, you can trigger varying fraud risk levels using the Person Account Holder’s email.
Highnote defines an application as `APPROVED`, `IN_REVIEW`, or `DENIED` based on the assessed fraud risk level and the applicant’s identity verification. Identity checks are not performed on the application if the risk score results in a `DENIED` decision.
EMAIL VALUE | RISK LEVEL | APPLICATION STATUS |
---|---|---|
low-risk@test.com | LOW | APPROVED |
medium-risk@test.com | MEDIUM | IN_REVIEW |
high-risk@test.com | HIGH | IN_REVIEW |
very-high-risk@test.com | VERY HIGH | IN_REVIEW |
Using simulated values on the Account Holder’s information may result in different application outcomes based on verification of the applicant’s identity. For more, see the Simulate Application Review guide.
By default, the SDK makes requests against the test environment. When you are ready to switch to live, set the environment configuration option:
You can look up the features on your Organization to see if the Risk Application SDK has been enabled.