# Request ID Security

Request IDs are temporary tokens that carry fraud assessment data. If attackers steal and reuse them, they can completely bypass your fraud detection.

***

### How Request ID Attacks Work

<figure><img src="/files/anBE4Rc5mm3zB9S2Bi6l" alt=""><figcaption></figcaption></figure>

**The Problem**: Your server sees a valid request ID with good fraud scores, but it's being used by an attacker.

{% hint style="warning" %}
💡 Want early access to Guardian? We're currently onboarding select partners for our closed beta program. [Request Beta Access →](mailto:piero.bassa@mugshotlabs.co)
{% endhint %}

***

### Essential Security Measures

#### 1. Request ID Expiration

```javascript
// Check if request ID is too old
const eventTime = new Date(event.identification.timestamp);
const ageHours = (Date.now() - eventTime.getTime()) / (1000 * 60 * 60);

if (ageHours > 24) {
  return res.status(400).json({ error: 'Fraud check expired' });
}
```

#### 2. Usage Frequency Tracking

```javascript
// Track how many times request ID has been used
const usageCount = await getRequestIdUsage(requestId);

if (usageCount > 3) {
  return res.status(429).json({ error: 'Request ID overused' });
}
```

#### 3. Action-Specific Limits

**Risk-based expiration times:**

* **Profile updates**: 24 hours (low risk)
* **Account changes**: 6 hours (medium risk)
* **Payments**: 1 hour (high risk)
* **Password changes**: 15 minutes (critical)

{% hint style="danger" %}
**Never cache request IDs for more than 24 hours.** \
\
Request IDs contain time-sensitive fraud assessments that lose accuracy over time. Longer caching periods create security vulnerabilities and reduce fraud detection effectiveness.
{% endhint %}

***

### Real-World Impact

#### Attack Examples

* **E-commerce**: Fraudster uses intercepted request ID to validate stolen credit card purchases
* **Banking**: Attacker replays request ID to authorize unauthorized transfers
* **SaaS**: Bulk account creation using harvested "legitimate" fraud assessments

#### Detection Patterns

Watch for these attack indicators:

* Same request ID used from multiple IP addresses
* High frequency of expired request ID attempts
* Geographic inconsistencies (ID generated in US, used in Russia)
* Burst patterns of request ID usage

***

### Implementation Recommendations

#### Security Levels by Action

| Action Type         | Max Age    | Max Usage | Why                                |
| ------------------- | ---------- | --------- | ---------------------------------- |
| **View Profile**    | 24 hours   | 10 uses   | Low risk, user convenience         |
| **Update Account**  | 6 hours    | 3 uses    | Medium risk, reasonable reuse      |
| **Process Payment** | 1 hour     | 2 uses    | High risk, fresh validation needed |
| **Change Password** | 15 minutes | 1 use     | Critical, single-use only          |

#### Response Strategy

* **Low violations**: Log and monitor patterns
* **Medium violations**: Require fresh fraud check
* **High violations**: Block transaction and alert security team
* **Critical violations**: Consider temporary IP restrictions

***

### Key Takeaways

**Request IDs are security tokens** - treat them like temporary API keys:

* ✅ Set expiration based on action risk level
* ✅ Limit usage frequency to prevent replay attacks
* ✅ Monitor patterns and alert on suspicious activity
* ❌ Don't ignore age or usage validation

**Balance security with user experience** - start strict and adjust based on user feedback and attack patterns.

***

**Questions about implementing request ID security for your risk tolerance?** Our team helps customers find the right balance between protection and user experience.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.guardianstack.ai/documentation/protect-your-implementation/request-id-security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.