Fraud Detection
How apikee.dev detects and blocks abusive API usage.
Fraud detection runs server-side on every validated request in server mode. It requires no configuration — it works automatically once you connect to apikee.dev.
What gets checked
IP whitelisting — if a client has ipWhitelist configured, requests from unlisted IPs are rejected with 403. The IP is read from x-forwarded-for, x-real-ip, or the connection remote address in that order.
Velocity checks — the platform tracks request rates per key, per client, and per IP. Sudden spikes (e.g. 100× normal rate in 60 seconds) trigger a fraud signal.
Rate limit enforcement — if a client has a template assigned, requests that exceed the assigned limit bucket return a 429 from the validation endpoint.
Anomaly signals — the platform builds a baseline of normal behaviour per client (request timing, user-agent patterns, geographic distribution). Significant deviations are flagged.
Response on rejection
When a server-side check fails, the validation endpoint returns:
{ "success": false }
The SDK then raises an error (or allows the request through if fail_open: true). Your middleware returns:
{
"error": "SERVER_REJECTED",
"message": "Server validation failed"
}
HTTP status: 401 Unauthorized.
IP whitelisting per client
Set IP restrictions when creating or updating a client:
curl -X POST "https://apikee.dev/api/v1/client?project_env=my-api-production" \
-H "x-api-key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"name": "Acme Corp Backend",
"type": "service",
"ipWhitelist": [
"203.0.113.1",
"198.51.100.0/24",
"2001:db8::/48"
]
}'
IP whitelisting is most useful for service-to-service API keys where the caller IP is known and stable. For end-user keys issued to mobile or browser clients, leave ipWhitelist empty.
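A worked example, added here and not apikee.dev's own code, of the whitelist rule and the rejection mapping described above: it resolves the client IP in the documented header order, matches it against single addresses and IPv4/IPv6 CIDR ranges, and maps a {"success": false} reply to the middleware's 401 response. The function names are assumptions; the headers and addresses are constructed sample values.

```python
import ipaddress
from typing import Mapping, Sequence

# Lookup order as documented: x-forwarded-for, then x-real-ip, then the
# connection's remote address. x-forwarded-for can carry a comma-separated
# proxy chain; the first entry is the originating client. Only trust these
# headers when a proxy you control sets or overwrites them on the way in.
IP_HEADER_ORDER = ("x-forwarded-for", "x-real-ip")

def resolve_client_ip(headers: Mapping[str, str], remote_addr: str) -> str:
    """Return the client IP using the documented header precedence."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in IP_HEADER_ORDER:
        value = lowered.get(name, "")
        if value.strip():
            return value.split(",")[0].strip()
    return remote_addr

def ip_allowed(ip: str, ip_whitelist: Sequence[str]) -> bool:
    """True if ip matches any entry (single address or CIDR, v4 or v6)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable address never matches
    for entry in ip_whitelist:
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # skip malformed whitelist entries rather than fail open
        if addr.version == network.version and addr in network:
            return True
    return False

def whitelist_check(headers, remote_addr, ip_whitelist):
    """Mirror the server-side rule: empty list = unrestricted; unlisted IP -> 403."""
    if not ip_whitelist:
        return 200, {"success": True}
    ip = resolve_client_ip(headers, remote_addr)
    if ip_allowed(ip, ip_whitelist):
        return 200, {"success": True}
    return 403, {"success": False}

def middleware_response(server_body, fail_open=False):
    """Map the validation endpoint's reply to what the middleware returns."""
    if server_body.get("success") is True or fail_open:
        return 200, None
    return 401, {"error": "SERVER_REJECTED", "message": "Server validation failed"}
```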
Viewing signals in logs
Fraud signals and rate limit hits appear in the logs as error status entries. Query them:
curl "https://apikee.dev/api/v1/project/my-api-production/logs?status=error&limit=50" \
-H "x-api-key: sk_live_..."
