The two-call model: browser collects, backend decides
by AbuseGraph Engineering
The problem with single-call fraud SDKs
Many fraud products ask the browser to talk to a third party and then trust whatever comes back. That is simple — and usually the wrong shape for account protection.
Typical problems:
- More personal data than necessary leaves your environment early
- The browser can tamper with a verdict before your backend sees it
- Your critical signup path depends on a black-box third party
- Server-side context you already have never informs the decision
The two-call model
AbuseGraph separates the work into two steps:
text
Call 1 — Browser → AbuseGraph
Collect limited device and session context
Return a short-lived, integrity-protected token + preliminary view
Call 2 — Your backend → AbuseGraph
Attach the identifiers and event context you already hold
Receive the authoritative score, verdict, and reasonsCall 1: collect in the browser
Your frontend gathers the context needed for a first look — without treating the browser as the source of truth for the final decision.
Call 2: decide on your backend
Your server completes the check with the email, event type, and other context you already process for signup or login. That is where the authoritative result belongs.
Why this is better
| Concern | Single-call | Two-call |
|---|---|---|
| Personal data | Third party often sees everything up front | Sensitive identifiers stay on the path you control |
| Integrity | Browser can rewrite the outcome | Integrity-protected handoff between steps |
| Enrichment | Limited to what the browser knows | Your backend context can inform the final result |
| Ownership | Vendor owns the moment of truth | You enforce policy in your app |
What we keep private
We publish the contract: what you send, what you get back, and how to enforce it. We do not publish how tokens are formed, which enrichments run, or how scores are composed. Customers need a trustworthy decision path. Attackers do not need a map.
Trade-offs
The two-call model adds a small amount of coordination between browser and backend. In return you get stronger integrity, cleaner data boundaries, and enforcement that stays in your product.
For account protection, that tradeoff is usually the right one.