Discussing APIs and development related to customers, discounts, and order management.
Hello,
Would anyone be able to supply some information regarding how long it takes the order risk information to be available via the API endpoint once an order is placed? Currently we are dealing with a customer placing multiple orders with fraudulent/stolen CC's and are trying to implement a solution to flag the order for review within our internal processes. We've got some logic in place and are analyzing what we can do if the risks data isn't immediately available at the time the webhook is called, but I figured I'd start here.
Quick rundown of our current order process:
Thanks for any info that anyone can provide.
Hello,
I have the same question, and I see it was not answered here, but I am wondering if you have any more information about this. In your experience, does the order risk API ever come back "pending?" Or does it always (or 99% of the time) instantly have the order risk data?
Thanks,
Eric
When we were looking at using the Order Risk API, it would be anywhere between 2-30 minutes before risk data would be present in the response. I've seen a few places where people have stated that risk data should be present as soon as the order is paid for. That could be when the order is created via the storefront checkout (instant) or a draft order is technically "paid for" after the completed, rather than at creation time, so the flow differs a bit depending on how the order was placed.
We ultimately decided on a solution that goes like this:
Order webhook -> Check for Risk -> import to business system
Recurring process that does the following:
Get open orders in business system -> Check for risk/Cancellation (Update Bus. Sys.) -> Check for tracking info -> Create Fulfillment if necessary
Also, there is a filter available in the Orders screen in the shopify admin where you can build and save a filter that just shows you orders with risks associated to help you keep an eye on issues that might come up.
Ultimately it would be nice to have a Webhook when a risk is created at a certain level, but for now it looks like Risk-related events are only available in Shopify Workflows if you have a Shopify Plus subscription.
Hope the info helps.
Interesting. 2-30 minutes? So far, I have seen it be immediate.
But you did put an Order Risk check in your webhook process... I assume that that is checking for Order Risk immediately after the order is created. Do you have any rough idea of how often the Order Risk data is available for the webhook process, i.e. immediately?
Thanks,
Eric
Yes our endpoint that receives the webhook immediately queries for risks for that order id and takes action if necessary.
They may have improved their processing time since we implemented the Risk check. We don't receive many at-risk orders (maybe 0-2 a month) so I don't have any useful analytics to share, unfortunately.
Thanks for the useful info.
I've done some load testing with webhook order creation, and can't get the Order Risk endpoint to *not* return the risk level immediately.
If this were to happen, do you know what the API response would look like?
Perhaps:
{
"risks": []
}
???
Need to be able to handle this case without being able to generate or test for it!
Thanks.
We drive all of our logic on certain attribute values of the risk data.
Not sure what language you are using to handle your webhooks, but ours is written in C#
Here's a snippet of our code to handle risks:
if (riskJson.Risks?.Any(x => x.Recommendation == "cancel" || x.Recommendation == "investigate") ?? false) { //send an email here }
But the gist is, Check if Risks is null -> and see if any of them have a Recommendation of "cancel", then do something.
Given your snippet below, I would just check for null and length of 0. I would not rely on the data being empty or null, since there can be multiple risk entries for a single order, just look for any of them to match a certain condition and then take action.
If they've improved their risk analysis to be instant every time, then that's fantastic and you should at the minimum get an "accept" if everything checks out out. I'm not sure if there's a case for this, but if a risk were to be added some time after the webhook was sent, you may want to check for risks at multiple points throughout your fulfillment process. Hypothetically, if a stolen credit card or a suspicious IP was used to place multiple orders on your website, the system may create Risks for the orders placed using the same card or from the same IP. You would then need to check again at some point.