Verdicts
In one sentence
A verdict is a country, a confidence, an alarm level, and a coarse location region — Octet's answer, not a decision; what you do with it is your policy.
The fields
Your backend reads a small, fixed set of fields — the stable, supported surface.
| Field | Type | Meaning |
|---|---|---|
country | ISO 3166-1 alpha-2 string (e.g. "DE") | Octet's estimate of the browser's country of origin for this session. |
confidence | number, 0–1 | How confident Octet is in that estimate. Higher is more confident. |
alarm | "none" | "low" | "medium" | "high" | An escalation indicator for this session. Higher means more reason to treat the session cautiously. |
| location region | estimatedLocation + confidenceRadiusKm / feasibleRegion | A coarse "where" — an estimated point and its uncertainty area (a circle, or a polygon when one was computed). Approximate, never a pinpoint. |
{
"country": "DE",
"confidence": 0.91,
"alarm": "none",
"estimatedLocation": { "lat": 52.52, "lon": 13.40 },
"confidenceRadiusKm": 35
}
Full field reference (types, the polygon, optionality): Verdict Schema.
How to read it
confidencetells you how much weight to put oncountry. Pick a threshold that fits your risk tolerance; treat low-confidence verdicts as "not enough signal", not as a negative result.alarmis a separate axis from confidence. Use it to decide how cautious to be with a session — for example, allow onnone, log onlow, step up to a challenge onmedium/high. The exact mapping is yours.
The browser result is advisory; your backend is the source of truth
The verify() call in the browser resolves when collection finishes, and behind the edge it may carry a coarse result. Do not build policy on it — anything in the browser is client-controlled and can be tampered with. Always read the authoritative verdict on your backend, server-to-server, keyed by sessionRef.
What a verdict does NOT tell you
- It does not tell you why. You get
country,confidence, andalarm— never the signals or reasoning behind them. That reasoning runs on Octet's servers and is never returned. This is deliberate: exposing it would let it be tuned around. - It is not a decision. Octet never blocks, challenges, or allows anyone. It reports; you decide.
- It is not a precise location. You get a coarse estimate — a country, and an approximate location region (a point with an uncertainty radius or polygon) — not a street address or an exact pinpoint.
Where to go next
- Verdict Schema. Field types and ranges.
- Fetch the Verdict. How your backend reads it.
- Trust & Privacy. What is and isn't returned.