Skip to main content

Verdicts

In one sentence

A verdict is { country, confidence, alarm } — Octet's answer, not a decision; what you do with it is your policy.

The fields

Your backend reads three fields. These are the stable, supported surface.

FieldTypeMeaning
countryISO 3166-1 alpha-2 string (e.g. "DE")Octet's estimate of the browser's country of origin for this session.
confidencenumber, 01How confident Octet is in that estimate. Higher is more confident.
alarm"none" | "low" | "medium" | "high"An escalation indicator for this session. Higher means more reason to treat the session cautiously.
{ "country": "DE", "confidence": 0.91, "alarm": "none" }

Full field reference: Verdict Schema.

How to read it

  • confidence tells you how much weight to put on country. Pick a threshold that fits your risk tolerance; treat low-confidence verdicts as "not enough signal", not as a negative result.
  • alarm is a separate axis from confidence. Use it to decide how cautious to be with a session — for example, allow on none, log on low, step up to a challenge on medium/high. The exact mapping is yours.

The browser result is advisory; your backend is the source of truth

The verify() call in the browser resolves when collection finishes, and behind the edge it may carry a coarse result. Do not build policy on it — anything in the browser is client-controlled and can be tampered with. Always read the authoritative verdict on your backend, server-to-server, keyed by sessionRef.

What a verdict does NOT tell you

  • It does not tell you why. You get country, confidence, and alarm — never the signals or reasoning behind them. That reasoning runs on Octet's servers and is never returned. This is deliberate: exposing it would let it be tuned around.
  • It is not a decision. Octet never blocks, challenges, or allows anyone. It reports; you decide.
  • It is not a precise location. The answer is a country of origin and a confidence — not coordinates, not an address.

Where to go next