Overview
Device & IP analysis emits warning tags on ip_analyses[].warnings[] whenever it detects suspicious device, network, or location behavior. Six tags have a configurable action (Decline / Review / No action) per workflow node; the two blocklist tags always force Declined, and the two allowlist tags are always informational. Each warning’s log_type mirrors the action that applied: error (Decline), warning (Review), or information (No action). Each risk fires at most once per session.
Every risk below is verified against the live decision pipeline; warnings carry the feature tag LOCATION and the standard warning object shape.
The device fingerprint warnings are intentionally split into exact and recovered signals:
- DUPLICATED_DEVICE_FINGERPRINT means the same deterministic device identity (match_source persistent_id or legacy_fp) was reused across sessions with different vendor_data values.
- DEVICE_RECOVERED_HIGH_CONFIDENCE means v2 fingerprint recovery matched the session to a previously seen device after the persistent ID changed (storage cleared, incognito mode, app reinstall). The warning only appears when the match passes the high-confidence similarity threshold and hard gates.

Warnings produced
| Risk | Cause | log_type | Affects status | Recommended remediation |
|---|---|---|---|---|
| PRIVATE_NETWORK_DETECTED | is_vpn_or_tor was true — the session was opened via VPN, proxy, or Tor exit node. additional_data is null. | mirrors configured action | Configurable: Decline / Review / No action (default: No action). | Decide whether your risk tolerance allows masked traffic. If you accept it, leave on No action. |
| COUNTRY_FROM_DOCUMENT_DOES_NOT_MATCH_COUNTRY_FROM_IP | The ISO country of the ID document differs from the country derived from the IP address. additional_data carries both ISO-3 codes: document_country_code, ip_country_code. | mirrors configured action | Configurable: Decline / Review / No action (default: No action). | Review when the user travels legitimately. Decline when paired with VPN or duplicate-device signals. |
| EXPECTED_IP_ADDRESS_MISMATCH | The session was created with an expected IP address, and the live IP differs. additional_data carries expected_ip_address and actual_ip_address. | mirrors configured action | Configurable: Decline / Review / No action (default: No action). | Use when you pre-pin the IP at session creation. Refuse the session or step up auth on mismatch. |
| IP_ADDRESS_IN_BLOCKLIST | The session’s IP address matches an entry in the application’s IP blocklist. additional_data: ip_address. | always error | Forces Declined. | Reject the session. Audit the blocklist source for false positives if needed. |
| DEVICE_FINGERPRINT_IN_BLOCKLIST | The session’s device fingerprint matches an entry in the device blocklist. additional_data: device_fingerprint. | always error | Forces Declined. | Reject the session. |
| IP_ADDRESS_IN_ALLOWLIST | The session’s IP had duplicate matches but is on the application’s IP allowlist, so the duplicate-IP warning was skipped. additional_data: ip_address. | always information | None. | Use for trusted corporate NATs, QA networks, or known shared access points. |
| DEVICE_FINGERPRINT_IN_ALLOWLIST | The session’s device fingerprint had deterministic duplicate matches but is on the device allowlist, so the duplicate-device warning was skipped. additional_data: device_fingerprint. | always information | None. | Use only for trusted shared devices. Blocklists still take priority. |
| DUPLICATED_IP_ADDRESS | The same IP was used in another session with a different vendor_data. additional_data: duplicated_session_id, duplicated_session_number, api_service. Skipped when the IP is allowlisted. | mirrors configured action | Configurable: Decline / Review / No action (default: No action). | Common on corporate or shared NAT. Pair with other signals (duplicate device, country mismatch) before declining. |
| DUPLICATED_DEVICE_FINGERPRINT | The same deterministic device identity was reused across sessions with different vendor_data. additional_data: duplicated_session_id, duplicated_session_number, api_service, match_source (persistent_id or legacy_fp). Skipped when the fingerprint is allowlisted. | mirrors configured action | Configurable: Decline / Review / No action (default: No action). | Strong evidence of multi-account abuse. Review or decline depending on fraud tolerance. |
| DEVICE_RECOVERED_HIGH_CONFIDENCE | The v2 device recovery model matched the session to a previously seen device with high confidence, even after the persistent ID changed. additional_data: duplicated_session_id, duplicated_session_number, api_service, match_source (recovered_high), recovery_similarity, recovery_match_device_uuid. Not suppressed by the device allowlist. | mirrors configured action | Configurable: Decline / Review / No action (default: No action). | Start with Review, measure your false-positive rate, then tighten the action. Strong signal for storage-reset or incognito attempts. |

matches[]), DEVICE_RECOVERED_HIGH_CONFIDENCE still fires with a fallback additional_data shape: recovery_match_device_uuid, recovery_match_similarity, recovery_match_band, recovery_gate_reason.
Configurable settings
Per-node workflow controls (also configurable globally on the application’s verification settings; every action defaults to No action):

| Setting | Drives | Default |
|---|---|---|
| vpn_detection_action | PRIVATE_NETWORK_DETECTED | No action |
| ip_mismatch_action | COUNTRY_FROM_DOCUMENT_DOES_NOT_MATCH_COUNTRY_FROM_IP | No action |
| expected_ip_mismatch_action | EXPECTED_IP_ADDRESS_MISMATCH | No action |
| duplicated_ip_action | DUPLICATED_IP_ADDRESS | No action |
| duplicated_device_action | DUPLICATED_DEVICE_FINGERPRINT | No action |
| recovered_device_action | DEVICE_RECOVERED_HIGH_CONFIDENCE | No action |
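
The following is an added example, not code from the Didit documentation: a consumer-side triage of one ip_analyses[] entry that derives the strictest applied action from log_type, checks the fixed blocklist/allowlist behavior, and surfaces the signal pairings the remediation column recommends. The warning key name `risk` and the sample payload are assumptions.

```python
# Added example: triage one ip_analyses[] entry using the rules on this page.
# Assumption: the warning's tag is stored under the key "risk".
BLOCKLIST = {"IP_ADDRESS_IN_BLOCKLIST", "DEVICE_FINGERPRINT_IN_BLOCKLIST"}
ALLOWLIST = {"IP_ADDRESS_IN_ALLOWLIST", "DEVICE_FINGERPRINT_IN_ALLOWLIST"}
ACTION = {"error": "Decline", "warning": "Review", "information": "No action"}
RANK = {"No action": 0, "Review": 1, "Decline": 2}
MISMATCH = "COUNTRY_FROM_DOCUMENT_DOES_NOT_MATCH_COUNTRY_FROM_IP"


def triage(ip_analysis):
    """Return (strictest applied action, correlation hints, anomalies)."""
    seen, action, anomalies = {}, "No action", []
    for w in ip_analysis.get("warnings") or []:
        risk, log_type = w.get("risk"), w.get("log_type")
        if risk in seen:  # each risk fires at most once per session
            anomalies.append(f"{risk}: repeated in one session")
            continue
        seen[risk] = w
        applied = ACTION.get(log_type)
        if risk in BLOCKLIST and applied != "Decline":
            anomalies.append(f"{risk}: log_type should be error")
            applied = "Decline"  # blocklist tags always force Declined
        elif risk in ALLOWLIST and applied != "No action":
            anomalies.append(f"{risk}: log_type should be information")
            applied = "No action"  # allowlist tags are informational only
        elif applied is None:
            anomalies.append(f"{risk}: unknown log_type {log_type!r}")
            applied = "Review"  # fail toward a human look, never toward approval
        if RANK[applied] > RANK[action]:
            action = applied
    hints = []
    paired = {"PRIVATE_NETWORK_DETECTED", "DUPLICATED_DEVICE_FINGERPRINT"} & seen.keys()
    if MISMATCH in seen and paired:
        hints.append(f"{MISMATCH} paired with {', '.join(sorted(paired))}")
    if "DUPLICATED_IP_ADDRESS" in seen and not {MISMATCH, "DUPLICATED_DEVICE_FINGERPRINT"} & seen.keys():
        hints.append("DUPLICATED_IP_ADDRESS without a corroborating signal")
    return action, hints, anomalies


# Constructed sample payload (not real output): VPN plus country mismatch, both set to Review.
SAMPLE = {"warnings": [
    {"feature": "LOCATION", "risk": "PRIVATE_NETWORK_DETECTED",
     "log_type": "warning", "additional_data": None},
    {"feature": "LOCATION", "risk": MISMATCH, "log_type": "warning",
     "additional_data": {"document_country_code": "ESP", "ip_country_code": "NLD"}},
]}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
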
Duplicate device vs. recovered device
Treat the two warnings differently — they trigger on different evidence:

| Warning | Trigger | Typical meaning | Recommended first action |
|---|---|---|---|
| DUPLICATED_DEVICE_FINGERPRINT | Exact persistent device identity (persistent_id) or legacy fingerprint hash (legacy_fp) match. | Strong evidence that the same device appears across different users. | Review or Decline, depending on your fraud tolerance. |
| DEVICE_RECOVERED_HIGH_CONFIDENCE | High-confidence v2 recovery (recovered_high) after storage, session, or app identity changed. | Strong signal for incognito / storage-reset / app-reinstall attempts. Intentionally separated so you can monitor it independently. | Review first, then tighten after measuring your false-positive rate. |
Cross-session matches
When the same IP address, exact device identity, or recovered device is detected across sessions belonging to different users, Didit records these as matches[] on ip_analyses[]. Sessions are grouped by vendor_data: sessions with the same vendor_data are treated as the same user and excluded from matches. Without vendor_data, every session is treated as a unique user and all potential duplicates are surfaced — we strongly recommend always providing vendor_data to reduce noise.
Each match includes:
- session_id, session_number, vendor_data, and verification_date of the matching session, plus its lifecycle status and api_service (null for workflow sessions); source is always session
- match_type — ip_address or device_fingerprint
- match_source — ip_address, persistent_id, legacy_fp, or recovered_high
- matched_value — the shared IP, the device identifier, or (for recovered matches) the recovered device UUID
- confidence (0–1, 1 - P(false positive)) and match_mode (deterministic / probabilistic / co_occurrence)
- device_info — device_brand, device_model, browser_family, os_family, platform, device_fingerprint
- location_info — ip_address, ip_country, ip_country_code, ip_state, ip_city, is_vpn_or_tor, is_data_center
- Recovered-device extras when match_source is recovered_high: recovery_similarity, tls_ja4_corroborated, recovery_gate_reason
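
The following is an added example, not Didit's implementation: a simplified model of the vendor_data grouping rule described above, showing how omitting vendor_data turns one user's retries into cross-session matches. The session records, their field layout, and the helper names are constructed for illustration; only IP and persistent-ID matching is modeled.

```python
# Added example: simplified model of the vendor_data grouping rule, not Didit's code.
# The session records and their field layout are constructed for illustration.

def user_key(session):
    """Same vendor_data means same user; without it each session is its own user."""
    vendor_data = session.get("vendor_data")
    if vendor_data:
        return ("vendor_data", vendor_data)
    return ("session", session["session_id"])


def cross_session_matches(current, history):
    """List earlier sessions of other users that share an IP or persistent ID."""
    matches = []
    for past in history:
        if user_key(past) == user_key(current):
            continue  # same user: excluded from matches
        for match_type, source in (("ip_address", "ip_address"),
                                   ("device_fingerprint", "persistent_id")):
            value = current.get(source)
            if value is not None and value == past.get(source):
                matches.append({
                    "session_id": past["session_id"],
                    "vendor_data": past.get("vendor_data"),
                    "match_type": match_type,
                    "match_source": source,
                    "matched_value": value,
                })
    return matches


def without_vendor_data(session):
    """Copy of a session as it would look if the integrator sent no vendor_data."""
    return {**session, "vendor_data": None}


# Constructed data: user-17 retries twice; user-42 shares the same network and device.
DEVICE = {"ip_address": "198.51.100.7", "persistent_id": "dev-A"}
HISTORY = [
    {"session_id": "s1", "vendor_data": "user-17", **DEVICE},
    {"session_id": "s2", "vendor_data": "user-17", **DEVICE},
    {"session_id": "s3", "vendor_data": "user-42", **DEVICE},
]
CURRENT = {"session_id": "s4", "vendor_data": "user-17", **DEVICE}

if __name__ == "__main__":
    print(len(cross_session_matches(CURRENT, HISTORY)))
    anon = [without_vendor_data(s) for s in HISTORY]
    print(len(cross_session_matches(without_vendor_data(CURRENT), anon)))
```

With vendor_data present, only user-42's session is reported; with it stripped, user-17's own retries are reported as well.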
Examples
VPN + country mismatch (configured to Review)
Blocklist hit (forces decline)
Recovered-device high confidence (configured to Review)
Related
- Device & IP analysis report — full response shape and status semantics
- Device & IP analysis overview — what each block measures
- Data models — IP analysis — canonical schema
- Webhooks — status.updated carries IP analysis warnings