ONCE Fraud API
Fraud scoring for music releases, in one API call
The ONCE Fraud API takes an email address and returns a weighted risk score and the exact flags behind it. It is powered by ONCE Fraud Detection, the same system that protects the ONCE catalog, and it hands back only scores and flags, never sensitive data.
What it does
One endpoint, one clear answer
Ask the Fraud API about an email and it tells you how risky the account looks and why. No pipelines to build, no sensitive data to handle.
Email in, score and flags out
POST a single email address and get back one weighted risk score from 0 to maxScore, a severity band, and the exact flags that fired. Nothing else to wire up.
Secure by design
The response carries only scores and flags. Never IPs, personal data, account details, or any internal detection method. Safe to store and act on in your own systems.
Seven signal categories
Every flag is tagged with a category and a severity, so you can route decisions by what actually fired instead of trusting one opaque number.
Simple REST plus an API key
One POST endpoint, bearer auth with a ONCE API key, JSON in and JSON out. No SDK required, no separate signup, no webhooks to manage.
Request and response
A single POST, JSON back
Send an email to the scoring endpoint with your API key. The score is a weighted total out of maxScore, and every flag explains itself.
Request
curl -X POST https://once.app/v1/fraud/score \
-H "Authorization: Bearer once_pat_xxx" \
-H "Content-Type: application/json" \
-d '{"email":"artist@example.com"}'Response 200 · application/json
{
"email": "artist@example.com",
"score": 145,
"maxScore": 300,
"severity": "high",
"computedAt": "2026-07-05T07:30:00Z",
"flags": [
{
"code": "banned_account_metadata_match",
"label": "Release metadata matches a banned account",
"category": "account_integrity",
"severity": "high",
"triggered": true,
"points": 60
},
{
"code": "audio_match_multiple",
"label": "Audio fingerprint matches on multiple tracks",
"category": "rights",
"severity": "high",
"triggered": false,
"points": 0
}
]
}Authenticate with a ONCE API key
Create a personal access token in the ONCE dev center under Settings, then Developer, with the once:fraud scope enabled. Send it as Authorization: Bearer once_pat_xxx. Auth is your ONCE account plus the key, so there is no separate signup for the API.
Predictable limits and errors
The free tier allows 60 requests per minute and 1,000 per day per account, and the limits are tunable. Expect 403 when the key is missing the once:fraud scope, 404 when there is no ONCE account for that email, and 429 when you hit the rate limit or daily quota.
What you get back
Seven signal categories
Every flag in the response is tagged with one of these categories, a severity of low, medium, high, or critical, and the points it contributed to the score.
Rights
Rights and audio conflicts, like a fingerprint that matches existing tracks.
Account integrity
Signals that a release ties back to a banned or duplicated account.
Content
Problems in the release itself: metadata, artwork, and title issues.
Distribution
Patterns in how and where a release is being pushed out.
Streaming
Streaming and playback signals associated with manipulation.
Behavior
Account and release behavior seen over time.
Abuse
Direct abuse signals that put a catalog at risk.
Security promise
Scores and flags. Nothing sensitive.
The ONCE Fraud API returns only scores and flags. It never returns IPs, personal data, account details, or any internal detection method. That means the response is safe to log, store, and act on inside your own systems without carrying any sensitive data about the account you scored.
Free while the beta is open
The ONCE Fraud API is free for a limited time during the public beta. This free period is temporary and will end. When the beta closes, the API moves to usage-based pricing.
We announce pricing and give notice before anything changes, so nothing starts billing silently. Start now while it is free, on 60 requests per minute and 1,000 per day.