--- title: "Step 2: Create a risk evaluation" component: pingone-api page_id: pingone-api:workflow-library:pingone-protect/create-a-risk-evaluation/step-2-create-a-risk-evaluation canonical_url: https://developer.pingidentity.com/pingone-api/workflow-library/pingone-protect/create-a-risk-evaluation/step-2-create-a-risk-evaluation.html section_ids: headers: Headers body: Body example-request: Example Request example-response: Example Response --- # Step 2: Create a risk evaluation ##   ```none POST {{apiPath}}/v1/environments/{{envID}}/riskEvaluations ``` The `POST {{apiPath}}/v1/environments/{{envID}}/riskEvaluations` operation creates a new risk evaluation resource associated with the environment specified in the request URL. The request body defines the event that is processed for risk evaluation. The request body specifies the `riskPolicySet.id` property value created in the [Create a risk policy set](../create-a-risk-policy-set.html) use case. Note that if a risk policy set ID is not specified, the operation uses the environment's default risk policy set. ### Headers Authorization      Bearer {{accessToken}} Content-Type      application/json ### Body raw ( application/json ) ```json { "riskPolicySet.id": "{{riskPolicySetID}}", "event": { "ip": "156.35.85.124", "user": { "id": "{{userID}}", "type": "EXTERNAL" } } } ``` ## ### Example Request * cURL * C# * Go * HTTP * Java * jQuery * NodeJS * Python * PHP * Ruby * Swift ```shell curl --location --globoff '{{apiPath}}/v1/environments/{{envID}}/riskEvaluations' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer {{accessToken}}' \ --data '{ "riskPolicySet.id": "{{riskPolicySetID}}", "event": { "ip": "156.35.85.124", "user": { "id": "{{userID}}", "type": "EXTERNAL" } } }' ``` ```csharp var options = new RestClientOptions("{{apiPath}}/v1/environments/{{envID}}/riskEvaluations") { MaxTimeout = -1, }; var client = new RestClient(options); var request = new RestRequest("", Method.Post); request.AddHeader("Content-Type", "application/json"); request.AddHeader("Authorization", "Bearer {{accessToken}}"); var body = @"{" + "\n" + @" ""riskPolicySet.id"": ""{{riskPolicySetID}}""," + "\n" + @" ""event"": {" + "\n" + @" ""ip"": ""156.35.85.124""," + "\n" + @" ""user"": {" + "\n" + @" ""id"": ""{{userID}}""," + "\n" + @" ""type"": ""EXTERNAL""" + "\n" + @" }" + "\n" + @" }" + "\n" + @"}"; request.AddStringBody(body, DataFormat.Json); RestResponse response = await client.ExecuteAsync(request); Console.WriteLine(response.Content); ``` ```golang package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "{{apiPath}}/v1/environments/{{envID}}/riskEvaluations" method := "POST" payload := strings.NewReader(`{ "riskPolicySet.id": "{{riskPolicySetID}}", "event": { "ip": "156.35.85.124", "user": { "id": "{{userID}}", "type": "EXTERNAL" } } }`) client := &http.Client { } req, err := http.NewRequest(method, url, payload) if err != nil { fmt.Println(err) return } req.Header.Add("Content-Type", "application/json") req.Header.Add("Authorization", "Bearer {{accessToken}}") res, err := client.Do(req) if err != nil { fmt.Println(err) return } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { fmt.Println(err) return } fmt.Println(string(body)) } ``` ```http POST /v1/environments/{{envID}}/riskEvaluations HTTP/1.1 Host: {{apiPath}} Content-Type: application/json Authorization: Bearer {{accessToken}} { "riskPolicySet.id": "{{riskPolicySetID}}", "event": { "ip": "156.35.85.124", "user": { "id": "{{userID}}", "type": "EXTERNAL" } } } ``` ```java OkHttpClient client = new OkHttpClient().newBuilder() .build(); MediaType mediaType = MediaType.parse("application/json"); RequestBody body = RequestBody.create(mediaType, "{\n \"riskPolicySet.id\": \"{{riskPolicySetID}}\",\n \"event\": {\n \"ip\": \"156.35.85.124\",\n \"user\": {\n \"id\": \"{{userID}}\",\n \"type\": \"EXTERNAL\"\n }\n }\n}"); Request request = new Request.Builder() .url("{{apiPath}}/v1/environments/{{envID}}/riskEvaluations") .method("POST", body) .addHeader("Content-Type", "application/json") .addHeader("Authorization", "Bearer {{accessToken}}") .build(); Response response = client.newCall(request).execute(); ``` ```javascript var settings = { "url": "{{apiPath}}/v1/environments/{{envID}}/riskEvaluations", "method": "POST", "timeout": 0, "headers": { "Content-Type": "application/json", "Authorization": "Bearer {{accessToken}}" }, "data": JSON.stringify({ "riskPolicySet.id": "{{riskPolicySetID}}", "event": { "ip": "156.35.85.124", "user": { "id": "{{userID}}", "type": "EXTERNAL" } } }), }; $.ajax(settings).done(function (response) { console.log(response); }); ``` ```javascript var request = require('request'); var options = { 'method': 'POST', 'url': '{{apiPath}}/v1/environments/{{envID}}/riskEvaluations', 'headers': { 'Content-Type': 'application/json', 'Authorization': 'Bearer {{accessToken}}' }, body: JSON.stringify({ "riskPolicySet.id": "{{riskPolicySetID}}", "event": { "ip": "156.35.85.124", "user": { "id": "{{userID}}", "type": "EXTERNAL" } } }) }; request(options, function (error, response) { if (error) throw new Error(error); console.log(response.body); }); ``` ```python import requests import json url = "{{apiPath}}/v1/environments/{{envID}}/riskEvaluations" payload = json.dumps({ "riskPolicySet.id": "{{riskPolicySetID}}", "event": { "ip": "156.35.85.124", "user": { "id": "{{userID}}", "type": "EXTERNAL" } } }) headers = { 'Content-Type': 'application/json', 'Authorization': 'Bearer {{accessToken}}' } response = requests.request("POST", url, headers=headers, data=payload) print(response.text) ``` ```php setUrl('{{apiPath}}/v1/environments/{{envID}}/riskEvaluations'); $request->setMethod(HTTP_Request2::METHOD_POST); $request->setConfig(array( 'follow_redirects' => TRUE )); $request->setHeader(array( 'Content-Type' => 'application/json', 'Authorization' => 'Bearer {{accessToken}}' )); $request->setBody('{\n "riskPolicySet.id": "{{riskPolicySetID}}",\n "event": {\n "ip": "156.35.85.124",\n "user": {\n "id": "{{userID}}",\n "type": "EXTERNAL"\n }\n }\n}'); try { $response = $request->send(); if ($response->getStatus() == 200) { echo $response->getBody(); } else { echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' . $response->getReasonPhrase(); } } catch(HTTP_Request2_Exception $e) { echo 'Error: ' . $e->getMessage(); } ``` ```ruby require "uri" require "json" require "net/http" url = URI("{{apiPath}}/v1/environments/{{envID}}/riskEvaluations") http = Net::HTTP.new(url.host, url.port); request = Net::HTTP::Post.new(url) request["Content-Type"] = "application/json" request["Authorization"] = "Bearer {{accessToken}}" request.body = JSON.dump({ "riskPolicySet.id": "{{riskPolicySetID}}", "event": { "ip": "156.35.85.124", "user": { "id": "{{userID}}", "type": "EXTERNAL" } } }) response = http.request(request) puts response.read_body ``` ```swift let parameters = "{\n \"riskPolicySet.id\": \"{{riskPolicySetID}}\",\n \"event\": {\n \"ip\": \"156.35.85.124\",\n \"user\": {\n \"id\": \"{{userID}}\",\n \"type\": \"EXTERNAL\"\n }\n }\n}" let postData = parameters.data(using: .utf8) var request = URLRequest(url: URL(string: "{{apiPath}}/v1/environments/{{envID}}/riskEvaluations")!,timeoutInterval: Double.infinity) request.addValue("application/json", forHTTPHeaderField: "Content-Type") request.addValue("Bearer {{accessToken}}", forHTTPHeaderField: "Authorization") request.httpMethod = "POST" request.httpBody = postData let task = URLSession.shared.dataTask(with: request) { data, response, error in guard let data = data else { print(String(describing: error)) return } print(String(data: data, encoding: .utf8)!) } task.resume() ``` ### Example Response 201 Created ```json { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/riskEvaluations/df73c23c-71f7-44c7-b9d0-57ae92f20206" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "event": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/riskEvaluations/df73c23c-71f7-44c7-b9d0-57ae92f20206/event" } }, "id": "df73c23c-71f7-44c7-b9d0-57ae92f20206", "environment": { "id": "abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "createdAt": "2026-04-22T15:34:04.081Z", "updatedAt": "2026-04-22T15:34:04.081Z", "event": { "completionStatus": "IN_PROGRESS", "ip": "156.35.85.124", "flow": { "type": "AUTHENTICATION" }, "user": { "id": "7e209c35-8598-4ac9-822b-27167608fb87", "type": "EXTERNAL" } }, "riskPolicySet": { "id": "38c4cd3e-3802-0fb8-3cc9-2d8ed1b0b26b", "name": "Fallback Risk Policy" }, "result": { "level": "LOW", "mitigations": [ { "action": "MFA" } ], "type": "VALUE" }, "details": { "ipAddressReputation": { "score": 0, "domain": { "asn": 766, "sld": "uniovi", "tld": "es", "organization": "universidad de oviedo", "isp": "entidad publica empresarial red.es" }, "level": "LOW" }, "anonymousNetworkDetected": false, "country": "spain", "device": { "os": {}, "browser": {} }, "state": "asturias", "city": "oviedo", "impossibleTravel": false, "geoVelocity": { "level": "LOW", "type": "GEO_VELOCITY" }, "newDevice": { "reason": "This device cannot be identified", "status": "MISSING_DEVICE_IDENTIFIER", "type": "DEVICE" }, "ipRisk": { "level": "LOW", "type": "IP_REPUTATION" }, "anonymousNetwork": { "level": "LOW", "type": "ANONYMOUS_NETWORK" } } } ```