
# Use Akamai Supplemental Signals in Actions

> Learn how to use Auth0 Actions with Akamai Supplemental Signals.

<Warning>
  Supplemental Signals is available for Enterprise customers, and you must request the Attack Protection Add-on. Contact [Auth0 Sales](https://auth0.com/get-started?place=header\&type=button\&text=talk%20to%20sales) for more information.
</Warning>

<Card title="Before you start">
  To use Akamai Supplemental Signals in Actions, you must:

  * [Configure Akamai as a reverse proxy](/docs/customize/custom-domains/self-managed-certificates)
  * [Configure Akamai to Send Supplemental Signals](/docs/secure/attack-protection/configure-akamai-supplemental-signals)
</Card>

Once you have configured Akamai to use Supplemental Signals, you can use the data provided in those signals in [Auth0 Actions](/docs/customize/actions).

## Supported Supplemental Signals by Action trigger

| Trigger                | Supplemental Signal objects                             | Event object                                                                                                                                                                                       |
| :--------------------- | :------------------------------------------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Login                  | <ul><li>`akamaiBot`</li><li>`akamaiUserRisk`</li></ul>  | [`event.authentication.riskAssessment.supplemental.akamai`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-event-object)                              |
| Pre-User Registration  | <ul><li> `akamaiBot`</li><li>`akamaiUserRisk`</li></ul> | [`event.authentication.riskAssessment.supplemental.akamai`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/pre-user-registration-trigger/pre-user-registration-event-object)   |
| Post-User Registration | <ul><li> `akamaiBot`</li><li>`akamaiUserRisk`</li></ul> | [`event.authentication.riskAssessment.supplemental.akamai`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/post-user-registration-trigger/post-user-registration-event-object) |
| Send Phone Message     | None                                                    | N/A                                                                                                                                                                                                |
| Post-Challenge         | <ul><li> `akamaiBot`</li><li>`akamaiUserRisk`</li></ul> | [`event.authentication.riskAssessment.supplemental.akamai`](/docs/customize/actions/explore-triggers/password-reset-triggers/post-challenge-trigger/post-challenge-event-object)                   |
| Post-Change Password   | <ul><li> `akamaiBot`</li><li>`akamaiUserRisk`</li></ul> | [`event.authentication.riskAssessment.supplemental.akamai`](/docs/customize/actions/explore-triggers/password-reset-triggers/post-change-password-trigger/post-change-password-event-object)       |
| Credentials Exchange   | None                                                    | N/A                                                                                                                                                                                                |

## Supplemental Signal object schemas

The `akamaiBot` and `akamaiUserRisk` objects contain multiple properties you can use to customize your authentication flow.

<ResponseField name="akamaiBot" type="object">
  <Expandable>
    <ResponseField name="action" type="string">
      The action of the Akamai bot manager results.

      Example: `Monitor`
    </ResponseField>

    <ResponseField name="botCategory" type="string[]">
      The bot category of the Akamai bot manager results.

      Example: `["Web Search Engine Bots"]`
    </ResponseField>

    <ResponseField name="botScore" type="number">
      The bot score of the Akamai bot manager results.

      Example: `90`
    </ResponseField>

    <ResponseField name="botScoreResponseSegment" type="string">
      The bot score response segment of the Akamai bot manager results.

      Example: `aggressive`
    </ResponseField>

    <ResponseField name="botnetId" type="string">
      The botnet ID of the Akamai bot manager results.

      Example: `googlebot`
    </ResponseField>

    <ResponseField name="type" type="string">
      The type of the Akamai bot manager results.

      Example: `Akamai-Categorized Bot`
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="akamaiUserRisk" type="object">
  <Expandable>
    <ResponseField name="action" type="string">
      The action of the Akamai user risk assessment.

      Example: `monitor`
    </ResponseField>

    <ResponseField name="allow" type="number">
      The allowed status of the Akamai user risk assessment.

      Example: `0`
    </ResponseField>

    <ResponseField name="emailDomain" type="string">
      The email domain of the user.

      Example: `example.com`
    </ResponseField>

    <ResponseField name="general" type="object">
      The general risk of the Akamai user risk assessment.

      Example: `{ aci: "0", db: "Chrome 85", di: "0fc91b5ec42f5a471c16a85e3e388ca57697c1a9", do: "Mac OS X 10" }`
    </ResponseField>

    <ResponseField name="ouid" type="string">
      The OUID of the user.

      Example: `m534264`
    </ResponseField>

    <ResponseField name="requestid" type="string">
      The request ID of the user.

      Example: `19e22e`
    </ResponseField>

    <ResponseField name="risk" type="object">
      The risk of the Akamai user risk assessment.

      Example: `{ ugp: "ie/M", unp: "432/H" }`
    </ResponseField>

    <ResponseField name="score" type="number">
      The score of the Akamai user risk assessment.

      Example: `0`
    </ResponseField>

    <ResponseField name="status" type="number">
      The status of the Akamai user risk assessment.

      Example: `4`
    </ResponseField>

    <ResponseField name="trust" type="object">
      The trust of the Akamai user risk assessment.

      Example: `{ udbp: "Chrome85", udfp: "25ba44ec3b391ba4ce5fbbd2979635e254775werwe", udop: "Mac OS X 10", ugp: "FR", unp: "12322", utp: "weekday_3" }`
    </ResponseField>

    <ResponseField name="username" type="string">
      The username of the user.

      Example: `testuser@example.com`
    </ResponseField>

    <ResponseField name="uuid" type="string">
      The UUID of the Akamai user risk assessment.

      Example: `86b37525-8047-4a3c-8d7a-23e99666da05`
    </ResponseField>
  </Expandable>
</ResponseField>

## Use cases

<AccordionGroup>
  <Accordion title="Revoke a session based on Akamai Account Protector results">
    Here’s an example of how you could revoke a session based on the `akamaiUserRisk.score` property:

    ```javascript theme={null}
    exports.onExecutePostLogin = async (event, api) => {
      // Account Protector results forwarded by Akamai; undefined if the signal is absent.
      const userRiskHeader = event.authentication?.riskAssessment?.supplemental?.akamai?.akamaiUserRisk;
      if (userRiskHeader?.score && userRiskHeader?.score >= 90) {
        console.log('User is deemed high risk.');
        // Revoke the session cookies to deny the login.
        api.session.revoke('Session revoked, user risk score is 90 or higher.');
      }
    };
    ```

    Using the `api.session.revoke` method (compared to the `api.access.deny` method) ensures that if the user refreshes the application, the Akamai Supplemental Signals are sent with the authentication request and the post-login Action flow is triggered.
  </Accordion>

  <Accordion title="Prompt multi-factor authentication (MFA) based on Akamai Bot Manager results">
    Here’s an example of how you could enforce MFA based on the `akamaiBot.botScore` property.

    #### Enforce MFA

    This Action performs two tasks:

    1. **Update [app metadata](/docs/manage-users/user-accounts/metadata/metadata-fields-data)**: If the `botScore` property is at or above a specified value, record that MFA is required for the session.
    2. **Require MFA**: If the `botScore` property is at or above a specified value or if there is a record in the app metadata indicating MFA is required for the session, enforce MFA.

    ```javascript theme={null}
    exports.onExecutePostLogin = async (event, api) => {
      // Bot Manager results forwarded by Akamai; undefined if the signal is absent.
      const botResult = event.authentication?.riskAssessment?.supplemental?.akamai?.akamaiBot;
      const isHighBotScore = typeof botResult?.botScore === 'number' && botResult.botScore >= 90;
      // Per-session flag stored in app metadata.
      const mfaKey = `mfa_required_${event.session?.id}`;

      if (isHighBotScore) {
        console.log(`Setting app metadata for session id: ${event.session?.id}`);
        api.user.setAppMetadata(mfaKey, true);
      }

      // app_metadata can be empty or undefined for a user, so read it defensively.
      if (isHighBotScore || event.user.app_metadata?.[mfaKey]) {
        console.log(`Requiring MFA for session id: ${event.session?.id}`);
        api.multifactor.enable('any', { allowRememberBrowser: false });
      }
    };
    ```

    #### Clean up app metadata

    This Action removes session-specific MFA information from app metadata after the user completes MFA successfully.

    ```javascript theme={null}
    exports.onExecutePostLogin = async (event, api) => {
      const mfaMethod = event.authentication?.methods.find((method) => {
        return method.name === 'mfa';
      });

      if (mfaMethod) {
        console.log(`Removing MFA requirement for session id: ${event.session?.id}`);
        api.user.setAppMetadata(`mfa_required_${event.session?.id}`, undefined);
      }
    };
    ```
  </Accordion>
</AccordionGroup>
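
The two use cases above combined into one post-login Action, with explicit handling for missing or malformed signals. This is an added example, not Auth0's own code: `decide`, `toScore`, the threshold constants, and the policy of stepping up to MFA when no signal is present are assumptions for illustration.

```javascript
// Added example. Thresholds and decision labels are assumptions, not Auth0 or Akamai defaults.
const REVOKE_AT = 90; // akamaiUserRisk.score cut-off, as in the session-revocation use case
const MFA_AT = 90;    // akamaiBot.botScore cut-off, as in the MFA use case

// Accept only finite numbers; anything else counts as "signal missing".
function toScore(value) {
  return typeof value === 'number' && Number.isFinite(value) ? value : null;
}

// Pure function: maps the supplemental signals to 'revoke' | 'mfa' | 'allow'.
function decide(event) {
  const akamai = event.authentication?.riskAssessment?.supplemental?.akamai;
  const riskScore = toScore(akamai?.akamaiUserRisk?.score);
  const botScore = toScore(akamai?.akamaiBot?.botScore);

  if (riskScore === null && botScore === null) {
    // Assumed policy: with no signal to evaluate, step up instead of silently allowing.
    return { decision: 'mfa', reason: 'Akamai signals missing' };
  }
  if (riskScore !== null && riskScore >= REVOKE_AT) {
    return { decision: 'revoke', reason: `User risk score ${riskScore} >= ${REVOKE_AT}` };
  }
  if (botScore !== null && botScore >= MFA_AT) {
    return { decision: 'mfa', reason: `Bot score ${botScore} >= ${MFA_AT}` };
  }
  return { decision: 'allow', reason: 'Scores below thresholds' };
}

const onExecutePostLogin = async (event, api) => {
  const { decision, reason } = decide(event);
  console.log(`Akamai decision: ${decision} (${reason})`);
  if (decision === 'revoke') {
    api.session.revoke(reason);
  } else if (decision === 'mfa') {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};

// Export for the Actions runtime; the guard keeps the file loadable in a plain test runner.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Keeping the decision in a pure function lets you unit-test the policy against constructed event objects before deploying the Action.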
