2026-06-12 · 6 min read
What Is a Trust Score and How Should Your Application Act on It?
A developer guide to request trust scores — what they represent, what they do not, and how to use them in enforcement logic.
A trust score is a probability estimate, not a verdict
A request trust score expresses the system's confidence that a request comes from a legitimate human user rather than automation or abuse infrastructure. It is a probability estimate, not a binary determination.
A score of 85 does not mean the request is safe. It means the available evidence is more consistent with legitimate traffic than with abuse. How you act on that estimate should depend on what you are protecting.
Different endpoints warrant different thresholds
A trust score threshold that is appropriate for a blog comment form would be far too permissive for a payment endpoint, and a threshold appropriate for payments would block too many legitimate users on low-stakes pages.
The decision structure — allow above threshold A, challenge between A and B, block below B — should be configured per endpoint or per endpoint class. One global threshold across your application is almost always wrong.
Act on decisions, not raw scores
Most applications should not implement their own threshold logic. A trust API that returns a structured decision — ALLOW, CHALLENGE, or BLOCK — handles threshold calibration internally and can adjust as the threat landscape evolves.
Building your enforcement on the decision output rather than the raw score means your application logic stays simple and stable even as the underlying evaluation model improves.
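The sketch below is an added example, not code from any particular trust API. It shows the per-endpoint three-band structure and decision-first enforcement described above. The endpoint class names, threshold values, 0-100 score range, response fields (`decision`, `score`) and the per-class action on evaluation failure are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    allow_at: int     # threshold A: scores at or above this are allowed
    block_below: int  # threshold B: scores below this are blocked
    on_error: str     # action when no usable evaluation is available (assumption)

# Constructed values for illustration; calibrate against your own traffic.
POLICIES = {
    "comment_form": Policy(allow_at=50, block_below=20, on_error="ALLOW"),
    "login":        Policy(allow_at=75, block_below=40, on_error="CHALLENGE"),
    "payment":      Policy(allow_at=90, block_below=60, on_error="BLOCK"),
}
DECISIONS = {"ALLOW", "CHALLENGE", "BLOCK"}

def band(score, policy):
    """Allow above threshold A, challenge between A and B, block below B."""
    if score >= policy.allow_at:
        return "ALLOW"
    if score < policy.block_below:
        return "BLOCK"
    return "CHALLENGE"

def enforce(endpoint_class, evaluation):
    """Return the action to take for one request.

    `evaluation` is the parsed response of a hypothetical trust API: a dict
    that may carry "decision" and/or "score", or None if the call failed.
    """
    # An endpoint class with no configured policy gets the strictest one.
    policy = POLICIES.get(endpoint_class, POLICIES["payment"])
    if not isinstance(evaluation, dict):
        return policy.on_error
    decision = evaluation.get("decision")
    if decision in DECISIONS:
        return decision  # preferred path: act on the structured decision
    score = evaluation.get("score")
    if isinstance(score, (int, float)) and not isinstance(score, bool) and 0 <= score <= 100:
        return band(score, policy)  # fallback: local per-endpoint thresholds
    return policy.on_error  # unknown decision value and no valid score
```

With these constructed policies, the same score of 85 is allowed on the comment form and challenged on the payment endpoint.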