Faro/ docs
Get API key

Core concepts

Faro is a verification engine. You hand it an artifact ā€” a URL, a payee, or a message ā€” and it hands back one verdict object. Everything below describes the parts of that object and how it is produced.

The verdict

Every response is the same VerdictResult shape, whatever the artifact type:

FieldMeaning
verdictšŸŸ¢ green, šŸŸ” yellow, or šŸ”“ red ā€” the traffic-light answer.
confidence0.0ā€“1.0. How sure Faro is.
reasonOne plain-language line. Always present ā€” it is the product.
recommended_actionallow / warn / block / review ā€” branch your code on this.
signalsThe evidence behind the verdict (see below).
explanationOptional longer-form context.
cached, first_seen, checked_atFreshness metadata.

Verdicts

šŸŸ¢ Green ā€” allow

No safety problems found. Safe to proceed.

šŸŸ” Yellow ā€” warn / review

Something is uncertain or mildly concerning. Slow down; ask the user.

šŸ”“ Red ā€” block

A confirmed or strong threat. Do not proceed.

Signals

A signal is a single piece of evidence with a severity (info ā†’ low ā†’ medium ā†’ high ā†’ critical), a human-readable detail, and its source (e.g. safe_browsing, rdap, opensanctions, payee_format, llm). The verdict is a deterministic function of the signals ā€” strong evidence raises the verdict, and a confirmed-bad signal forces red regardless of anything else.

The tiers

Faro decides cheaply first and only reaches for the model when it has to:

  1. Tier 1 ā€” deterministic checks

    Fast, high-precision checks decide the clear cases: Google Safe Browsing and domain age (RDAP) for URLs; sanctions screening and payment-handle format detection (UPI, Venmo, Cash App, Pix, IBAN, and more) for payees; link extraction for messages.

  2. Tier 2 ā€” prior signals

    Anything Faro has already recorded about this artifact, folded into the verdict.

  3. Tier 3 ā€” LLM reasoning (only if needed)

    When the deterministic tiers are inconclusive, an LLM reasons about brand impersonation, mule patterns, and scam tactics. It never overrides a confirmed-bad deterministic signal.

Caching & freshness

Repeat artifacts are cached with verdict-aware TTLs: a confirmed šŸ”“ is cached long, a šŸŸ¢ is cached briefly (a clean domain can be weaponized any time), and šŸŸ” / low-confidence results are barely cached at all. Responses carry X-Faro-Cache: hit|miss and a cached flag so you feel the speed without ever being served a stale "safe."