Add Fraud Protection to an Angular Website
This guide walks you through installing Opportify Fraud Protection on an Angular website. Once set up, every form submission is analyzed for fraud signals in real time — bots, disposable emails, VPNs, and more.
Prerequisites
- Access to the Opportify Admin Console
- An Angular project (v14+) you can edit
- Basic familiarity with Angular components, services, and TypeScript
How it works
Opportify's approach has two parts:
- The tracking script — loaded once in the page
<head>. It silently observes browser signals and injects two hidden values into each of your forms:opportifyToken(a per-session risk token) andopportifyFormUUID(the identifier of the matched form endpoint). - The submit endpoint — instead of POSTing to your own backend, your form sends data directly to
https://api.opportify.ai/intel/v1/submit/<endpoint-id>. Opportify analyzes the submission, stores the result, and returns a JSON response your app can act on.
Step-by-Step Setup
Step 1 — Open Opportify Admin and complete the Quick Start
Navigate to Quick Start and complete Steps 1 through 3.
Step 1 — Allowlist your domain. Enter your site's hostname (no https://, no trailing slash).
Example: for
https://my-app.angular.deventermy-app.angular.dev
Step 2 — Create a Form Endpoint. Click + New Endpoint, give it a descriptive name (e.g. Contact Form), and select a public key. Each endpoint maps to one form on your site.
Step 3 — Copy the Submit URL. From the endpoint list, copy the value in the Submit URL column. It looks like:
https://api.opportify.ai/intel/v1/submit/<your-endpoint-id>
Keep this URL handy — you will use it in Step 3 below.
Step 2 — Load the Opportify script
The script must be loaded once, globally, before any user interaction. Add it to src/index.html inside the <head> tag. Replace YOUR_PUBLIC_KEY with the key shown in the Opportify Admin Console.
<!-- src/index.html -->
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>My App</title>
<base href="/" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<!-- Opportify Fraud Protection — load before first user interaction -->
<script
src="https://cdn.opportify.ai/f/v0.4.3.min.js"
data-opportify-key="YOUR_PUBLIC_KEY"
async
></script>
</head>
<body>
<app-root></app-root>
</body>
</html>
In the Opportify Admin Console, go to Settings → API Keys. The public key starts with pk_.
Step 3 — Connect your form to the Opportify endpoint
Update your component's submit method to POST to the Opportify Submit URL instead of your own backend.
Before
async onSubmit(): Promise<void> {
await fetch('/api/contact-form', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(this.form.value),
});
}
After
async onSubmit(): Promise<void> {
await fetch(
'https://api.opportify.ai/intel/v1/submit/YOUR_ENDPOINT_ID',
{
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(this.form.value),
}
);
}
Replace YOUR_ENDPOINT_ID with the UUID from the Submit URL you copied in Step 1.
Step 4 — Include the Opportify tokens in the payload
When the tracking script runs, it injects two hidden <input> fields into your form:
| Field name | Purpose |
|---|---|
opportifyToken | Per-session risk token generated by the script |
opportifyFormUUID | Identifies which Form Endpoint matched this form |
Read these values from the DOM and include them in the payload before the fetch call:
async onSubmit(): Promise<void> {
const opportifyToken =
document
.querySelector<HTMLInputElement>('input[name="opportifyToken"]')
?.value ?? '';
const opportifyFormUUID =
document
.querySelector<HTMLInputElement>('input[name="opportifyFormUUID"]')
?.value ?? '';
const payload = {
name: this.form.value.name,
email: this.form.value.email,
message: this.form.value.message,
opportifyToken,
opportifyFormUUID,
};
const response = await fetch(
'https://api.opportify.ai/intel/v1/submit/YOUR_ENDPOINT_ID',
{
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(payload),
}
);
const result = await response.json();
if (!result.accepted) {
this.errorMessage = result.errorMessage ?? 'Something went wrong.';
} else {
this.successMessage = 'Your message was sent successfully.';
}
}
The Opportify script injects opportifyToken and opportifyFormUUID as hidden inputs into the rendered HTML form — not into Angular's form model. Reading them with document.querySelector is the correct approach here.
Step 5 — Disable automatic interception on self-managed forms (optional)
By default, the Opportify script intercepts form submissions automatically. If your component already handles its own (ngSubmit) (as shown above), add the data-opty-submit-interception="disable" attribute to the <form> element to prevent double submission:
<form
[formGroup]="form"
data-opty-submit-interception="disable"
(ngSubmit)="onSubmit()"
>
<!-- form fields -->
</form>
Skip this step if you want the script to handle submission automatically (e.g. for simpler template-driven forms with no custom submit logic).
Step 6 — Full example: Contact component
Below is a complete, minimal contact component integrating all the steps above using Angular Reactive Forms.
// contact.component.ts
import { Component } from '@angular/core';
import { FormBuilder, FormGroup, Validators } from '@angular/forms';
@Component({
selector: 'app-contact',
templateUrl: './contact.component.html',
})
export class ContactComponent {
form: FormGroup;
successMessage = '';
errorMessage = '';
isSubmitting = false;
constructor(private fb: FormBuilder) {
this.form = this.fb.group({
name: ['', Validators.required],
email: ['', [Validators.required, Validators.email]],
message: ['', Validators.required],
});
}
async onSubmit(): Promise<void> {
if (this.form.invalid) return;
this.isSubmitting = true;
this.errorMessage = '';
const opportifyToken =
document
.querySelector<HTMLInputElement>('input[name="opportifyToken"]')
?.value ?? '';
const opportifyFormUUID =
document
.querySelector<HTMLInputElement>('input[name="opportifyFormUUID"]')
?.value ?? '';
const payload = {
...this.form.value,
opportifyToken,
opportifyFormUUID,
};
try {
const response = await fetch(
'https://api.opportify.ai/intel/v1/submit/YOUR_ENDPOINT_ID',
{
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(payload),
}
);
const result = await response.json();
if (!result.accepted) {
this.errorMessage = result.errorMessage ?? 'Something went wrong. Please try again.';
} else {
this.successMessage = 'Your message was sent successfully.';
this.form.reset();
}
} catch {
this.errorMessage = 'Network error. Please check your connection and try again.';
} finally {
this.isSubmitting = false;
}
}
}
<!-- contact.component.html -->
<form
[formGroup]="form"
data-opty-submit-interception="disable"
(ngSubmit)="onSubmit()"
>
<input formControlName="name" placeholder="Your name" />
<span *ngIf="form.get('name')?.invalid && form.get('name')?.touched">
Name is required
</span>
<input type="email" formControlName="email" placeholder="your@email.com" />
<span *ngIf="form.get('email')?.invalid && form.get('email')?.touched">
Valid email is required
</span>
<textarea formControlName="message" placeholder="Your message"></textarea>
<span *ngIf="form.get('message')?.invalid && form.get('message')?.touched">
Message is required
</span>
<p *ngIf="errorMessage" style="color: red">{{ errorMessage }}</p>
<p *ngIf="successMessage" style="color: green">{{ successMessage }}</p>
<button type="submit" [disabled]="isSubmitting">
{{ isSubmitting ? 'Sending…' : 'Send' }}
</button>
</form>
Step 7 — Setup is complete
Your Angular form is now connected to Opportify Fraud Protection.
Return to the Opportify Admin Console and complete the remaining Quick Start steps to fine-tune your setup:
- Step 4 — Data Retention: Choose how long submission data is kept.
- Alerts: Configure email or in-app alerts for suspicious submissions.
- Webhooks: Forward fraud signals and submission data to your own backend or third-party tools.
Viewing Form Submissions
After deploying, every form submission from your site will appear in the Form Submissions page of the Opportify Admin Console. For each submission you can see:
| Field | Description |
|---|---|
| Risk Score | A numeric fraud risk rating assigned to the submission |
| Risk Level | A human-readable label: Low, Medium, High, or Critical |
| IP Address | The originating IP of the submission |
| Country | Geo-location derived from the IP |
| The email address submitted, if collected | |
| Submitted At | Timestamp of when the submission was received |
| Form Endpoint | Which endpoint (and therefore which form) received the submission |
| Fraud Signals | Individual signals that contributed to the risk score (e.g. disposable email, VPN detected, bot behavior) |
You can filter submissions by risk level, date range, or endpoint to quickly identify and act on suspicious activity.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
opportifyToken is always empty | Script not loaded or loaded after form render | Ensure the script tag is in <head> of index.html with async and the page has fully loaded before submission |
| CSP error in browser console | Missing CSP directives for Opportify origins | Add https://cdn.opportify.ai to script-src and https://api.opportify.ai to connect-src in your Content Security Policy |
| Form submits twice | Script auto-interception active on a self-managed form | Add data-opty-submit-interception="disable" to the <form> element (Step 5) |
404 on submit | Wrong endpoint ID in the URL | Double-check the Submit URL copied from the Opportify Admin Console |