> ## Documentation Index
> Fetch the complete documentation index at: https://documentation.uponai.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Fraud Protection

> Configure rate limiting, geographic restrictions, and sanctioned country blocks to protect your UponAI agents from fraud and abuse.

UponAI provides fraud protection features to help you prevent abuse of your voice AI agents. These features complement the general [abuse prevention measures](/Reliability/prevent-abuse) and give you fine-grained control over how your agents are accessed.

## Rate Limiting

When using public keys to authenticate calls from your frontend, you can enable fraud protection to automatically rate limit requests based on IP address and destination phone number.

### Enabling Fraud Protection

<Steps>
  <Step title="Navigate to Public Keys">
    Go to **Public Keys** in your UponAI dashboard.
  </Step>

  <Step title="Select your public key">
    Click on the public key you want to configure.
  </Step>

  <Step title="Enable fraud protection">
    Toggle on **Fraud Protection** and save your changes.
  </Step>
</Steps>

### How It Works

When fraud protection is enabled on a public key:

* Requests are rate limited based on the combination of the caller's IP address and the destination phone number
* This prevents bad actors from using the same IP to spam calls to premium rate numbers
* Rate limiting applies to outbound phone calls and SMS initiated via public key authentication

<Tip>
  For maximum protection, combine fraud protection with Google reCAPTCHA to prevent bot abuse.
</Tip>

## Geographic Restrictions

Restrict which countries are allowed to make inbound calls to your UponAI phone numbers, and which countries your numbers can call outbound. This helps prevent International Revenue Sharing Fraud (IRSF) and limits exposure to unwanted traffic.

### Allowed Inbound Countries

<Steps>
  <Step title="Navigate to Phone Numbers">
    Go to **Phone Numbers** in your UponAI dashboard.
  </Step>

  <Step title="Select a phone number">
    Click on the number you want to configure.
  </Step>

  <Step title="Set allowed inbound countries">
    Under **Allowed Inbound Countries**, add the countries that should be allowed to call this number. Changes save automatically.
  </Step>
</Steps>

When configured, calls from countries not on the list are automatically rejected.

### Allowed Outbound Countries

<Steps>
  <Step title="Navigate to Phone Numbers">
    Go to **Phone Numbers** in your UponAI dashboard.
  </Step>

  <Step title="Select a phone number">
    Click on the number you want to configure.
  </Step>

  <Step title="Set allowed outbound countries">
    Under **Allowed Outbound Countries**, add the countries this number should be allowed to call. Changes save automatically.
  </Step>
</Steps>

When configured, outbound calls to countries not on the list are blocked.

### Configure via API

```bash theme={null}
# Set geographic restrictions
curl -X PATCH "https://api.uponai.com/update-phone-number/+14155551234" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "allowed_inbound_country_list": ["US", "CA", "GB"],
    "allowed_outbound_country_list": ["US", "CA"]
  }'
```

Use ISO 3166-1 alpha-2 country codes (e.g., `US`, `CA`, `GB`).

```bash theme={null}
# Remove restrictions
curl -X PATCH "https://api.uponai.com/update-phone-number/+14155551234" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "allowed_inbound_country_list": null,
    "allowed_outbound_country_list": null
  }'
```

## Sanctioned Countries

The following countries are always blocked regardless of your configuration:

| Country     | Code |
| ----------- | ---- |
| Cuba        | CU   |
| Iran        | IR   |
| North Korea | KP   |
| Syria       | SY   |
| Russia      | RU   |
| Belarus     | BY   |
| Venezuela   | VE   |

Calls to or from these countries are automatically rejected.

## Best Practices

* **Enable fraud protection on all public keys** — adds an extra layer of protection at minimal cost
* **Combine with reCAPTCHA** — use both fraud protection and reCAPTCHA for web-initiated calls to prevent bot abuse
* **Start with restrictive country lists** — begin with only the countries you need and expand as necessary
* **Monitor for blocked calls** — use webhooks to track when calls are blocked due to geographic restrictions
* **Review regularly** — periodically review your country restrictions to ensure they match your current business needs
