Reviewing workflow runs

Updated on 18.03.26

Overview

Once your workflows are live and users begin completing verification sessions, the Transactions page in SEON becomes your central hub for monitoring outcomes and investigating individual sessions. This page provides two complementary views of your verification activity, each designed for a different operational need.

 

Workflow run statuses

Every workflow session will end in one of five terminal or transitional states. Understanding these statuses is key to monitoring performance and diagnosing issues.

Status | Meaning
Pending | The verification process is currently in progress.
Approve | The user successfully passed all critical checks in the workflow.
Review | The session requires manual review by your team before a final decision can be made.
Decline | The user failed one or more critical checks, resulting in a rejected verification.
Abandoned | The user exited the flow before completing all required steps.

Authorized users can manually change a workflow run's status from the details page — for example, overriding an automated Decline if investigation reveals a false positive, or moving a Review to Approved or Declined after completing a manual assessment. All manual status changes are logged for audit purposes.

 

Two views of the same activity: Transactions vs. Workflow runs

The Transactions page is divided into two tabs, each providing a different lens on your verification activity:

Tab | What it shows | When to use it
Transactions | Displays individual API events (registrations, logins, payments). Each event appears as a separate transaction record with its own fraud score, action type and state. | Use this view when investigating a specific fraud signal on an individual step or reviewing the detailed results of a single check within a workflow.
Workflow runs | Displays complete verification sessions, one row per user journey, showing the user, final status, date, workflow name, run ID and user ID. | Use this view when monitoring overall verification throughput, reviewing the outcome of a user's full journey, filtering by workflow or status, or performing manual reviews.

Both views are connected. Every workflow run generates multiple transactions (one per step), and every transaction generated by a workflow is linked back to its parent workflow run. This means you can start in the Workflow runs tab to see the big picture, then drill into the details page to see the individual transaction results for each step.

 

Changing a workflow run's status / Manual status overrides

Authorized users can manually change a workflow run's status from the details page. Example scenarios:

  • Override an automated Decline if the investigation reveals a false positive
  • Move a Review to Approved or Declined after investigation
  • Reopen an Approved run if new fraud evidence emerges

To change the status:

  1. Open the workflow run details.
  2. Click the status dropdown in the top section.
  3. Select Approve or Decline.
  4. Enter a reason explaining your decision.
  5. Click Confirm.

Your action is recorded in the Analyst Log with your name, the timestamp, and your reason.

 

When to approve

Approve when your investigation confirms the user is legitimate, even if automated checks flagged concerns. Common scenarios:

  • Face match score was low but images clearly show the same person
  • VPN was detected but user is a known customer with travel history
  • AML hit is a false positive (common name, different person)

 

When to decline

Decline when your investigation reveals fraud or policy violations. Common scenarios:

  • Document is clearly fake or tampered
  • Selfie is obviously a different person than the ID photo
  • User is on a sanctions list (confirmed, not just potential match)
  • Multiple failed attempts suggesting fraud learning

 

When to leave as Review

Sometimes you need more information. You can:

  • Add a note describing what's needed
  • Reach out to the user through your normal support channels
  • Escalate to compliance or management
  • Wait for additional verification attempts

All manual status changes are logged in the Analyst Log for audit purposes.

 

Best practices for investigations

Before making a decision:

  • Review all widgets, not just the one that failed
  • Check the Activity tab for user history
  • Look at the actual images, not just the automated results
  • Consider the context (user tier, transaction value, risk tolerance)

Document your reasoning:

  • Always add a note explaining non-obvious decisions
  • Be specific enough that another analyst could understand your logic
  • Note any external verification you performed

Maintain consistency:

  • Follow your team's documented procedures
  • When in doubt, escalate rather than guess
  • Discuss edge cases with your team to establish precedents

 

Searching and filtering

Use the filter controls to narrow down results:

  • Search: Find sessions by user name, email or workflow run ID.
  • Status filter: Focus on specific outcomes (Pending, Approved, Review, Abandoned, Declined).
  • Workflow filter: View runs from a specific workflow template. This is particularly useful when you have multiple workflows for different jurisdictions or customer segments and want to monitor a specific flow's performance.
  • Date range: Use presets (Today, 7D, 30D, 3M, 12M) or set a custom range.

 

Creating verification sessions from this page

You can initiate verification sessions directly from the Workflow runs tab by clicking Create verification in the top-right corner. This generates a shareable, one-time-use verification link tied to a specific workflow template. This is useful for manual onboarding, re-verification requests, customer support scenarios or testing. Visit the generating shareable verification links page for full details on link creation, configuration and monitoring.

 

Investigating workflow run details

Clicking on any workflow run opens the workflow run details page. This page is your primary tool for manual reviews, fraud investigations and understanding identity verification decisions.

Top section

Shows the user's basic information, the current status, and key identifiers including the Run ID.

Page layout

Run steps panel

A visual timeline showing the user's path through the workflow:

  • Each node the user passed through is listed in order
  • Timestamps show when each step completed

This panel quickly answers "where did verification fail?" or "where did the user drop off?"

 

Main content area 

The scrollable main panel contains collapsible result sections, organized by verification type and listed in the order of the nodes in your workflow. A section only appears if that check was part of the workflow. Common sections include:

  • Summary: Run metadata and key identifiers
  • Phone information: Phone verification and enrichment results
  • Email information: Email verification and enrichment results
  • IP information: Geolocation and proxy/VPN detection
  • AML information: Sanctions, PEP and adverse media screening
  • Document verification: ID document analysis and extracted data
  • Selfie verification: Liveness and face match results
  • Proof of address: Address document validation

For detailed information about each widget's fields and how to interpret them, see the Transaction details documentation.

 

Tabs within the details page

The workflow run details page provides multiple tabs for different investigation needs.

Details | Primary view with all verification results (described above)
Activity | Historical transaction timeline for this user across all runs & transactions, outside of the current workflow
Network analysis | Visual graph of connections between users, devices and data points
Raw data | API response in JSON format for debugging or export
Analyst log | Audit trail of manual actions and notes on this run

 

Using the activity tab

The Activity tab shows all previous transactions from this user — not just the current workflow run. This context is essential for manual reviews.

Transactions are displayed in a table showing: fraud score, action type, workflow (if applicable), decision state, amount, device hash and country.

Events belonging to the current workflow run are marked with a "CURRENT RUN" badge, making it easy to distinguish the session under review from historical context.

What to look for:

  • Is this a first-time user or do they have an established history?
  • Have they attempted verification before? What happened?
  • Are there patterns of suspicious behavior across runs?
  • Have there been sudden changes in device or location?

 

Network tab

Shows connections between this user and others based on shared data points (same device, IP, email domain, etc.). Use this to:

  • Identify potential fraud rings
  • Spot multi-accounting
  • Understand relationships between flagged users

 

Raw data tab

Shows the complete technical response in JSON format. Useful for:

  • Debugging integration issues
  • Sharing details with your development team
  • Answering specific technical questions

 

Analyst log tab

Shows all actions taken on this workflow run and lets you add notes. Always add a note when you:

  • Investigate a Review case
  • Override an automated decision
  • Find something noteworthy for future reference

 

Taking action on workflow runs

From the workflow run details page, you can:

  • Change status: Manually approve or decline a Review case using the status dropdown
  • Add notes: Document your investigation findings in the Analyst log
  • Add to lists: Place the user or their data points on allow/block lists

All manual actions are logged for audit purposes.

 

Audit logs for workflows

What gets logged?

Workflow-related actions are recorded in SEON's audit logs to support compliance and security requirements. The following actions are logged:

  • Status change: When someone manually changes a workflow run's status (e.g., approving or declining a Review case)
  • Run viewed: When someone opens a workflow run details page

These logs capture who performed the action, when it happened, and relevant details about the workflow run.

 

Viewing audit logs

To access audit logs, go to Transactions -> Workflow runs -> Select a workflow run to view -> Open the Analyst log tab. You can filter by date range, user, and action type to find specific activity.

For complete information about SEON's logging capabilities, including how to export logs and retention policies, see the Logs documentation.