For most web apps, you should call the attach function as soon as the user ID is available (i.e. login callback or session initialization) and and on every logged-in page once. This ensures that account sharing prevention works on all pages. If for some reason, you don't want to do that, then at minimum call the
attach function on all key pages of your application (such as dashboard, login, sign up). Every page that has Rupt called is covered by the account sharing prevention mechanisms of Rupt.
For mobile apps, you should call the
attach function as soon as the user ID is available or whenever it changes. Then you should also call it on every key page. No need to call it on all pages, but only on key pages (such as watching video page or the transaction page) or on significant events.
If you are using the
sabil-identity library for device identification, you should only call the
identify function if the user ID is not available. The same frequency for
attach is recommended. Call it on every page if possible (if no user ID is available, otherwise always call the
attach). If this is not feasible for some reason, then call it only on key pages or when significant events happen (such as transaction or guest checkout).