
Zero trust mode

Zero trust mode is an excellent way to ensure the integrity of your user evaluations while still leveraging the out-of-the-box challenge flow. You will still have the ability to customize all text and appearance to suit your brand. If you want to build your own challenge flow, see the custom implementation guide.

This feature operates under the Zero Trust security model. None of the information about the user is determined by the client.

Rupt dashboard

  1. Go to the fake account settings page and enable the fake account rules you want to enforce.
  2. Configure the fake account challenge appearance. You can upload your logo, customize the text and colors, and apply any custom CSS.

Server side

  1. Include the Rupt Node SDK:
yarn add @ruptjs/core
# OR
npm install @ruptjs/core
  2. Initialize the Rupt Node SDK with your project API secret:
import Rupt from "@ruptjs/core";
const rupt = new Rupt("API_SECRET");

  3. Call the evaluate method using the signup action, providing the device and user information from your authentication flow.

If you provide the fingerprint hash, the evaluation will be more accurate. To get the fingerprint hash, see fingerprint hashing.

const res = await rupt.evaluate({
  action: "signup", // use "login" for login attempts
  user: "USER_ID",
  fingerprint: "FINGERPRINT_HASH", // optional
  ip: "IP_ADDRESS",
  email: "EMAIL",
  phone: "PHONE",
  metadata: {
    key: "value",
  },
});

With cURL:

curl -X POST https://api.rupt.com/v2/devices/evaluate \
  -H "Authorization: Bearer API_SECRET" \
  -H "Content-Type: application/json" \
  -d '{"action": "signup", "user": "USER_ID", "fingerprint": "REQUEST_HASH", "ip": "IP_ADDRESS", "email": "EMAIL", "phone": "PHONE", "metadata": {"key": "value"}}'

Call the evaluate method/endpoint on both the signup and login flows. If a user abandons the signup challenge flow, the login flow will also recommend a challenge.

  4. Rupt returns a response that looks like this:

{
  "verdict": "challenge",
  "fingerprint_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "reasons": ["new_device", "new_ip"],
  "challenge_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "redirect": "https://challenge.rupt.dev/?challenge=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

The verdict will be one of challenge, allow, restrict, challenge_and_restrict, or deny. The challenge_id can be used to perform a two-factor authentication challenge using the Rupt challenge page on the browser side. Return the challenge_id to the browser side.
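
One way to act on the verdict on the server, as an added example that is not Rupt's own code. The function names, the shape of `req`, the handling of restrict, and the choice to fail closed on unknown verdicts or evaluation errors are assumptions.

```javascript
// Added example; decide, buildEvaluateInput and handleSignup are hypothetical names.
const VERDICTS = ["allow", "challenge", "restrict", "challenge_and_restrict", "deny"];

// Build the evaluate() input from values the server controls or observes.
function buildEvaluateInput(req, userId) {
  return {
    action: "signup",
    user: userId, // assigned by the server, never read from the request body
    ip: req.socket.remoteAddress, // assumes no reverse proxy in front of the app
    email: req.body.email,
    phone: req.body.phone,
    fingerprint: req.body.fingerprint, // optional fingerprint hash
  };
}

// Map an evaluate() response to what the server does and what the browser sees.
function decide(res) {
  const verdict = res && VERDICTS.includes(res.verdict) ? res.verdict : "deny";
  const challenge = verdict.startsWith("challenge");
  // Assumption: "restrict" means the app limits the account until it is reviewed.
  const restricted = verdict.endsWith("restrict");
  if (verdict === "deny" || (challenge && !res.challenge_id)) {
    return { status: 403, restricted: true, body: { ok: false } };
  }
  // Only challenge_id goes to the browser; reasons and fingerprint_id stay server side.
  const body = challenge ? { ok: true, challenge_id: res.challenge_id } : { ok: true };
  return { status: 200, restricted, body };
}

// `evaluate` is injected, e.g. (input) => rupt.evaluate(input), so this runs without the SDK.
async function handleSignup(evaluate, req, userId) {
  let res = null;
  try {
    res = await evaluate(buildEvaluateInput(req, userId));
  } catch (err) {
    // Assumption: an evaluation that cannot be completed is treated as deny.
  }
  return decide(res);
}

// Constructed sample response, shaped like the one shown above.
const sample = {
  verdict: "challenge",
  fingerprint_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  reasons: ["new_device", "new_ip"],
  challenge_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
};
console.log(decide(sample));
```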


Browser side

  1. Install the Rupt SDK
yarn add rupt
  2. Include the Rupt Browser SDK
import Rupt from "rupt";
  3. If the challenge_id is returned, you can redirect the user to the challenge page.
const res = await your_signup_api_call({ ... });

// Open the challenge only when the server returned a challenge_id.
if (res.challenge_id) {
  Rupt.challenge({
    challenge_id: res.challenge_id,
    redirect_urls: {
      success_url: "https://example.com/success",
    },
  });
}

For more information, see opening a challenge.

  4. Once the challenge is completed, the user will be redirected back to the success url or the referring page if no success url is provided.

For more information on customizing the challenge page, see challenges.