Checks

Checks are the boolean and numeric facts Rupt derives from signals plus a user's history. They turn raw measurements into the language Rupt reasons about: is this fingerprint new for this user, is this IP a VPN, has this user moved impossibly far since we last saw them.

A check is deliberately narrow. Each one captures a single fact at a single moment, and on its own each is weak. A new IP isn't suspicious by itself, and neither is a webmail address. The power comes from how they combine into risks and how your policies match conditions across them.

Here's most of what we check. We keep this in sync with the app as best we can, but it isn't a guarantee. The dashboard policy editor always has the live, complete list.

Identity newness

How established the user, IP, or fingerprint is for this account.

• is_new_user
• is_new_ip: see New IP.
• is_new_fingerprint
• user_age_days
• fingerprint_user_count: how many users share this fingerprint.

Network reputation

What kind of network the connection is coming from. See Anonymizing network.

• ip_is_vpn
• ip_is_proxy
• ip_is_tor
• ip_is_hosting
• ip_country

Velocity and geography

How the user moves through space and time.

• impossible_travel: see Impossible travel.
• concurrent_sessions: see Concurrency.
• has_high_velocity: an unusual rate of actions in a short window. See Velocity.

Device counts

How many devices a user has piled up. Some of the strongest account-sharing signals there are. See Devices.

• device_count
• computer_device_count
• tablet_device_count
• mobile_device_count

Email quality

What kind of email address was provided. See Email quality.

• email_is_disposable
• email_is_webmail
• email_is_invalid
• email_is_accept_all

Account state

Verification and status flags on the user.

• is_email_verified
• is_phone_verified
• is_suspended
• origin_is_new: first time this request origin has been seen for your project in the last 90 days.

Device integrity

Only populated when you ship the iOS or Android SDK. Web flows leave these unset, and each platform reports only its own flags.

• jailbroken_ios
• rooted_android
• is_simulator
• is_emulator
• debugger_attached
• ui_testing

Fingerprint observations

A separate family of checks derived from the deeper signals we collect during fingerprinting. Unlike the checks above, these aren't conditions you match in policies directly. They roll up into the observation-only risks (bots, tampering, anti-fingerprinting, incognito, and replay attacks) so you can watch them without them forcing a verdict.

Bot

• bot_framework_globals
• navigator_webdriver_true
• event_istrusted_synthetic
• window_process_present
• mediadevices_absent_modern_ua
• devtools_open_during_flow
• widevine_missing_on_chrome
• webgl_swiftshader_renderer
• uach_missing_on_chrome
• speech_voices_empty_on_desktop_chrome
• screen_frame_all_zero_desktop
• fonts_empty_on_desktop

Tampering

• prototype_integrity_fail
• plugin_prototype_mismatch
• engine_probe_mismatch
• math_random_patched
• uach_vs_ua_mismatch
• notifications_permission_spoof
• deviceorientation_permission_non_ios

Anti-fingerprinting

• tor_browser_signature
• safari_itp_lockdown
• firefox_etp_timer
• brave_farbling_detected
• firefox_rfp_detected

Incognito

• languages_dedup_incognito
• storage_quota_incognito
• permissions_stuck_prompt
• indexeddb_failures
• notifications_private_spoof

Replay attack

• consumed_nonce
• nonce_session_mismatch
• unknown_nonce
• missing_nonce
• missing_cookie
• session_expired

How checks are used

Checks feed two systems:

1. Risks: Rupt aggregates the relevant checks into a weighted score per category: account takeover, fake account, account sharing, scraping, and linked accounts.
2. Policies: your rules can match conditions over checks directly. A policy can say "if impossible_travel and ip_is_vpn, challenge" without ever going through a risk score.

The complete, current list of checks and their conditions lives in the policy editor in the dashboard.