Verdicts

A verdict is Rupt's decision on an evaluation. It's the output of the policy that matched, and it tells your server what to do with the user's action. The verdict is just the matched policy's action type, so the set below is exactly the set of actions a policy can take.

The verdicts

| Verdict | What it means | Server action |
| --- | --- | --- |
| allow | Nothing matched, or the matched policy says let it through. | Honor the action. |
| deny | A policy matched and blocks outright. | Block the action. |
| challenge | Identity needs to be verified before you trust the action. | Block until the linked challenge reaches completed. Otherwise keep blocking. |
| suspend | The user has been suspended on this project. | Block. The suspension stays in place until you lift it. |
| add_to_list | The matched value was added to a list. | Honor the action. Rupt has already applied the list change. |
| remove_from_list | The mirror of add_to_list. | Honor the action. The list change is already done. |

The value behind add_to_list / remove_from_list depends on the list: it can be the user, IP, email, fingerprint, or another field the list is keyed on.

Soft vs hard verdicts

allow, deny, and suspend are final: the verdict is the answer. challenge is not. With a challenge, the real answer depends on whether the user passes, so treat challenge like deny until you've confirmed the challenge reached completed. Any other state (failed, skipped, or still in progress) should stay blocked.

add_to_list and remove_from_list never block the action. They let a policy maintain state without interrupting the user.

Confirming server-side

The verdict that reaches the client is advisory. A determined attacker can strip it before it gets back to your server, so don't trust the client copy for anything that matters. Confirm the verdict by fetching the evaluation directly from Rupt, then check that the action, user, email, phone, and metadata on it match what your server expected before you honor the action. The wiring is in Quick start step 3.
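
One way to apply the rules above on the server, as an added example rather than Rupt's own code: it takes an evaluation your server has already fetched from Rupt, checks it against what the server expected, and fails closed. The field names, the `decide` helper and the sample data are assumptions for illustration, not Rupt's documented schema.

```javascript
// Added example: field names (verdict, action, user, email, phone, metadata,
// status) are assumptions for illustration, not Rupt's documented schema.
const NON_BLOCKING = new Set(["allow", "add_to_list", "remove_from_list"]);
const BOUND_FIELDS = ["action", "user", "email", "phone"];

function sameMetadata(a, b) {
  const x = a || {}, y = b || {};
  const keys = Object.keys(x);
  return keys.length === Object.keys(y).length &&
    keys.every((k) => k in y && JSON.stringify(x[k]) === JSON.stringify(y[k]));
}

// evaluation: record fetched server-side from Rupt, never the client copy.
// expected:   what this server knows about the request it is about to honor.
// challenge:  the linked challenge record when the verdict is "challenge".
function decide(evaluation, expected, challenge = null) {
  if (!evaluation) return { honor: false, reason: "evaluation_missing" };
  for (const field of BOUND_FIELDS) {
    if (evaluation[field] !== expected[field]) {
      return { honor: false, reason: `mismatch:${field}` };
    }
  }
  if (!sameMetadata(evaluation.metadata, expected.metadata)) {
    return { honor: false, reason: "mismatch:metadata" };
  }
  const verdict = evaluation.verdict;
  if (NON_BLOCKING.has(verdict)) return { honor: true, reason: verdict };
  if (verdict === "challenge") {
    // Only "completed" unlocks; failed, skipped or in progress stay blocked.
    const done = challenge?.status === "completed";
    return { honor: done, reason: done ? "challenge_completed" : "challenge_open" };
  }
  // deny, suspend, or a verdict this code does not know: fail closed.
  return { honor: false, reason: verdict || "verdict_missing" };
}

// Constructed sample data, not real Rupt output.
const expected = { action: "checkout", user: "u_123", email: "a@example.com",
  phone: "+15550100", metadata: { cart: "c_9" } };
const fetched = { ...expected, metadata: { cart: "c_9" }, verdict: "challenge" };

console.log(decide(fetched, expected, { status: "in_progress" }));
console.log(decide(fetched, expected, { status: "completed" }));
console.log(decide({ ...fetched, user: "u_999" }, expected, { status: "completed" }));
```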