[{"data":1,"prerenderedAt":416},["ShallowReactive",2],{"docsv3-nav":3,"\u002Fdocs\u002Fv3\u002Fconcepts\u002Fverdicts":198},[4],{"title":5,"path":6,"stem":7,"children":8,"page":188},"V3","\u002Fdocs\u002Fv3","1.docs\u002Fv3",[9,13,17,21,38,87,189],{"title":10,"path":11,"stem":12},"Introduction","\u002Fdocs\u002Fv3\u002Fintroduction","1.docs\u002Fv3\u002F1.Introduction",{"title":14,"path":15,"stem":16},"Quick start","\u002Fdocs\u002Fv3\u002Fquick-start","1.docs\u002Fv3\u002F2.Quick start",{"title":18,"path":19,"stem":20},"Challenge flow","\u002Fdocs\u002Fv3\u002Fchallenge-flow","1.docs\u002Fv3\u002F3.Challenge flow",{"title":22,"path":23,"stem":24,"children":25},"Fundamentals","\u002Fdocs\u002Fv3\u002Ffundamentals","1.docs\u002Fv3\u002F4.fundamentals",[26,30,34],{"title":27,"path":28,"stem":29},"Signup protection","\u002Fdocs\u002Fv3\u002Ffundamentals\u002Fsignup-protection","1.docs\u002Fv3\u002F4.fundamentals\u002F00.Signup protection",{"title":31,"path":32,"stem":33},"Login protection","\u002Fdocs\u002Fv3\u002Ffundamentals\u002Flogin-protection","1.docs\u002Fv3\u002F4.fundamentals\u002F01.Login protection",{"title":35,"path":36,"stem":37},"Access protection","\u002Fdocs\u002Fv3\u002Ffundamentals\u002Faccess-protection","1.docs\u002Fv3\u002F4.fundamentals\u002F02.Access protection",{"title":39,"path":40,"stem":41,"children":42},"Guides","\u002Fdocs\u002Fv3\u002Fguides","1.docs\u002Fv3\u002F5.guides",[43,47,51,55,59,63,67,71,75,79,83],{"title":44,"path":45,"stem":46},"Account sharing prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Faccount-sharing-prevention","1.docs\u002Fv3\u002F5.guides\u002F1.Account sharing prevention",{"title":48,"path":49,"stem":50},"Web scraping prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fweb-scraping-prevention","1.docs\u002Fv3\u002F5.guides\u002F13.Web scraping prevention",{"title":52,"path":53,"stem":54},"Ban enforcement","\u002Fdocs\u002Fv3\u002Fguides\u002Fban-enforcement","1.docs\u002Fv3\u002F5.guides\u002F14.Ban enforcement",{"title":56,"path":57,"stem":58},"Chargeback dispute","\u002Fdocs\u002Fv3\u002Fguides\u002Fchargeback-dispute","1.docs\u002Fv3\u002F5.guides\u002F15.Chargeback dispute",{"title":60,"path":61,"stem":62},"Multi-accounting prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fmulti-accounting-prevention","1.docs\u002Fv3\u002F5.guides\u002F16.Multi-accounting prevention",{"title":64,"path":65,"stem":66},"Account takeover prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Faccount-takeover-prevention","1.docs\u002Fv3\u002F5.guides\u002F2.Account takeover prevention",{"title":68,"path":69,"stem":70},"Risky transaction prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Frisky-transaction-prevention","1.docs\u002Fv3\u002F5.guides\u002F20.Risky transaction prevention",{"title":72,"path":73,"stem":74},"Fake account detection","\u002Fdocs\u002Fv3\u002Fguides\u002Ffake-account-detection","1.docs\u002Fv3\u002F5.guides\u002F3.Fake account detection",{"title":76,"path":77,"stem":78},"Bot detection","\u002Fdocs\u002Fv3\u002Fguides\u002Fbot-detection","1.docs\u002Fv3\u002F5.guides\u002F4.Bot detection",{"title":80,"path":81,"stem":82},"Card testing prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fcard-testing-prevention","1.docs\u002Fv3\u002F5.guides\u002F5.Card testing prevention",{"title":84,"path":85,"stem":86},"Incentive abuse prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fincentive-abuse-prevention","1.docs\u002Fv3\u002F5.guides\u002F9.Incentive abuse prevention",{"title":88,"path":89,"stem":90,"children":91,"page":188},"Concepts","\u002Fdocs\u002Fv3\u002Fconcepts","1.docs\u002Fv3\u002F6.concepts",[92,96,100,104,108,112,116,120,124,128,132,136,140,144,148,152,156,160,164,168,172,176,180,184],{"title":93,"path":94,"stem":95},"Evaluations","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fevaluations","1.docs\u002Fv3\u002F6.concepts\u002F01.evaluations",{"title":97,"path":98,"stem":99},"Actions","\u002Fdocs\u002Fv3\u002Fconcepts\u002Factions","1.docs\u002Fv3\u002F6.concepts\u002F02.actions",{"title":101,"path":102,"stem":103},"Signals","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fsignals","1.docs\u002Fv3\u002F6.concepts\u002F03.signals",{"title":105,"path":106,"stem":107},"Checks","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fchecks","1.docs\u002Fv3\u002F6.concepts\u002F04.checks",{"title":109,"path":110,"stem":111},"Risks","\u002Fdocs\u002Fv3\u002Fconcepts\u002Frisks","1.docs\u002Fv3\u002F6.concepts\u002F05.risks",{"title":113,"path":114,"stem":115},"Verdicts","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fverdicts","1.docs\u002Fv3\u002F6.concepts\u002F06.verdicts",{"title":117,"path":118,"stem":119},"Policies","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fpolicies","1.docs\u002Fv3\u002F6.concepts\u002F07.policies",{"title":121,"path":122,"stem":123},"Challenges","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fchallenges","1.docs\u002Fv3\u002F6.concepts\u002F08.challenges",{"title":125,"path":126,"stem":127},"Concurrency","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fconcurrency","1.docs\u002Fv3\u002F6.concepts\u002F09.concurrency",{"title":129,"path":130,"stem":131},"Impossible travel","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fimpossible-travel","1.docs\u002Fv3\u002F6.concepts\u002F10.impossible-travel",{"title":133,"path":134,"stem":135},"Bots","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fbots","1.docs\u002Fv3\u002F6.concepts\u002F11.bots",{"title":137,"path":138,"stem":139},"Devices","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fdevices","1.docs\u002Fv3\u002F6.concepts\u002F12.devices",{"title":141,"path":142,"stem":143},"Fingerprints","\u002Fdocs\u002Fv3\u002Fconcepts\u002Ffingerprints","1.docs\u002Fv3\u002F6.concepts\u002F13.fingerprints",{"title":145,"path":146,"stem":147},"People","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fpeople","1.docs\u002Fv3\u002F6.concepts\u002F14.people",{"title":149,"path":150,"stem":151},"Lists","\u002Fdocs\u002Fv3\u002Fconcepts\u002Flists","1.docs\u002Fv3\u002F6.concepts\u002F15.lists",{"title":153,"path":154,"stem":155},"Account takeover","\u002Fdocs\u002Fv3\u002Fconcepts\u002Faccount-takeover","1.docs\u002Fv3\u002F6.concepts\u002F16.account-takeover",{"title":157,"path":158,"stem":159},"Account sharing","\u002Fdocs\u002Fv3\u002Fconcepts\u002Faccount-sharing","1.docs\u002Fv3\u002F6.concepts\u002F17.account-sharing",{"title":161,"path":162,"stem":163},"Fake account","\u002Fdocs\u002Fv3\u002Fconcepts\u002Ffake-account","1.docs\u002Fv3\u002F6.concepts\u002F18.fake-account",{"title":165,"path":166,"stem":167},"Scraping","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fscraping","1.docs\u002Fv3\u002F6.concepts\u002F19.scraping",{"title":169,"path":170,"stem":171},"Linked accounts","\u002Fdocs\u002Fv3\u002Fconcepts\u002Flinked-accounts","1.docs\u002Fv3\u002F6.concepts\u002F20.linked-accounts",{"title":173,"path":174,"stem":175},"New IP","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fip","1.docs\u002Fv3\u002F6.concepts\u002F21.ip",{"title":177,"path":178,"stem":179},"Anonymizing network","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fanonymizing-network","1.docs\u002Fv3\u002F6.concepts\u002F22.anonymizing-network",{"title":181,"path":182,"stem":183},"Email quality","\u002Fdocs\u002Fv3\u002Fconcepts\u002Femail","1.docs\u002Fv3\u002F6.concepts\u002F23.email",{"title":185,"path":186,"stem":187},"Velocity","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fvelocity","1.docs\u002Fv3\u002F6.concepts\u002F24.velocity",false,{"title":190,"path":191,"stem":192,"children":193,"page":188},"Advanced","\u002Fdocs\u002Fv3\u002Fadvanced","1.docs\u002Fv3\u002F7.Advanced",[194],{"title":195,"path":196,"stem":197},"Proxy setup","\u002Fdocs\u002Fv3\u002Fadvanced\u002Fproxy-setup","1.docs\u002Fv3\u002F7.Advanced\u002F1.Proxy-setup",{"id":199,"title":113,"body":200,"description":409,"extension":410,"meta":411,"navigation":412,"path":114,"rawbody":413,"seo":414,"stem":115,"__hash__":415},"docsv3\u002F1.docs\u002Fv3\u002F6.concepts\u002F06.verdicts.md",{"type":201,"value":202,"toc":402},"minimark",[203,207,224,229,344,353,357,380,388,392],[204,205,113],"h1",{"id":206},"verdicts",[208,209,210,211,215,216,219,220,223],"p",{},"A verdict is Rupt's decision on an ",[212,213,214],"a",{"href":94},"evaluation",". It's the output of the ",[212,217,218],{"href":118},"policy"," that matched, and it tells your server what to do with the user's ",[212,221,222],{"href":98},"action",". The verdict is just the matched policy's action type, so the set below is exactly the set of actions a policy can take.",[225,226,228],"h2",{"id":227},"the-verdicts","The verdicts",[230,231,232,248],"table",{},[233,234,235],"thead",{},[236,237,238,242,245],"tr",{},[239,240,241],"th",{},"Verdict",[239,243,244],{},"What it means",[239,246,247],{},"Server action",[249,250,251,266,279,299,312,329],"tbody",{},[236,252,253,260,263],{},[254,255,256],"td",{},[257,258,259],"code",{},"allow",[254,261,262],{},"Nothing matched, or the matched policy says let it through.",[254,264,265],{},"Honor the action.",[236,267,268,273,276],{},[254,269,270],{},[257,271,272],{},"deny",[254,274,275],{},"A policy matched and blocks outright.",[254,277,278],{},"Block the action.",[236,280,281,286,289],{},[254,282,283],{},[257,284,285],{},"challenge",[254,287,288],{},"Identity needs to be verified before you trust the action.",[254,290,291,292,294,295,298],{},"Block until the linked ",[212,293,285],{"href":122}," reaches ",[257,296,297],{},"completed",". Otherwise keep blocking.",[236,300,301,306,309],{},[254,302,303],{},[257,304,305],{},"suspend",[254,307,308],{},"The user has been suspended on this project.",[254,310,311],{},"Block. The suspension stays in place until you lift it.",[236,313,314,319,326],{},[254,315,316],{},[257,317,318],{},"add_to_list",[254,320,321,322,325],{},"The matched value was added to a ",[212,323,324],{"href":150},"list",".",[254,327,328],{},"Honor the action. Rupt has already applied the list change.",[236,330,331,336,341],{},[254,332,333],{},[257,334,335],{},"remove_from_list",[254,337,338,339,325],{},"The mirror of ",[257,340,318],{},[254,342,343],{},"Honor the action. The list change is already done.",[208,345,346,347,349,350,352],{},"The value behind ",[257,348,318],{}," \u002F ",[257,351,335],{}," depends on the list: it can be the user, IP, email, fingerprint, or another field the list is keyed on.",[225,354,356],{"id":355},"soft-vs-hard-verdicts","Soft vs hard verdicts",[208,358,359,361,362,364,365,367,368,370,371,373,374,376,377,379],{},[257,360,259],{},", ",[257,363,272],{},", and ",[257,366,305],{}," are final: the verdict is the answer. ",[257,369,285],{}," is not. With a challenge, the real answer depends on whether the user passes, so treat ",[257,372,285],{}," like ",[257,375,272],{}," until you've confirmed the challenge reached ",[257,378,297],{},". Any other state (failed, skipped, or still in progress) should stay blocked.",[208,381,382,384,385,387],{},[257,383,318],{}," and ",[257,386,335],{}," never block the action. They let a policy maintain state without interrupting the user.",[225,389,391],{"id":390},"confirming-server-side","Confirming server-side",[208,393,394,395,397,398,325],{},"The verdict that reaches the client is advisory. A determined attacker can strip it before it gets back to your server, so don't trust the client copy for anything that matters. Confirm the verdict by fetching the ",[212,396,214],{"href":94}," directly from Rupt, then check that the action, user, email, phone, and metadata on it match what your server expected before you honor the action. The wiring is in ",[212,399,401],{"href":400},"\u002Fdocs\u002Fv3\u002Fquick-start#3-confirm-the-evaluation-server-side","Quick start step 3",{"title":403,"searchDepth":404,"depth":404,"links":405},"",2,[406,407,408],{"id":227,"depth":404,"text":228},{"id":355,"depth":404,"text":356},{"id":390,"depth":404,"text":391},"A verdict is Rupt's decision on an action (allow, deny, challenge, suspend, or a list mutation). The matching policy chooses the verdict; your server enforces it.","md",{},true,"---\ntitle: Verdicts\ndescription: A verdict is Rupt's decision on an action (allow, deny, challenge, suspend, or a list mutation). The matching policy chooses the verdict; your server enforces it.\n---\n\n# Verdicts\n\nA verdict is Rupt's decision on an [evaluation](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fevaluations). It's the output of the [policy](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fpolicies) that matched, and it tells your server what to do with the user's [action](\u002Fdocs\u002Fv3\u002Fconcepts\u002Factions). The verdict is just the matched policy's action type, so the set below is exactly the set of actions a policy can take.\n\n## The verdicts\n\n| Verdict            | What it means                                                | Server action                                                                                                |\n| ------------------ | ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------ |\n| `allow`            | Nothing matched, or the matched policy says let it through.  | Honor the action.                                                                                            |\n| `deny`             | A policy matched and blocks outright.                        | Block the action.                                                                                            |\n| `challenge`        | Identity needs to be verified before you trust the action.   | Block until the linked [challenge](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fchallenges) reaches `completed`. Otherwise keep blocking. |\n| `suspend`          | The user has been suspended on this project.                 | Block. The suspension stays in place until you lift it.                                                      |\n| `add_to_list`      | The matched value was added to a [list](\u002Fdocs\u002Fv3\u002Fconcepts\u002Flists). | Honor the action. Rupt has already applied the list change.                                             |\n| `remove_from_list` | The mirror of `add_to_list`.                                 | Honor the action. The list change is already done.                                                           |\n\nThe value behind `add_to_list` \u002F `remove_from_list` depends on the list: it can be the user, IP, email, fingerprint, or another field the list is keyed on.\n\n## Soft vs hard verdicts\n\n`allow`, `deny`, and `suspend` are final: the verdict is the answer. `challenge` is not. With a challenge, the real answer depends on whether the user passes, so treat `challenge` like `deny` until you've confirmed the challenge reached `completed`. Any other state (failed, skipped, or still in progress) should stay blocked.\n\n`add_to_list` and `remove_from_list` never block the action. They let a policy maintain state without interrupting the user.\n\n## Confirming server-side\n\nThe verdict that reaches the client is advisory. A determined attacker can strip it before it gets back to your server, so don't trust the client copy for anything that matters. Confirm the verdict by fetching the [evaluation](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fevaluations) directly from Rupt, then check that the action, user, email, phone, and metadata on it match what your server expected before you honor the action. The wiring is in [Quick start step 3](\u002Fdocs\u002Fv3\u002Fquick-start#3-confirm-the-evaluation-server-side).\n",{"title":113,"description":409},"UV2WDesQ1K7n9l47b487PqOaV1BqAOSqSVOrJf4aFmo",1780344893242]