---
title: Verdicts
description: A verdict is Rupt's decision on an action (allow, deny, challenge, suspend, or a list mutation). The matching policy chooses the verdict; your server enforces it.
---

# Verdicts

A verdict is Rupt's decision on an [evaluation](/docs/v3/concepts/evaluations). It's the output of the [policy](/docs/v3/concepts/policies) that matched, and it tells your server what to do with the user's [action](/docs/v3/concepts/actions). The verdict is just the matched policy's action type, so the set below is exactly the set of actions a policy can take.

## The verdicts

| Verdict            | What it means                                                | Server action                                                                                                |
| ------------------ | ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------ |
| `allow`            | Nothing matched, or the matched policy says let it through.  | Honor the action.                                                                                            |
| `deny`             | A policy matched and blocks outright.                        | Block the action.                                                                                            |
| `challenge`        | Identity needs to be verified before you trust the action.   | Block until the linked [challenge](/docs/v3/concepts/challenges) reaches `completed`. Otherwise keep blocking. |
| `suspend`          | The user has been suspended on this project.                 | Block. The suspension stays in place until you lift it.                                                      |
| `add_to_list`      | The matched value was added to a [list](/docs/v3/concepts/lists). | Honor the action. Rupt has already applied the list change.                                             |
| `remove_from_list` | The mirror of `add_to_list`.                                 | Honor the action. The list change is already done.                                                           |

The value behind `add_to_list` / `remove_from_list` depends on the list: it can be the user, IP, email, fingerprint, or another field the list is keyed on.

## Soft vs hard verdicts

`allow`, `deny`, and `suspend` are final: the verdict is the answer. `challenge` is not. With a challenge, the real answer depends on whether the user passes, so treat `challenge` like `deny` until you've confirmed the challenge reached `completed`. Any other state (failed, skipped, or still in progress) should stay blocked.

`add_to_list` and `remove_from_list` never block the action. They let a policy maintain state without interrupting the user.

## Confirming server-side

The verdict that reaches the client is advisory. A determined attacker can strip it before it gets back to your server, so don't trust the client copy for anything that matters. Confirm the verdict by fetching the [evaluation](/docs/v3/concepts/evaluations) directly from Rupt, then check that the action, user, email, phone, and metadata on it match what your server expected before you honor the action. The wiring is in [Quick start step 3](/docs/v3/quick-start#3-confirm-the-evaluation-server-side).