[{"data":1,"prerenderedAt":419},["ShallowReactive",2],{"docsv3-nav":3,"\u002Fdocs\u002Fv3\u002Fconcepts\u002Flists":198},[4],{"title":5,"path":6,"stem":7,"children":8,"page":188},"V3","\u002Fdocs\u002Fv3","1.docs\u002Fv3",[9,13,17,21,38,87,189],{"title":10,"path":11,"stem":12},"Introduction","\u002Fdocs\u002Fv3\u002Fintroduction","1.docs\u002Fv3\u002F1.Introduction",{"title":14,"path":15,"stem":16},"Quick start","\u002Fdocs\u002Fv3\u002Fquick-start","1.docs\u002Fv3\u002F2.Quick start",{"title":18,"path":19,"stem":20},"Challenge flow","\u002Fdocs\u002Fv3\u002Fchallenge-flow","1.docs\u002Fv3\u002F3.Challenge flow",{"title":22,"path":23,"stem":24,"children":25},"Fundamentals","\u002Fdocs\u002Fv3\u002Ffundamentals","1.docs\u002Fv3\u002F4.fundamentals",[26,30,34],{"title":27,"path":28,"stem":29},"Signup protection","\u002Fdocs\u002Fv3\u002Ffundamentals\u002Fsignup-protection","1.docs\u002Fv3\u002F4.fundamentals\u002F00.Signup protection",{"title":31,"path":32,"stem":33},"Login protection","\u002Fdocs\u002Fv3\u002Ffundamentals\u002Flogin-protection","1.docs\u002Fv3\u002F4.fundamentals\u002F01.Login protection",{"title":35,"path":36,"stem":37},"Access protection","\u002Fdocs\u002Fv3\u002Ffundamentals\u002Faccess-protection","1.docs\u002Fv3\u002F4.fundamentals\u002F02.Access protection",{"title":39,"path":40,"stem":41,"children":42},"Guides","\u002Fdocs\u002Fv3\u002Fguides","1.docs\u002Fv3\u002F5.guides",[43,47,51,55,59,63,67,71,75,79,83],{"title":44,"path":45,"stem":46},"Account sharing prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Faccount-sharing-prevention","1.docs\u002Fv3\u002F5.guides\u002F1.Account sharing prevention",{"title":48,"path":49,"stem":50},"Web scraping prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fweb-scraping-prevention","1.docs\u002Fv3\u002F5.guides\u002F13.Web scraping prevention",{"title":52,"path":53,"stem":54},"Ban enforcement","\u002Fdocs\u002Fv3\u002Fguides\u002Fban-enforcement","1.docs\u002Fv3\u002F5.guides\u002F14.Ban enforcement",{"title":56,"path":57,"stem":58},"Chargeback dispute","\u002Fdocs\u002Fv3\u002Fguides\u002Fchargeback-dispute","1.docs\u002Fv3\u002F5.guides\u002F15.Chargeback dispute",{"title":60,"path":61,"stem":62},"Multi-accounting prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fmulti-accounting-prevention","1.docs\u002Fv3\u002F5.guides\u002F16.Multi-accounting prevention",{"title":64,"path":65,"stem":66},"Account takeover prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Faccount-takeover-prevention","1.docs\u002Fv3\u002F5.guides\u002F2.Account takeover prevention",{"title":68,"path":69,"stem":70},"Risky transaction prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Frisky-transaction-prevention","1.docs\u002Fv3\u002F5.guides\u002F20.Risky transaction prevention",{"title":72,"path":73,"stem":74},"Fake account detection","\u002Fdocs\u002Fv3\u002Fguides\u002Ffake-account-detection","1.docs\u002Fv3\u002F5.guides\u002F3.Fake account detection",{"title":76,"path":77,"stem":78},"Bot detection","\u002Fdocs\u002Fv3\u002Fguides\u002Fbot-detection","1.docs\u002Fv3\u002F5.guides\u002F4.Bot detection",{"title":80,"path":81,"stem":82},"Card testing prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fcard-testing-prevention","1.docs\u002Fv3\u002F5.guides\u002F5.Card testing prevention",{"title":84,"path":85,"stem":86},"Incentive abuse prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fincentive-abuse-prevention","1.docs\u002Fv3\u002F5.guides\u002F9.Incentive abuse prevention",{"title":88,"path":89,"stem":90,"children":91,"page":188},"Concepts","\u002Fdocs\u002Fv3\u002Fconcepts","1.docs\u002Fv3\u002F6.concepts",[92,96,100,104,108,112,116,120,124,128,132,136,140,144,148,152,156,160,164,168,172,176,180,184],{"title":93,"path":94,"stem":95},"Evaluations","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fevaluations","1.docs\u002Fv3\u002F6.concepts\u002F01.evaluations",{"title":97,"path":98,"stem":99},"Actions","\u002Fdocs\u002Fv3\u002Fconcepts\u002Factions","1.docs\u002Fv3\u002F6.concepts\u002F02.actions",{"title":101,"path":102,"stem":103},"Signals","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fsignals","1.docs\u002Fv3\u002F6.concepts\u002F03.signals",{"title":105,"path":106,"stem":107},"Checks","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fchecks","1.docs\u002Fv3\u002F6.concepts\u002F04.checks",{"title":109,"path":110,"stem":111},"Risks","\u002Fdocs\u002Fv3\u002Fconcepts\u002Frisks","1.docs\u002Fv3\u002F6.concepts\u002F05.risks",{"title":113,"path":114,"stem":115},"Verdicts","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fverdicts","1.docs\u002Fv3\u002F6.concepts\u002F06.verdicts",{"title":117,"path":118,"stem":119},"Policies","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fpolicies","1.docs\u002Fv3\u002F6.concepts\u002F07.policies",{"title":121,"path":122,"stem":123},"Challenges","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fchallenges","1.docs\u002Fv3\u002F6.concepts\u002F08.challenges",{"title":125,"path":126,"stem":127},"Concurrency","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fconcurrency","1.docs\u002Fv3\u002F6.concepts\u002F09.concurrency",{"title":129,"path":130,"stem":131},"Impossible travel","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fimpossible-travel","1.docs\u002Fv3\u002F6.concepts\u002F10.impossible-travel",{"title":133,"path":134,"stem":135},"Bots","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fbots","1.docs\u002Fv3\u002F6.concepts\u002F11.bots",{"title":137,"path":138,"stem":139},"Devices","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fdevices","1.docs\u002Fv3\u002F6.concepts\u002F12.devices",{"title":141,"path":142,"stem":143},"Fingerprints","\u002Fdocs\u002Fv3\u002Fconcepts\u002Ffingerprints","1.docs\u002Fv3\u002F6.concepts\u002F13.fingerprints",{"title":145,"path":146,"stem":147},"People","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fpeople","1.docs\u002Fv3\u002F6.concepts\u002F14.people",{"title":149,"path":150,"stem":151},"Lists","\u002Fdocs\u002Fv3\u002Fconcepts\u002Flists","1.docs\u002Fv3\u002F6.concepts\u002F15.lists",{"title":153,"path":154,"stem":155},"Account takeover","\u002Fdocs\u002Fv3\u002Fconcepts\u002Faccount-takeover","1.docs\u002Fv3\u002F6.concepts\u002F16.account-takeover",{"title":157,"path":158,"stem":159},"Account sharing","\u002Fdocs\u002Fv3\u002Fconcepts\u002Faccount-sharing","1.docs\u002Fv3\u002F6.concepts\u002F17.account-sharing",{"title":161,"path":162,"stem":163},"Fake account","\u002Fdocs\u002Fv3\u002Fconcepts\u002Ffake-account","1.docs\u002Fv3\u002F6.concepts\u002F18.fake-account",{"title":165,"path":166,"stem":167},"Scraping","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fscraping","1.docs\u002Fv3\u002F6.concepts\u002F19.scraping",{"title":169,"path":170,"stem":171},"Linked accounts","\u002Fdocs\u002Fv3\u002Fconcepts\u002Flinked-accounts","1.docs\u002Fv3\u002F6.concepts\u002F20.linked-accounts",{"title":173,"path":174,"stem":175},"New IP","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fip","1.docs\u002Fv3\u002F6.concepts\u002F21.ip",{"title":177,"path":178,"stem":179},"Anonymizing network","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fanonymizing-network","1.docs\u002Fv3\u002F6.concepts\u002F22.anonymizing-network",{"title":181,"path":182,"stem":183},"Email quality","\u002Fdocs\u002Fv3\u002Fconcepts\u002Femail","1.docs\u002Fv3\u002F6.concepts\u002F23.email",{"title":185,"path":186,"stem":187},"Velocity","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fvelocity","1.docs\u002Fv3\u002F6.concepts\u002F24.velocity",false,{"title":190,"path":191,"stem":192,"children":193,"page":188},"Advanced","\u002Fdocs\u002Fv3\u002Fadvanced","1.docs\u002Fv3\u002F7.Advanced",[194],{"title":195,"path":196,"stem":197},"Proxy setup","\u002Fdocs\u002Fv3\u002Fadvanced\u002Fproxy-setup","1.docs\u002Fv3\u002F7.Advanced\u002F1.Proxy-setup",{"id":199,"title":149,"body":200,"description":412,"extension":413,"meta":414,"navigation":415,"path":150,"rawbody":416,"seo":417,"stem":151,"__hash__":418},"docsv3\u002F1.docs\u002Fv3\u002F6.concepts\u002F15.lists.md",{"type":201,"value":202,"toc":404},"minimark",[203,207,225,230,233,266,269,273,287,309,312,316,323,342,351,355],[204,205,149],"h1",{"id":206},"lists",[208,209,210,211,215,216,220,221,224],"p",{},"A list is a set of values you can match against in a ",[212,213,214],"a",{"href":118},"policy"," condition. Lists are how you encode rules that depend on ",[217,218,219],"em",{},"which user, IP, email, or fingerprint",", not ",[217,222,223],{},"what kind of"," user, IP, email, or fingerprint. Allow lists, block lists, VIP lists, known-fraud lists: all the same primitive.",[226,227,229],"h2",{"id":228},"what-goes-in-a-list","What goes in a list",[208,231,232],{},"A list holds values of a single kind:",[234,235,236,245,248,251,257,260,263],"ul",{},[237,238,239,240,244],"li",{},"User ",[241,242,243],"code",{},"external_id","s.",[237,246,247],{},"IP addresses.",[237,249,250],{},"Email addresses or domains.",[237,252,253,256],{},[212,254,255],{"href":142},"Fingerprint"," IDs.",[237,258,259],{},"Phone numbers.",[237,261,262],{},"Country codes.",[237,264,265],{},"Device IDs.",[208,267,268],{},"You manage list contents from the dashboard or the API. Policies reference lists by name.",[226,270,272],{"id":271},"how-policies-use-lists","How policies use lists",[208,274,275,276,279,280,282,283,286],{},"The ",[241,277,278],{},"in_list"," ",[212,281,214],{"href":118}," condition matches when the value on the ",[212,284,285],{"href":94},"evaluation"," appears in the list:",[288,289,290,301],"blockquote",{},[208,291,292,293,296,297,300],{},"If ",[241,294,295],{},"user_external_id in_list \"vip-customers\""," → ",[241,298,299],{},"allow",".",[208,302,292,303,296,306,300],{},[241,304,305],{},"ip in_list \"known-fraud-ips\"",[241,307,308],{},"deny",[208,310,311],{},"Combine list checks with other conditions for finer rules, for example, \"challenge unless the user is on the VIP list.\"",[226,313,315],{"id":314},"side-effect-verdicts","Side-effect verdicts",[208,317,318,319,322],{},"Two ",[212,320,321],{"href":114},"verdicts"," mutate lists as a side-effect:",[234,324,325,334],{},[237,326,327,333],{},[328,329,330],"strong",{},[241,331,332],{},"add_to_list",": the matching policy adds the user (or IP, email, fingerprint) to a configured list.",[237,335,336,341],{},[328,337,338],{},[241,339,340],{},"remove_from_list",": the inverse.",[208,343,344,345,347,348,350],{},"The list mutation is applied by Rupt before the evaluation returns, and the action itself is honored by your server. Use this pattern for \"first offense\" rules: record the user with ",[241,346,332],{}," once, then a second policy with ",[241,349,278],{}," denies on subsequent attempts.",[226,352,354],{"id":353},"practical-patterns","Practical patterns",[234,356,357,370,381],{},[237,358,359,362,363,366,367,369],{},[328,360,361],{},"VIP allowlist."," A high-priority policy that matches ",[241,364,365],{},"user_external_id in_list \"vip\""," and returns ",[241,368,299],{}," short-circuits any later policy from challenging or denying these users.",[237,371,372,362,375,366,378,380],{},[328,373,374],{},"Known-fraud blocklist.",[241,376,377],{},"ip in_list \"fraud-ips\"",[241,379,308],{}," cuts off repeat offenders before any other check runs.",[237,382,383,386,387,390,391,394,395,398,399,401,402,300],{},[328,384,385],{},"Progressive enforcement."," First policy: ",[241,388,389],{},"add_to_list \"watching\""," on suspicious signals. Second policy: ",[241,392,393],{},"in_list \"watching\" AND"," (any new offense) → ",[241,396,397],{},"challenge",". Third policy: ",[241,400,393],{}," (severe offense) → ",[241,403,308],{},{"title":405,"searchDepth":406,"depth":406,"links":407},"",2,[408,409,410,411],{"id":228,"depth":406,"text":229},{"id":271,"depth":406,"text":272},{"id":314,"depth":406,"text":315},{"id":353,"depth":406,"text":354},"Lists are sets of values (user IDs, IPs, emails, fingerprints) that policies match against. Use them to encode allow, block, VIP, and known-fraud rules.","md",{},true,"---\ntitle: Lists\ndescription: Lists are sets of values (user IDs, IPs, emails, fingerprints) that policies match against. Use them to encode allow, block, VIP, and known-fraud rules.\n---\n\n# Lists\n\nA list is a set of values you can match against in a [policy](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fpolicies) condition. Lists are how you encode rules that depend on _which user, IP, email, or fingerprint_, not _what kind of_ user, IP, email, or fingerprint. Allow lists, block lists, VIP lists, known-fraud lists: all the same primitive.\n\n## What goes in a list\n\nA list holds values of a single kind:\n\n- User `external_id`s.\n- IP addresses.\n- Email addresses or domains.\n- [Fingerprint](\u002Fdocs\u002Fv3\u002Fconcepts\u002Ffingerprints) IDs.\n- Phone numbers.\n- Country codes.\n- Device IDs.\n\nYou manage list contents from the dashboard or the API. Policies reference lists by name.\n\n## How policies use lists\n\nThe `in_list` [policy](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fpolicies) condition matches when the value on the [evaluation](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fevaluations) appears in the list:\n\n> If `user_external_id in_list \"vip-customers\"` → `allow`.\n>\n> If `ip in_list \"known-fraud-ips\"` → `deny`.\n\nCombine list checks with other conditions for finer rules, for example, \"challenge unless the user is on the VIP list.\"\n\n## Side-effect verdicts\n\nTwo [verdicts](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fverdicts) mutate lists as a side-effect:\n\n- **`add_to_list`**: the matching policy adds the user (or IP, email, fingerprint) to a configured list.\n- **`remove_from_list`**: the inverse.\n\nThe list mutation is applied by Rupt before the evaluation returns, and the action itself is honored by your server. Use this pattern for \"first offense\" rules: record the user with `add_to_list` once, then a second policy with `in_list` denies on subsequent attempts.\n\n## Practical patterns\n\n- **VIP allowlist.** A high-priority policy that matches `user_external_id in_list \"vip\"` and returns `allow` short-circuits any later policy from challenging or denying these users.\n- **Known-fraud blocklist.** A high-priority policy that matches `ip in_list \"fraud-ips\"` and returns `deny` cuts off repeat offenders before any other check runs.\n- **Progressive enforcement.** First policy: `add_to_list \"watching\"` on suspicious signals. Second policy: `in_list \"watching\" AND` (any new offense) → `challenge`. Third policy: `in_list \"watching\" AND` (severe offense) → `deny`.\n",{"title":149,"description":412},"dbkhAhTpwuh3-dQoajo7oeVYerR3TLP3aJ41ztzqltk",1780344893585]