[{"data":1,"prerenderedAt":562},["ShallowReactive",2],{"docsv3-nav":3,"\u002Fdocs\u002Fv3\u002Fconcepts\u002Fpolicies":198},[4],{"title":5,"path":6,"stem":7,"children":8,"page":188},"V3","\u002Fdocs\u002Fv3","1.docs\u002Fv3",[9,13,17,21,38,87,189],{"title":10,"path":11,"stem":12},"Introduction","\u002Fdocs\u002Fv3\u002Fintroduction","1.docs\u002Fv3\u002F1.Introduction",{"title":14,"path":15,"stem":16},"Quick start","\u002Fdocs\u002Fv3\u002Fquick-start","1.docs\u002Fv3\u002F2.Quick start",{"title":18,"path":19,"stem":20},"Challenge flow","\u002Fdocs\u002Fv3\u002Fchallenge-flow","1.docs\u002Fv3\u002F3.Challenge flow",{"title":22,"path":23,"stem":24,"children":25},"Fundamentals","\u002Fdocs\u002Fv3\u002Ffundamentals","1.docs\u002Fv3\u002F4.fundamentals",[26,30,34],{"title":27,"path":28,"stem":29},"Signup protection","\u002Fdocs\u002Fv3\u002Ffundamentals\u002Fsignup-protection","1.docs\u002Fv3\u002F4.fundamentals\u002F00.Signup protection",{"title":31,"path":32,"stem":33},"Login protection","\u002Fdocs\u002Fv3\u002Ffundamentals\u002Flogin-protection","1.docs\u002Fv3\u002F4.fundamentals\u002F01.Login protection",{"title":35,"path":36,"stem":37},"Access protection","\u002Fdocs\u002Fv3\u002Ffundamentals\u002Faccess-protection","1.docs\u002Fv3\u002F4.fundamentals\u002F02.Access protection",{"title":39,"path":40,"stem":41,"children":42},"Guides","\u002Fdocs\u002Fv3\u002Fguides","1.docs\u002Fv3\u002F5.guides",[43,47,51,55,59,63,67,71,75,79,83],{"title":44,"path":45,"stem":46},"Account sharing prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Faccount-sharing-prevention","1.docs\u002Fv3\u002F5.guides\u002F1.Account sharing prevention",{"title":48,"path":49,"stem":50},"Web scraping prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fweb-scraping-prevention","1.docs\u002Fv3\u002F5.guides\u002F13.Web scraping prevention",{"title":52,"path":53,"stem":54},"Ban enforcement","\u002Fdocs\u002Fv3\u002Fguides\u002Fban-enforcement","1.docs\u002Fv3\u002F5.guides\u002F14.Ban enforcement",{"title":56,"path":57,"stem":58},"Chargeback dispute","\u002Fdocs\u002Fv3\u002Fguides\u002Fchargeback-dispute","1.docs\u002Fv3\u002F5.guides\u002F15.Chargeback dispute",{"title":60,"path":61,"stem":62},"Multi-accounting prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fmulti-accounting-prevention","1.docs\u002Fv3\u002F5.guides\u002F16.Multi-accounting prevention",{"title":64,"path":65,"stem":66},"Account takeover prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Faccount-takeover-prevention","1.docs\u002Fv3\u002F5.guides\u002F2.Account takeover prevention",{"title":68,"path":69,"stem":70},"Risky transaction prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Frisky-transaction-prevention","1.docs\u002Fv3\u002F5.guides\u002F20.Risky transaction prevention",{"title":72,"path":73,"stem":74},"Fake account detection","\u002Fdocs\u002Fv3\u002Fguides\u002Ffake-account-detection","1.docs\u002Fv3\u002F5.guides\u002F3.Fake account detection",{"title":76,"path":77,"stem":78},"Bot detection","\u002Fdocs\u002Fv3\u002Fguides\u002Fbot-detection","1.docs\u002Fv3\u002F5.guides\u002F4.Bot detection",{"title":80,"path":81,"stem":82},"Card testing prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fcard-testing-prevention","1.docs\u002Fv3\u002F5.guides\u002F5.Card testing prevention",{"title":84,"path":85,"stem":86},"Incentive abuse prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fincentive-abuse-prevention","1.docs\u002Fv3\u002F5.guides\u002F9.Incentive abuse prevention",{"title":88,"path":89,"stem":90,"children":91,"page":188},"Concepts","\u002Fdocs\u002Fv3\u002Fconcepts","1.docs\u002Fv3\u002F6.concepts",[92,96,100,104,108,112,116,120,124,128,132,136,140,144,148,152,156,160,164,168,172,176,180,184],{"title":93,"path":94,"stem":95},"Evaluations","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fevaluations","1.docs\u002Fv3\u002F6.concepts\u002F01.evaluations",{"title":97,"path":98,"stem":99},"Actions","\u002Fdocs\u002Fv3\u002Fconcepts\u002Factions","1.docs\u002Fv3\u002F6.concepts\u002F02.actions",{"title":101,"path":102,"stem":103},"Signals","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fsignals","1.docs\u002Fv3\u002F6.concepts\u002F03.signals",{"title":105,"path":106,"stem":107},"Checks","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fchecks","1.docs\u002Fv3\u002F6.concepts\u002F04.checks",{"title":109,"path":110,"stem":111},"Risks","\u002Fdocs\u002Fv3\u002Fconcepts\u002Frisks","1.docs\u002Fv3\u002F6.concepts\u002F05.risks",{"title":113,"path":114,"stem":115},"Verdicts","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fverdicts","1.docs\u002Fv3\u002F6.concepts\u002F06.verdicts",{"title":117,"path":118,"stem":119},"Policies","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fpolicies","1.docs\u002Fv3\u002F6.concepts\u002F07.policies",{"title":121,"path":122,"stem":123},"Challenges","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fchallenges","1.docs\u002Fv3\u002F6.concepts\u002F08.challenges",{"title":125,"path":126,"stem":127},"Concurrency","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fconcurrency","1.docs\u002Fv3\u002F6.concepts\u002F09.concurrency",{"title":129,"path":130,"stem":131},"Impossible travel","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fimpossible-travel","1.docs\u002Fv3\u002F6.concepts\u002F10.impossible-travel",{"title":133,"path":134,"stem":135},"Bots","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fbots","1.docs\u002Fv3\u002F6.concepts\u002F11.bots",{"title":137,"path":138,"stem":139},"Devices","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fdevices","1.docs\u002Fv3\u002F6.concepts\u002F12.devices",{"title":141,"path":142,"stem":143},"Fingerprints","\u002Fdocs\u002Fv3\u002Fconcepts\u002Ffingerprints","1.docs\u002Fv3\u002F6.concepts\u002F13.fingerprints",{"title":145,"path":146,"stem":147},"People","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fpeople","1.docs\u002Fv3\u002F6.concepts\u002F14.people",{"title":149,"path":150,"stem":151},"Lists","\u002Fdocs\u002Fv3\u002Fconcepts\u002Flists","1.docs\u002Fv3\u002F6.concepts\u002F15.lists",{"title":153,"path":154,"stem":155},"Account takeover","\u002Fdocs\u002Fv3\u002Fconcepts\u002Faccount-takeover","1.docs\u002Fv3\u002F6.concepts\u002F16.account-takeover",{"title":157,"path":158,"stem":159},"Account sharing","\u002Fdocs\u002Fv3\u002Fconcepts\u002Faccount-sharing","1.docs\u002Fv3\u002F6.concepts\u002F17.account-sharing",{"title":161,"path":162,"stem":163},"Fake account","\u002Fdocs\u002Fv3\u002Fconcepts\u002Ffake-account","1.docs\u002Fv3\u002F6.concepts\u002F18.fake-account",{"title":165,"path":166,"stem":167},"Scraping","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fscraping","1.docs\u002Fv3\u002F6.concepts\u002F19.scraping",{"title":169,"path":170,"stem":171},"Linked accounts","\u002Fdocs\u002Fv3\u002Fconcepts\u002Flinked-accounts","1.docs\u002Fv3\u002F6.concepts\u002F20.linked-accounts",{"title":173,"path":174,"stem":175},"New IP","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fip","1.docs\u002Fv3\u002F6.concepts\u002F21.ip",{"title":177,"path":178,"stem":179},"Anonymizing network","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fanonymizing-network","1.docs\u002Fv3\u002F6.concepts\u002F22.anonymizing-network",{"title":181,"path":182,"stem":183},"Email quality","\u002Fdocs\u002Fv3\u002Fconcepts\u002Femail","1.docs\u002Fv3\u002F6.concepts\u002F23.email",{"title":185,"path":186,"stem":187},"Velocity","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fvelocity","1.docs\u002Fv3\u002F6.concepts\u002F24.velocity",false,{"title":190,"path":191,"stem":192,"children":193,"page":188},"Advanced","\u002Fdocs\u002Fv3\u002Fadvanced","1.docs\u002Fv3\u002F7.Advanced",[194],{"title":195,"path":196,"stem":197},"Proxy setup","\u002Fdocs\u002Fv3\u002Fadvanced\u002Fproxy-setup","1.docs\u002Fv3\u002F7.Advanced\u002F1.Proxy-setup",{"id":199,"title":117,"body":200,"description":552,"extension":553,"meta":554,"navigation":555,"path":118,"rawbody":556,"seo":557,"stem":119,"__hash__":561},"docsv3\u002F1.docs\u002Fv3\u002F6.concepts\u002F07.policies.md",{"type":201,"value":202,"toc":544},"minimark",[203,207,224,230,235,310,314,321,477,487,491,505,514,518],[204,205,117],"h1",{"id":206},"policies",[208,209,210,211,215,216,219,220,223],"p",{},"A policy is a rule that turns ",[212,213,214],"a",{"href":106},"checks"," into a ",[212,217,218],{"href":114},"verdict",". It's a tree of conditions plus an action: when the conditions match an ",[212,221,222],{"href":94},"evaluation",", the action becomes the verdict.",[208,225,226,227,229],{},"Policies are the v3 replacement for v2 environments. Where v2 leaned on fixed environment thresholds, v3 lets you write your own AND\u002FOR conditions over any check and pick the ",[212,228,218],{"href":114}," to apply.",[231,232,234],"h2",{"id":233},"anatomy-of-a-policy","Anatomy of a policy",[236,237,238,246,261,267,289,295,304],"ul",{},[239,240,241,245],"li",{},[242,243,244],"strong",{},"Name and description",": for your own reference in the dashboard.",[239,247,248,251,252,256,257,260],{},[242,249,250],{},"Type",": ",[253,254,255],"code",{},"development"," or ",[253,258,259],{},"production",". A development policy is evaluated only for traffic from a development API key, and a production policy only for production keys. That lets you test rules without touching live traffic.",[239,262,263,266],{},[242,264,265],{},"Enabled",": turn a policy on or off without deleting it.",[239,268,269,272,273,276,277,280,281,284,285,288],{},[242,270,271],{},"Event types",": which ",[212,274,275],{"href":98},"actions"," the policy applies to: ",[253,278,279],{},"login",", ",[253,282,283],{},"signup",", or ",[253,286,287],{},"access",".",[239,290,291,294],{},[242,292,293],{},"Conditions",": a nested AND\u002FOR tree of comparisons over checks, lists, and metadata.",[239,296,297,300,301,303],{},[242,298,299],{},"Action",": the ",[212,302,218],{"href":114}," to produce when the conditions match.",[239,305,306,309],{},[242,307,308],{},"Priority",": decides which policy wins when more than one matches. The highest-priority match takes effect.",[231,311,313],{"id":312},"what-conditions-can-check","What conditions can check",[208,315,316,317,320],{},"Condition fields line up with the ",[212,318,319],{"href":106},"check"," inventory, grouped by category:",[236,322,323,343,372,408,425,436,444,468],{},[239,324,325,251,328,280,331,280,334,280,337,280,340,288],{},[242,326,327],{},"Device",[253,329,330],{},"device_count",[253,332,333],{},"computer_device_count",[253,335,336],{},"tablet_device_count",[253,338,339],{},"mobile_device_count",[253,341,342],{},"device_id",[239,344,345,251,348,280,351,280,354,280,357,280,360,280,363,280,366,280,369,288],{},[242,346,347],{},"Network",[253,349,350],{},"impossible_travel",[253,352,353],{},"is_new_ip",[253,355,356],{},"ip_country",[253,358,359],{},"ip_is_vpn",[253,361,362],{},"ip_is_proxy",[253,364,365],{},"ip_is_tor",[253,367,368],{},"ip_is_hosting",[253,370,371],{},"concurrent_sessions",[239,373,374,251,377,280,380,280,383,280,386,280,389,280,392,395,396,398,399,280,402,280,405,288],{},[242,375,376],{},"User",[253,378,379],{},"is_new_user",[253,381,382],{},"is_email_verified",[253,384,385],{},"is_phone_verified",[253,387,388],{},"user_age_days",[253,390,391],{},"is_suspended",[253,393,394],{},"in_list"," (see ",[212,397,149],{"href":150},"), ",[253,400,401],{},"user_external_id",[253,403,404],{},"user_email",[253,406,407],{},"metadata",[239,409,410,251,413,280,416,280,419,280,422,288],{},[242,411,412],{},"Email",[253,414,415],{},"email_is_disposable",[253,417,418],{},"email_is_webmail",[253,420,421],{},"email_is_invalid",[253,423,424],{},"email_is_accept_all",[239,426,427,251,430,280,433,288],{},[242,428,429],{},"Fingerprint",[253,431,432],{},"is_new_fingerprint",[253,434,435],{},"fingerprint_user_count",[239,437,438,251,440,443],{},[242,439,185],{},[253,441,442],{},"event_count"," over a sliding window.",[239,445,446,449,450,280,453,280,456,280,459,280,462,280,465,288],{},[242,447,448],{},"Device integrity"," (native SDKs): ",[253,451,452],{},"jailbroken_ios",[253,454,455],{},"rooted_android",[253,457,458],{},"is_simulator",[253,460,461],{},"is_emulator",[253,463,464],{},"debugger_attached",[253,466,467],{},"ui_testing",[239,469,470,251,473,476],{},[242,471,472],{},"Group",[253,474,475],{},"group",", the user's assigned group (if you use groups).",[208,478,479,480,482,483,486],{},"Conditions match on ",[212,481,214],{"href":106},", not ",[212,484,485],{"href":110},"risks",". Risks are scored separately and recorded on the evaluation for review. Matching a policy directly on a risk score or severity is coming soon.",[231,488,490],{"id":489},"how-matching-works","How matching works",[208,492,493,494,496,497,500,501,504],{},"When an ",[212,495,222],{"href":94}," runs, Rupt walks every enabled policy whose ",[253,498,499],{},"type"," matches the calling API key's environment and whose event type matches the action, in ",[253,502,503],{},"priority"," order, and tests each one's conditions against the derived checks. The highest-priority match wins; ties break toward the older policy. Order your rules so the most specific ones sit above the broad catch-alls.",[208,506,507,508,510,511,288],{},"The winning policy's action becomes the evaluation's ",[212,509,218],{"href":114},". If nothing matches, the verdict is ",[253,512,513],{},"allow",[231,515,517],{"id":516},"practical-guidance","Practical guidance",[236,519,520,529,538],{},[239,521,522,523,525,526,528],{},"Start broad and narrow as you learn. A first ",[253,524,279],{}," policy that challenges when ",[253,527,350],{}," is true catches a lot with very few false positives.",[239,530,531,532,534,535,537],{},"Reach for specific checks when you want a surgical rule: deny on ",[253,533,458],{}," in native flows, or challenge once ",[253,536,330],{}," crosses a threshold.",[239,539,540,541,543],{},"Keep development and production policies separate by ",[253,542,499],{},". The dashboard shows both side by side, and only the set matching the calling key is evaluated.",{"title":545,"searchDepth":546,"depth":546,"links":547},"",2,[548,549,550,551],{"id":233,"depth":546,"text":234},{"id":312,"depth":546,"text":313},{"id":489,"depth":546,"text":490},{"id":516,"depth":546,"text":517},"[object Object]","md",{},true,"---\ntitle: Policies\ndescription: Policies are the rules that turn checks into a verdict. A policy is a tree of conditions plus an action: when the conditions match, the action becomes the verdict.\n---\n\n# Policies\n\nA policy is a rule that turns [checks](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fchecks) into a [verdict](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fverdicts). It's a tree of conditions plus an action: when the conditions match an [evaluation](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fevaluations), the action becomes the verdict.\n\nPolicies are the v3 replacement for v2 environments. Where v2 leaned on fixed environment thresholds, v3 lets you write your own AND\u002FOR conditions over any check and pick the [verdict](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fverdicts) to apply.\n\n## Anatomy of a policy\n\n- **Name and description**: for your own reference in the dashboard.\n- **Type**: `development` or `production`. A development policy is evaluated only for traffic from a development API key, and a production policy only for production keys. That lets you test rules without touching live traffic.\n- **Enabled**: turn a policy on or off without deleting it.\n- **Event types**: which [actions](\u002Fdocs\u002Fv3\u002Fconcepts\u002Factions) the policy applies to: `login`, `signup`, or `access`.\n- **Conditions**: a nested AND\u002FOR tree of comparisons over checks, lists, and metadata.\n- **Action**: the [verdict](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fverdicts) to produce when the conditions match.\n- **Priority**: decides which policy wins when more than one matches. The highest-priority match takes effect.\n\n## What conditions can check\n\nCondition fields line up with the [check](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fchecks) inventory, grouped by category:\n\n- **Device**: `device_count`, `computer_device_count`, `tablet_device_count`, `mobile_device_count`, `device_id`.\n- **Network**: `impossible_travel`, `is_new_ip`, `ip_country`, `ip_is_vpn`, `ip_is_proxy`, `ip_is_tor`, `ip_is_hosting`, `concurrent_sessions`.\n- **User**: `is_new_user`, `is_email_verified`, `is_phone_verified`, `user_age_days`, `is_suspended`, `in_list` (see [Lists](\u002Fdocs\u002Fv3\u002Fconcepts\u002Flists)), `user_external_id`, `user_email`, `metadata`.\n- **Email**: `email_is_disposable`, `email_is_webmail`, `email_is_invalid`, `email_is_accept_all`.\n- **Fingerprint**: `is_new_fingerprint`, `fingerprint_user_count`.\n- **Velocity**: `event_count` over a sliding window.\n- **Device integrity** (native SDKs): `jailbroken_ios`, `rooted_android`, `is_simulator`, `is_emulator`, `debugger_attached`, `ui_testing`.\n- **Group**: `group`, the user's assigned group (if you use groups).\n\nConditions match on [checks](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fchecks), not [risks](\u002Fdocs\u002Fv3\u002Fconcepts\u002Frisks). Risks are scored separately and recorded on the evaluation for review. Matching a policy directly on a risk score or severity is coming soon.\n\n## How matching works\n\nWhen an [evaluation](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fevaluations) runs, Rupt walks every enabled policy whose `type` matches the calling API key's environment and whose event type matches the action, in `priority` order, and tests each one's conditions against the derived checks. The highest-priority match wins; ties break toward the older policy. Order your rules so the most specific ones sit above the broad catch-alls.\n\nThe winning policy's action becomes the evaluation's [verdict](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fverdicts). If nothing matches, the verdict is `allow`.\n\n## Practical guidance\n\n- Start broad and narrow as you learn. A first `login` policy that challenges when `impossible_travel` is true catches a lot with very few false positives.\n- Reach for specific checks when you want a surgical rule: deny on `is_simulator` in native flows, or challenge once `device_count` crosses a threshold.\n- Keep development and production policies separate by `type`. The dashboard shows both side by side, and only the set matching the calling key is evaluated.\n",{"title":117,"description":558},{"Policies are the rules that turn checks into a verdict":559},{" A policy is a tree of conditions plus an action":560},"when the conditions match, the action becomes the verdict.","8Z38IjP_ulprsDMcfEgdvNjMZNispFIX3Sqzah3Ovy8",1780344893253]