---
title: Account sharing prevention
---

# Account sharing prevention

Account sharing is one subscription used by several people, and it's the use-case framing of the [Access protection](/docs/v3/fundamentals/access-protection) fundamental.

## Step 1: Set up access protection

Set up [Access protection](/docs/v3/fundamentals/access-protection) first. It's self-managed: you call `evaluate.access` on the client and Rupt handles detection, the challenge, owner verification, and device capping client-side. There's no server step. With that in place, the policies below are what actually catch sharing.

## Step 2: Add the policies

A policy has a trigger (the event it runs on) and a verdict. Add these in your [policies dashboard](https://app.rupt.dev/policies):

| Policy           | Trigger  | Conditions                                                                                                | Verdict    |
| ---------------- | -------- | --------------------------------------------------------------------------------------------------------- | --------- |
| Verify the owner | `access` | `concurrent_sessions`, or `impossible_travel`                                                             | Challenge |
| Cap devices      | `access` | `device_count` over your limit (or per-type `computer_device_count` / `tablet_device_count` / `mobile_device_count`) | Challenge |

Account sharing leans on devices, not fingerprints, and the goal is to convert the extra user, so point the challenge Success URL at signup. The device-cap challenge logs the extra devices out. Tune conservatively: a false sharing accusation is costly, so start loose and tighten only if you need to.

## Related

- [Access protection](/docs/v3/fundamentals/access-protection)
- [Concurrency](/docs/v3/concepts/concurrency)
- [Devices](/docs/v3/concepts/devices)