What is to stop someone sharing their app user id with a friend and so gaining the entitlements? In other words, how do we know whether it’s the same user legitimately using the app on a second device, or a different user illegitimately using the app on their device?
This is quite complicated to achieve and not something that RevenueCat is intended for or supports at this time. Some companies automatically log you out of your old device once you log into a new device. Others try to achieve similar based on location - if you seemingly time traveled 80 miles in 3 minutes, one of the devices is logged out etc. This would be something implemented on your own login system level.
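The two checks described in the reply above, as an added example that is not RevenueCat code and not part of any post in this thread: a sketch of what an app's own login backend could run on each sign-in. It assumes the backend has an approximate location per login (for example from GeoIP); the class and function names and the 600 mph threshold are hypothetical.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 600.0  # assumed threshold, roughly airliner cruising speed

@dataclass
class Login:
    device_id: str
    ts: float   # Unix time in seconds
    lat: float  # approximate latitude (assumed to come from GeoIP)
    lon: float  # approximate longitude

def miles_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two logins, in miles."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

class SessionPolicy:
    """One active device per app user id; the newest login wins."""

    def __init__(self):
        self.active = {}  # app_user_id -> most recent Login

    def on_login(self, app_user_id: str, new: Login):
        """Record the login and return (decision, device_id_to_log_out)."""
        prev = self.active.get(app_user_id)
        self.active[app_user_id] = new
        if prev is None or prev.device_id == new.device_id:
            return ("allow", None)
        # Clamp the interval so identical or out-of-order timestamps
        # cannot cause a division by zero.
        hours = max(abs(new.ts - prev.ts), 1.0) / 3600.0
        mph = miles_between(prev, new) / hours
        if mph > MAX_PLAUSIBLE_MPH:
            # Two devices too far apart for one person: log out the old
            # device and flag the account for review.
            return ("impossible_travel", prev.device_id)
        # Plausible move to a second device: still log out the old one.
        return ("device_switch", prev.device_id)
```

GeoIP coordinates are coarse and shift with VPNs and mobile carriers, so the speed check works better as a signal for review than as proof of sharing.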
So if the app does not have the functionality (e.g. does not have its own backend) to make such checks, then it would be better if the user does not know the app user id?
Maybe one way would be to make the user log in to something like Google Sign In and then force that to be part (e.g. prefix) of the custom app user id?