What is to stop someone sharing their app user id with a friend and so gaining the entitlements? In other words, how do we know whether it’s the same user legitimately using the app on a second device, or a different user illegitimately user the app on their device?
This is quite complicated to achieve and not something that RevenueCat is intended for or supports at this time. Some companies automatically log you out of your old device once you log into a new device. Other's try to achieve similar based on location - if you seemingly time traveled 80 miles in 3 minutes, one of the devices is logged out etc. This would be something implemented on your own login system level.
So if the app does not have the functionality (e.g. does not have its own backend) to make such checks, then it would be better the user does not know the app user id?
Maybe one way would be to make the user login to something like Google Sign In and then force that to be part (e.g. prefix) of the custom app user id?
Any update on this please?
My first idea for a strategy is to get the user to sign into their Google account (Google Sign In) and then use their email address as the App User ID. Is that a good approach?
Also, would there be any benefit to appending some kind of token suffix?
Reply
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.