> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Set Rule

> Set a rule for a particular `visitor_id`, `browser_id`, `visitor_fingerprint`, `browser_fingerprint`, `hardware_fingerprint`, `network_fingerprint`, `cidr_block`, `asn`, or `country_code`. This is helpful in cases where you want to allow or block a specific user or fingerprint. You should be careful when setting rules for `browser_fingerprint`, `hardware_fingerprint`, or `network_fingerprint` as they can be shared across multiple users, and you could affect more users than intended.

You may not set an `ALLOW` rule for a `country_code`.

Rules are applied in the order specified above. For example, if an end user has an `ALLOW` rule set for their `visitor_id` but a `BLOCK` rule set for their `hardware_fingerprint`, they will receive an `ALLOW` verdict because the `visitor_id` rule takes precedence.

If there are conflicts between multiple `cidr_block` rules (for example, if the `ip_address` of the end user overlaps with multiple CIDR blocks that have rules set), the conflicts are resolved as follows:
- The smallest block size takes precedence. For example, if an `ip_address` overlaps with a `cidr_block` rule of `ALLOW` for a block with a prefix of `/32` and a `cidr_block` rule of `BLOCK` with a prefix of `/24`, the rule match verdict will be `ALLOW`.
- Among equivalent size blocks, `BLOCK` takes precedence over `CHALLENGE`, which takes precedence over `ALLOW`. For example, if an `ip_address` overlaps with two `cidr_block` rules with blocks of the same size that return `CHALLENGE` and `ALLOW`, the rule match verdict will be `CHALLENGE`.



## OpenAPI

````yaml POST /v1/rules/set
openapi: 3.0.3
info:
  title: Stytch API
  description: The Stytch API provides endpoints for authentication and user management.
  version: 2.1.1
  contact:
    name: Stytch Support
    url: https://stytch.com/docs
    email: support@stytch.com
servers:
  - url: https://api.stytch.com
    description: Production server
  - url: https://test.stytch.com
    description: Test server
security:
  - basicAuth: []
paths:
  /v1/rules/set:
    servers:
      - url: https://telemetry.stytch.com
    post:
      tags:
        - Fraud
      summary: Set
      description: >-
        Set a rule for a particular `visitor_id`, `browser_id`,
        `visitor_fingerprint`, `browser_fingerprint`, `hardware_fingerprint`,
        `network_fingerprint`, `cidr_block`, `asn`, or `country_code`. This is
        helpful in cases where you want to allow or block a specific user or
        fingerprint. You should be careful when setting rules for
        `browser_fingerprint`, `hardware_fingerprint`, or `network_fingerprint`
        as they can be shared across multiple users, and you could affect more
        users than intended.


        You may not set an `ALLOW` rule for a `country_code`.


        Rules are applied in the order specified above. For example, if an end
        user has an `ALLOW` rule set for their `visitor_id` but a `BLOCK` rule
        set for their `hardware_fingerprint`, they will receive an `ALLOW`
        verdict because the `visitor_id` rule takes precedence.


        If there are conflicts between multiple `cidr_block` rules (for example,
        if the `ip_address` of the end user overlaps with multiple CIDR blocks
        that have rules set), the conflicts are resolved as follows:

        - The smallest block size takes precedence. For example, if an
        `ip_address` overlaps with a `cidr_block` rule of `ALLOW` for a block
        with a prefix of `/32` and a `cidr_block` rule of `BLOCK` with a prefix
        of `/24`, the rule match verdict will be `ALLOW`.

        - Among equivalent size blocks, `BLOCK` takes precedence over
        `CHALLENGE`, which takes precedence over `ALLOW`. For example, if an
        `ip_address` overlaps with two `cidr_block` rules with blocks of the
        same size that return `CHALLENGE` and `ALLOW`, the rule match verdict
        will be `CHALLENGE`.
      operationId: api_fraud_v1_fraud_rules_Set
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/api_fraud_v1_fraud_rules_SetRequest'
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/api_fraud_v1_fraud_rules_SetResponse'
        '400':
          description: Bad request
        '401':
          description: Unauthorized
          content:
            application/json:
              example:
                status_code: 401
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: unauthorized_credentials
                error_message: Unauthorized credentials.
                error_url: https://stytch.com/docs/api/errors/401
        '429':
          description: Too Many Requests
          content:
            application/json:
              example:
                status_code: 429
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: too_many_requests
                error_message: Too many requests have been made.
                error_url: https://stytch.com/docs/api/errors/429
        '500':
          description: Internal server error
          content:
            application/json:
              example:
                status_code: 500
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: internal_server_error
                error_message: >-
                  Oops, something seems to have gone wrong, please reach out to
                  support@stytch.com to let us know what went wrong.
                error_url: https://stytch.com/docs/api/errors/500
      x-code-samples:
        - lang: csharp
          label: C#
          source: |-
            // POST /v1/rules/set
            const stytch = require('stytch');

            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });

            const params = {
              action: CHALLENGE,
              visitor_id: "visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72",
              expires_in_minutes: 120,
            };

            client.Fraud.Rules.Set(params)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: go
          label: Go
          source: "// POST /v1/rules/set\npackage main\n\nimport (\n\t\"context\"\n\t\"log\"\n\n\t\"github.com/stytchauth/stytch-go/v18/stytch/consumer/fraud\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/consumer/fraud/rules\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/consumer/stytchapi\"\n)\n\nfunc main() {\n\tclient, err := stytchapi.NewClient(\n\t\t\"${projectId}\",\n\t\t\"${secret}\",\n\t)\n\tif err != nil {\n\t\tlog.Fatalf(\"error instantiating client: %v\", err)\n\t}\n\n\tparams := &rules.SetParams{\n\t\tAction:           fraud.RuleActionCHALLENGE,\n\t\tVisitorID:        \"visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72\",\n\t\tExpiresInMinutes: 120,\n\t}\n\n\tresp, err := client.Fraud.Rules.Set(context.Background(), params)\n\tif err != nil {\n\t\tlog.Fatalf(\"error in method call: %v\", err)\n\t}\n\n\tlog.Println(resp)\n}\n"
        - lang: java
          label: Java
          source: |-
            // POST /v1/rules/set
            package com.example;

            import com.stytch.java.common.StytchResult;
            import com.stytch.java.consumer.models.fraud.RuleAction;
            import com.stytch.java.consumer.models.fraudrules.SetRequest;
            import com.stytch.java.consumer.StytchClient;

            public class Main {
                public static void main(String[] args) {
                    StytchClient.configure("${projectId}", "${secret}");

                    SetRequest params = new SetRequest();
                    params.setAction(RuleAction.CHALLENGE);
                    params.setVisitorId("visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72");
                    params.setExpiresInMinutes(120);

                    Object result = StytchClient.getFraud().getRules().set(params);
                    if (result instanceof StytchResult.Success) {
                      System.out.println(((StytchResult.Success) result).getValue());
                    } else {
                      System.out.println(((StytchResult.Error) result).getException());
                    }
                }
            }
        - lang: kotlin
          label: Kotlin
          source: |
            // POST /v1/rules/set
            package com.example

            import com.stytch.java.consumer.StytchClient
            import com.stytch.java.consumer.models.fraud.RuleAction
            import com.stytch.java.consumer.models.fraudrules.SetRequest

            fun main() {
                StytchClient.configure(
                    projectId = "${projectId}",
                    secret = "${secret}",
                )

                when (
                    val result =
                        StytchClient.fraud.rules.set(
                            SetRequest(
                                action = RuleAction.CHALLENGE,
                                visitorId = "visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72",
                                expiresInMinutes = 120,
                            ),
                        )
                ) {
                    is StytchResult.Success -> println(result.value)
                    is StytchResult.Error -> println(result.exception)
                }
            }
        - lang: javascript
          label: Node.js
          source: |-
            // POST /v1/rules/set
            const stytch = require('stytch');

            const client = new stytch.Client({
              project_id: '${projectId}',
              secret: '${secret}',
            });

            const params = {
              action: "CHALLENGE",
              visitor_id: "visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72",
              expires_in_minutes: 120,
            };

            client.fraud.rules.set(params)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: php
          label: PHP
          source: |-
            $response = $client->fraud->rules->set([
                'action' => 'CHALLENGE',
                'visitor_id' => 'visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72',
                'expires_in_minutes' => 120,
            ]);
        - lang: python
          label: Python
          source: |
            # POST /v1/rules/set
            from stytch import Client
            from stytch.consumer.models.fraud import RuleAction

            client = Client(
                project_id="${projectId}",
                secret="${secret}",
            )

            resp = client.fraud.rules.set(
                action=RuleAction.CHALLENGE,
                visitor_id="visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72",
                expires_in_minutes=120,
            )

            print(resp)
        - lang: ruby
          label: Ruby
          source: |-
            # frozen_string_literal: true

            # POST /v1/rules/set
            require 'stytch'

            client = Stytch::Client.new(
              project_id: "${projectId}",
              secret: "${secret}"
            )

            resp = client.fraud.rules.set(
              action: "CHALLENGE",
              visitor_id: "visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72",
              expires_in_minutes: 120
              
            )

            puts resp
        - lang: rust
          label: Rust
          source: |-
            // POST /v1/rules/set
            use stytch::consumer::client::Client;
            use stytch::consumer::fraud_rules::SetRequest;
            use stytch::consumer::fraud::RuleAction;

            fn main() {
                let client = Client::new("${projectId}", "${secret}").unwrap();
                let resp = client.fraud.rules.set(
                    SetRequest{
                        action: RuleAction::CHALLENGE,
                        visitor_id: Some(String::from("visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72")),
                        expires_in_minutes: 120,
                        ..Default::default()
                    }
                ).await;
                println!("The response is {:?}", resp);
            }
        - lang: bash
          label: cURL
          source: |-
            # POST /v1/rules/set
            curl --request POST \
              --url https://telemetry.stytch.com/v1/rules/set \
              -u '${projectId}:${secret}' \
              -H 'Content-Type: application/json' \
              -d '{
                "action": "CHALLENGE",
                "visitor_id": "visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72",
                "expires_in_minutes": 120
              }'
components:
  schemas:
    api_fraud_v1_fraud_rules_SetRequest:
      type: object
      properties:
        action:
          $ref: '#/components/schemas/api_fraud_v1_RuleAction'
          description: >-
            The action that should be returned by a fingerprint lookup for that
            identifier with a `RULE_MATCH` reason. The following values are
            valid: `ALLOW`, `BLOCK`, `CHALLENGE`, or `NONE`. For country codes,
            `ALLOW` actions are not allowed. If a `NONE` action is specified, it
            will clear the stored rule.
        visitor_id:
          type: string
          description: >-
            The visitor ID we want to set a rule for. Only one identifier can be
            specified in the request.
        browser_id:
          type: string
          description: >-
            The browser ID we want to set a rule for. Only one identifier can be
            specified in the request.
        visitor_fingerprint:
          type: string
          description: >-
            The visitor fingerprint we want to set a rule for. Only one
            identifier can be specified in the request.
        browser_fingerprint:
          type: string
          description: >-
            The browser fingerprint we want to set a rule for. Only one
            identifier can be specified in the request.
        hardware_fingerprint:
          type: string
          description: >-
            The hardware fingerprint we want to set a rule for. Only one
            identifier can be specified in the request.
        network_fingerprint:
          type: string
          description: >-
            The network fingerprint we want to set a rule for. Only one
            identifier can be specified in the request.
        expires_in_minutes:
          type: integer
          format: int32
          description: >-
            The number of minutes until this rule expires. If no
            `expires_in_minutes` is specified, then the rule is kept
            permanently.
        description:
          type: string
          description: An optional description for the rule.
        cidr_block:
          type: string
          description: >-
            The CIDR block we want to set a rule for. You may pass either an IP
            address or a CIDR block. The CIDR block prefix must be between 16
            and 32, inclusive. If an end user's IP address is within this CIDR
            block, this rule will be applied. Only one identifier can be
            specified in the request.
        country_code:
          type: string
          description: >-
            The country code we want to set a rule for. The country code must be
            a valid ISO 3166-1 alpha-2 code. You may not set `ALLOW` rules for
            country codes. Only one identifier can be specified in the request.
        asn:
          type: string
          description: >-
            The ASN we want to set a rule for. The ASN must be the string
            representation of an integer between 0 and 4294967295, inclusive.
            Only one identifier can be specified in the request.
      description: Request type
      required:
        - action
    api_fraud_v1_fraud_rules_SetResponse:
      type: object
      properties:
        request_id:
          type: string
          description: >-
            Globally unique UUID that is returned with every API call. This
            value is important to log for debugging purposes; we may ask for
            this value to help identify a specific API call when helping you
            debug an issue.
        action:
          $ref: '#/components/schemas/api_fraud_v1_RuleAction'
          description: The action that will be returned for the specified identifier.
        status_code:
          type: integer
          format: int32
          description: >-
            The HTTP status code of the response. Stytch follows standard HTTP
            response status code patterns, e.g. 2XX values equate to success,
            3XX values are redirects, 4XX are client errors, and 5XX are server
            errors.
        visitor_id:
          type: string
          description: The visitor ID that a rule was set for.
        browser_id:
          type: string
          description: The browser ID that a rule was set for.
        visitor_fingerprint:
          type: string
          description: The visitor fingerprint that a rule was set for.
        browser_fingerprint:
          type: string
          description: The browser fingerprint that a rule was set for.
        hardware_fingerprint:
          type: string
          description: The hardware fingerprint that a rule was set for.
        network_fingerprint:
          type: string
          description: The network fingerprint that a rule was set for.
        expires_at:
          type: string
          description: >-
            The timestamp when the rule expires. Values conform to the RFC 3339
            standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
        cidr_block:
          type: string
          description: >-
            The CIDR block that a rule was set for. If an end user's IP address
            is within this CIDR block, this rule will be applied.
        country_code:
          type: string
          description: The country code that a rule was set for.
        asn:
          type: string
          description: The ASN that a rule was set for.
      required:
        - request_id
        - action
        - status_code
    api_fraud_v1_RuleAction:
      type: string
      enum:
        - ALLOW
        - CHALLENGE
        - BLOCK
        - NONE
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic

````