Documentation / Drop Configuration
Policy Rules Reference
Detailed reference for every rule available in a FairDrop V1 policy. For a step-by-step setup guide, see Creating a Policy.
Rule overview
| Rule | What it checks | Status | Bypass risk |
|---|---|---|---|
| Account required | Whether the buyer is signed in to a Shopify customer account | Active | Very low |
| VIP tags | Whether the buyer's account has any of the selected tags (OR semantics) | Active | Very low |
| Quantity cap | Whether the cart contains more protected units than the configured limit | Active | Very low |
| Passkey verification | Whether the buyer has completed a biometric challenge on your storefront | Active | Low |
| Discount codes | Whether a redeemed discount code is attached to this policy | V2 enforcement | n/a |
All active rules are enforced by Shopify's checkout engine — not the storefront, not the browser. A buyer who doesn't meet an active rule cannot complete checkout regardless of how they reached it.
Understanding bypass risk
Very low
The rule runs inside Shopify Functions, server-side. It cannot be bypassed by scripts, browser automation, or API calls. The buyer must meet the condition — there is no client-side gate to work around.
Low
Passkey verification runs a client-side challenge before checkout, so a technically sophisticated buyer who completes checkout via direct API call (without a storefront) would bypass the challenge. The account-required rule still applies.
V2 roadmap