Crossdeck University
Docs Start free
Watch — why Crossdeck refuses to guess when humans collide Film in production
0:00 / 0:00
Lesson 4 of 4 · Prove it

Resolve a conflict — your call, not ours

When a sign-in clearly belongs to the same person, Crossdeck merges it automatically. But when two signals could be two different humans sharing a device, it refuses to guess — and puts the decision in front of you.

4 min Concepts · Dashboard

When you're done: you understand why the safe merge is automatic and the ambiguous one is always yours.

1 The problem

Two signals, maybe two people

When you call identify(userId, anonymousId), two things resolve. The userId is the person who just signed in. The anonymousId is the device that was browsing before they did — and that device may already carry a Stripe or Apple subscription someone paid for anonymously. Usually that's the same human, finally logging in. But not always: a shared family iPad, a borrowed laptop, a kiosk — and now the signed-in user and the prior buyer might be two different people.

Merge them blindly and you could hand one person another's subscription. Refuse to merge at all and the real anonymous buyer signs in to find they've lost the access they paid for. Both failures are unacceptable, so the answer can't be a single blunt rule.

2 How Crossdeck decides

Automatic when safe, your call when it isn't

Crossdeck runs the conflict through a deliberately conservative classifier. When the evidence clearly says "same person," it auto-merges — folding the anonymous purchase onto the signed-in user the same bank-grade way Apple already folds its own equivalent conflict, so the buyer keeps the access they paid for, instantly.

But the moment the two sides could be two different humans sharing a device, the classifier stops. It does not merge on a maybe. It routes the conflict to human review and surfaces it for you to decide — because a wrong auto-merge is far more damaging than a short wait, and only you know your customers.

3 Why it's built this way

The expensive default is the right one

The first draft of this logic was more aggressive — and an adversarial review found it had catastrophic false-merge holes, the kind that quietly leak one customer's paid subscription to another. The fix was to make the classifier err, always, toward caution: auto-merge only the cases that are provably one person, and treat everything else as a decision a human has to make.

That's the philosophy behind the whole "Prove it" course in one feature. Crossdeck won't silently do the dangerous thing and hope you don't notice. When it's certain, it acts; when it isn't, it tells you and waits. The merge of two human identities is your call, not ours — and the system is engineered to keep it that way.

4 Why this is the moat

A refusal you can trust

Plenty of platforms merge identities automatically and you only find out it went wrong when two customers complain. Crossdeck's edge is restraint: the safe merge is instant, and the ambiguous one is queued for you, visibly, instead of being guessed. A pending conflict isn't a gap in the product — it's the product protecting two customers from each other.

app.cross-deck.com · people · identity conflicts
review · your decision

A shared-device sign-in held for review instead of merged — the signed-in user and the anonymous buyer both protected until you call it.

Open People to review conflicts

On identify(userId, anonymousId), a conservative classifier auto-merges only when it's provably the same person — folding an anonymous purchase onto the signed-in user instantly. When the two sides could be different humans on one device, it refuses to guess and routes the conflict to human review. The merge of two identities is your call, by design. That's Prove it, complete.