Shopify's native quantity limit resets with every new checkout. Place an order at the limit, complete it, start another — and the counter is back to zero. For limited drops, this is the single biggest gap in Shopify's order management. Resellers know it. Bots know it. Merchants discover it the hard way, usually right after a drop sells out in five minutes to the same three people.
This piece explains what "per checkout" really means in practice, why Shopify's native limit works that way, which apps in the order-limits category enforce true per-customer rules, and how cross-order tracking actually works.
Already know you need per-customer limits and want the setup steps? Skip to the per-customer order limits guide for the configuration walkthrough. This piece is the conceptual explainer behind it.
The Problem: Shopify's Native Limit Resets Per Checkout
Shopify lets you set a per-product purchase limit — for example, "maximum 2 per order." That rule is attached to the product or variant and validated when the cart is built. As long as a single checkout has 2 or fewer of that item, the order proceeds. When the order completes, the customer can start a new checkout. The product still allows 2 per order. So they buy 2 more.
There is no built-in cross-checkout aggregation. Shopify's checkout layer has access to the current cart, the current customer (if logged in), and the products in the cart. It does not, by default, have access to "how many of this product has this customer bought in the last 30 days." That information lives in the orders table — which Shopify does not query during checkout validation.
This isn't a bug. Shopify's native limit was designed for inventory protection and high-volume safety: stop the cart from accepting 10,000 units at once. It was never designed as an anti-reseller feature.
What "Per Checkout" Means in Practice — A Reseller's Playbook
If you sell limited drops on Shopify with the native limit of "2 per order," here is the playbook a reseller runs:
- 9:59 AM — drop announced for 10:00 AM
- 10:00:00 — opens product page, adds 2 to cart, checks out, pays
- 10:00:45 — same browser, opens product page again, adds 2, checks out, pays
- 10:01:30 — third checkout, same drill
- 10:02:15 — fourth checkout
- 10:03:00 — fifth checkout
In three minutes, one person bought 10 units of a drop that was supposed to be "2 per customer." Same Shopify customer account. Same email. Same shipping address. Same credit card. The native limit fired correctly on each checkout — and let all five through. By the time the genuine fan refreshes their browser at 10:05, the drop is sold out.
Community threads from sneaker drops, streetwear releases, and collectible launches document this pattern repeatedly. The merchant frustration is universal: "I set 2 per customer, why did one customer buy 10?" The answer is that the rule said "2 per checkout," not "2 per customer."
What "Per Customer" Means — Tracking Across Orders
A per-customer limit caps the cumulative purchase total for a single shopper, across all their orders, over a configured time period. The rule is no longer "2 per checkout" — it's "2 per customer per drop" or "2 per customer ever" or "1 per customer per week."
For this to work, the app has to do three things Shopify's native limit doesn't:
- Identify the customer across multiple checkouts, including guest checkouts on the same email
- Maintain a ledger of how many units each customer has purchased over the configured period
- Validate against the ledger at every checkout — server-side, so it can't be bypassed by direct checkout URLs
This is the architectural difference between a per-checkout app and a per-customer app. It is also why most order-limit apps are per-checkout: they integrate with Shopify's existing per-product validation and never maintain a customer ledger.
Which Shopify Apps Are Per-Checkout vs Per-Customer
Of the major Shopify order limit apps, only a small subset enforce true per-customer limits at the checkout layer. The breakdown:
| App | Per-Customer Enforcement | Notes |
|---|---|---|
| OrderRules | Yes — at checkout via Shopify Functions | Customer ID + email + address fingerprint. Optional strict login. |
| DC Customer Order Limits | Yes — at checkout | Lifetime limits and Shopify Flow integration. $14/mo Pro pricing. |
| KOR Order Limits | Tag-based only (Pro plan) | Requires manual customer tagging — weaker than ledger-based tracking. |
| Avada Order Limits | No — per-checkout only | Largest install base, but doesn't track across orders. |
| MinMaxify | No — per-checkout only | Per-product min/max — same gap as native. |
| MinCart | No — per-checkout only | Cart-level rules, no customer ledger. |
| Pareto Order Limits | No — per-checkout only | Free plan, basic per-product rules. |
| LIMITER (MageComp) | No — per-checkout only | Annual billing, only 3 reviews. |
See the full hub comparison of Shopify order limit apps for ratings, pricing, and use-case recommendations across all eight. For the dedicated comparison of the two apps that do enforce per-customer limits, see OrderRules vs DC Customer Order Limits.
There is also a category of niche, single-purpose apps — Limit Once (Wandelic) and UR: Limit 1 Item Per Customer (UnReact) — that handle the per-customer rule type but only the per-customer rule type. They cover one drop, on one product, with one rule. For anything more complex, they're a dead end.
The Three Ways Per-Customer Limits Are Identified
When an app says it enforces per-customer limits, the next question is: how does it know the customer? The answer determines how bypass-proof the rule is.
Shopify Customer ID — for logged-in shoppers, the customer ID is the strongest identifier. It cannot be spoofed by clearing cookies, switching browsers, or using incognito mode. A customer who logs in is uniquely identified, and OrderRules' ledger keys off this ID first.
Email address — for guest checkouts, the email entered at checkout is the next-strongest identifier. A reseller running multiple guest checkouts on the same email gets caught by the ledger. The bypass is using different emails per checkout — which is easy enough to be a real concern for adversarial drops.
Shipping address fingerprint — even with different emails, repeat orders to the same shipping address are detectable. OrderRules computes a normalized address fingerprint and uses it as a tertiary identifier. This catches the "10 fake email accounts, all shipping to the reseller's apartment" pattern.
For ordinary use cases (bakery daily caps, B2B account spending limits, replenishable product per-month rules), the customer ID + email combination catches 95%+ of cases without forcing login. For adversarial use cases (sneaker drops, collectibles, scalper-bait products), strict login mode is the right call — see the anti-scalping playbook for the full threat model.
Why Guest Checkout Breaks Per-Customer (and How to Fix It)
The most common source of "the per-customer limit didn't work" complaints is guest checkout abuse. A reseller using different email addresses on each guest checkout looks like a different person every time — unless the app also tracks address fingerprint or forces login.
OrderRules handles this two ways:
- Email + shipping address fingerprint (default) — catches multi-email orders to the same address. Adequate for most use cases.
- Strict login mode (optional) — blocks guest checkout entirely for products under per-customer rules. Customer must sign in. The customer ID becomes the source of truth, and email/address tracking is no longer the primary defense. This is the right setting for limited drops, exclusive collections, and any scenario where reseller arbitrage is the dominant threat.
DC Customer Order Limits offers similar behavior on its Pro tier. The remaining per-checkout-only apps do not have a meaningful answer here — by design, they don't track across orders, so guest checkout is irrelevant to them.
When Per-Checkout Is Actually OK
Not every limit needs to be per-customer. For some use cases, per-checkout is appropriate and per-customer is overkill:
- Inventory safety caps — "maximum 100 of this SKU per order" to prevent accidental bulk orders. Per-checkout is the right rule.
- B2B case-pack quantities — "must order in multiples of 6" or "minimum 12 per SKU." Per-checkout is fine because the rule is about the order shape, not the customer history.
- MOQ for wholesale — "$500 minimum cart total." Per-checkout makes sense — the rule is on cart total, not per buyer.
The decision point is whether the rule cares about who is buying or what is in the cart. If "who" matters, you need per-customer. If only "what" matters, per-checkout is sufficient.
Setting Up True Per-Customer Limits on OrderRules
The configuration steps are documented in the per-customer order limits guide, but the short version:
- Install OrderRules from the Shopify App Store
- Go to Customer Limits and create a rule
- Pick the limit type — order count, total quantity, or total spend
- Pick the period — daily, weekly, monthly, yearly, or lifetime
- For adversarial drops, enable strict login mode
- Test with a draft order — place one at the limit, then try a second
The enforcement happens through Shopify Functions, which validates checkout server-side. Shop Pay, Apple Pay, Google Pay, and direct checkout URLs all hit the same validation — meaning there's no client-side bypass. For the technical detail on how Shopify Functions checkout validation works, see how OrderRules uses checkout validation functions.
The Bottom Line
If your problem is "one person bought 10 of something I set to 2 per order," the issue isn't that your limit failed — it's that you set a per-checkout rule when you needed a per-customer rule. Shopify's native limit is per-checkout. Most order-limit apps are per-checkout. Only OrderRules and DC Customer Order Limits enforce true per-customer limits at the checkout layer.
For limited drops, anti-reseller setups, exclusive releases, and any product where fair distribution is part of the brand promise, per-customer is the rule type that matches the merchant intent. For everything else — inventory caps, B2B case packs, cart minimums — per-checkout is fine.
Want to see the full app-by-app breakdown? Read the Shopify order limit apps comparison hub. For the dedicated comparison between the two apps that enforce per-customer at checkout, see OrderRules vs DC Customer Order Limits. And for the broader anti-scalping framework that uses per-customer limits as one layer of defense, see the anti-scalping guide.