First 60 minutes after buying an OSRS account: my 2026 playbook
The exact order I tell buyers to lock down a new OSRS account: email, password, Authenticator, bank PIN. Plus the post-purchase trade rule that gets ignored most often.
Five steps, done in this order, finished inside the first hour: change the recovery email, change the password, add the RuneScape Authenticator, set a bank PIN with the 7-day delay, then leave the account alone in terms of trades for at least a month. The order is the thing most buyers get wrong, and a couple of the steps people skip are the ones that decide whether the account is yours in a week.
This is what I tell every buyer who DMs me asking "what now," written out properly so I can link to it instead of typing it ten times a day. None of it is specific to buying from me. It applies whether you bought a tutorial-island account, a 60 melee, or a near-max main, and whether you bought it here, on Sythe, or off Eldorado.
Why the order matters
The shape of the risk is that someone other than you can still recover the account during the handover window. Two threats: the original seller doing a scam-recover (rare with a vouched shop, common in DM deals), or a hijacker who already had the credentials from somewhere upstream of you.
Both threats route through whichever recovery channels are still pointed at someone else's inbox or phone. The email is the deepest hook. Authenticator and bank PIN sit on top of it. If you enable the Authenticator first and leave the old email in place, the seller can just click "disable authenticator" and the disable confirmation lands in their inbox. The OSRS Wiki RuneScape Authenticator page spells this out: "Jagex sends an email" to the registered address when an Authenticator disable is requested. Email first or the rest of the stack does not hold.
Step 1: change the recovery email
Open account.jagex.com, log in with the credentials you were given, and change the email to one you own and the seller has never seen. Ideally a brand-new mailbox you set up specifically for OSRS, with 2FA on the inbox itself. Gmail and ProtonMail both work.
A few notes on this step:
- Jagex's official Change email address article is the canonical flow. The page doesn't document a hard cooldown between email changes, despite the "72-hour rule" you'll see repeated on Sythe. The 72-hour figure is folklore, not Jagex policy.
- Use an email you'll still have access to in a year. The single worst version of a hijacked account is the buyer not being able to prove ownership because the email they set during purchase was a burner they lost.
- Don't reuse the email tied to any of your other Jagex accounts. If Jagex ever decides one of your accounts has broken the rules, the shared email is the rope that drags the others in.
Step 2: change the password
Generate a unique strong password (a password manager is fine, as long as the manager itself is not on a list of past breaches). Don't reuse anything from your other accounts. Don't share it back to the seller for any reason. A surprising number of recovery scams go "hey something's wrong with your authenticator, can you send me the new password so I can check?" No.
Step 3: add the RuneScape Authenticator
Inside the Jagex Account settings, enable two-step authentication and scan the QR code with Google Authenticator, Authy, or any TOTP app. Two follow-ups that matter:
- Generate the 10 backup codes Jagex offers and save them offline. Print them, or stash them in a password vault that lives off your main machine. Per Jagex's two-step auth article, losing access to both the Authenticator and the backup codes leaves you in a "contact support" loop, and support's appeal track is weeks long.
- If the account already had an Authenticator set by the seller, disable theirs first using your now-verified email, then enable yours from a clean state. Do not just "trust" that the seller disabled it before delivery. Verify in settings.
The Authenticator step is the one that makes a stolen credential useless on its own. After this step, anybody trying to log in needs your TOTP app or your backup codes. Email reset paths are gated by 2FA on the email side. The recovery surface shrinks to basically zero for everything except a Jagex-side appeal.
Step 4: set a bank PIN with the 7-day delay
Walk into a bank in-game and ask the banker to set a PIN. Per the OSRS Wiki Bank PIN page, the bank treats a new PIN as pending for 7 days before it activates, and removing or changing an existing PIN runs a 3-day or 7-day recovery delay depending on the option you pick.
The point of the pending window is that if someone else hijacks the account during the gap, they hit a wall at the bank for a full week even if they get through the login layer. Most account hijackers don't have that kind of patience. They move on to easier targets.
Pick a PIN that isn't your phone PIN, your birthday, or four consecutive digits. The "1234" attempt rate is non-trivial.
Step 5: the post-purchase trade rule
This is the step buyers skip, and skipping it is what actually triggers Jagex's RWT detection on a clean account.
Don't accept GP, items, or "drop parties" from random players for the first 30 days. Don't run gold swap services on the account. Don't take a 50M transfer from someone in your clan because they're being nice. Jagex's detection sweeps look at the trade graph: a fresh ownership pattern (different IP, different login time, different play hours) combined with a sudden inbound transfer from a flagged trader is the bowl-and-spoon of buyer-side RWT bans.
The danger here is delayed. There's a recurring r/2007scape pattern where buyers got hit with bans weeks after the transfer that caused it. The buyer often had no idea who they took GP from. Jagex doesn't care: the trade record is the trade record, and the burden of "I didn't know they were a real-world trader" doesn't shift back from the receiver.
For a clean first month, the safe rule is: only trade with players you know, only buy GE items at GE prices, and don't accept anything that wasn't part of a transaction you initiated.
The five steps as a table
| Step | What it locks down | Time to set | Why this order |
|---|---|---|---|
| Email | Deepest recovery channel | 5 min | If old email still set, seller can disable everything below |
| Password | Direct login access | 1 min | Useless without 2FA but cheap insurance |
| Authenticator | All login attempts | 5 min | Needs the new email verified above it |
| Bank PIN (7-day delay) | Wealth in the bank | 2 min in-game | Pending window covers hijack-during-handover |
| Trade discipline (30 days) | RWT flag | Ongoing | This is the one that's not technical |
The whole stack takes about 15 minutes plus a walk to a banker in-game. The 30-day trade rule is the only one with a calendar duration, and it's the only one where the failure mode is the new owner doing something wrong rather than the old owner doing something sneaky.
Two common mistakes
Trying to "recover" the account yourself via Jagex's appeal flow. Some buyers see an unfamiliar email or Authenticator on the account and panic-submit a recovery request, hoping Jagex will reset everything to them. This actively flags the account for review. The appeal endpoint is designed for hijack victims and Jagex's reviewers will ask for purchase history and creator-side evidence you do not have. Set the account up the way you'd set up a fresh one, through the normal settings panel. Not through the appeal flow.
Logging in from an obviously different country without warming the IP first. Less of an issue post Jagex-Launcher migration than it used to be, but worth knowing: if the seller was on US East and you're in Manchester, expect Jagex to throw an email-verification challenge the first time you log in. That's not a problem, it just needs the new email you set in step 1 to be working. If you skipped step 1 and the verification email lands in the seller's inbox, the account is gone.
The replacement-guarantee note
One thing this guide doesn't cover, because the moment you take ownership it's your account: bans for things you do after purchase are not on the seller. My replacement guarantee covers Jagex bans where the cause predates the sale (a tutorial-island detection that catches up a week later, for example). Anything that happens after the credentials are handed over runs through the post-purchase playbook above, not through me. The full conditional terms are on the FAQ page.
If you bought from me and the original credentials are still on file, they're retrievable from your orders page indefinitely. So you can change the live email, live password, and live Authenticator in steps 1-3 above, harden the account properly for daily use, and still have the original delivery on record if you ever need to make a replacement claim.
What to do next
The whole point of doing this in the first hour is that the most common failure modes are time-windowed. A seller's recovery window shrinks every minute the credentials they remember are no longer live. Jagex's "different IP same account" review trigger gets less sensitive once the new pattern is the consistent pattern.
If you came here from the safety guide and you're now done with both posts, the accounts in stock right now are on the home page. Crypto checkout is the default, Stripe is there if you'd rather. Delivery is automated, credentials land on your order page the moment payment confirms, and you can run the playbook above before the kettle boils.