diff --git a/crates/handlers/src/compat/login.rs b/crates/handlers/src/compat/login.rs
index 92f35914e..48ba23f9a 100644
--- a/crates/handlers/src/compat/login.rs
+++ b/crates/handlers/src/compat/login.rs
@@ -594,7 +594,7 @@ async fn token_login(
             user: &browser_session.user,
             login: CompatLogin::Token,
             session_replaced,
-            session_counts,
+            session_counts: &session_counts,
             requester,
         })
         .await?;
@@ -730,7 +730,7 @@ async fn user_password_login(
             user: &user,
             login: CompatLogin::Password,
             session_replaced,
-            session_counts,
+            session_counts: &session_counts,
             requester: policy_requester,
         })
         .await?;
@@ -781,7 +781,7 @@ async fn user_password_login(
                         let mut sessions_removed = 0;
                         for edge in compat.edges {
                             let (compat_session, _) = edge.node;
-                            let compat_session =
+                            let _compat_session =
                                 repo.compat_session().finish(clock, compat_session).await?;
                             sessions_removed += 1;
                         }
diff --git a/crates/handlers/src/compat/login_sso_complete.rs b/crates/handlers/src/compat/login_sso_complete.rs
index df059cd36..0e93edafd 100644
--- a/crates/handlers/src/compat/login_sso_complete.rs
+++ b/crates/handlers/src/compat/login_sso_complete.rs
@@ -123,7 +123,7 @@ pub async fn get(
             // We don't know if there's going to be a replacement until we received the device ID,
             // which happens too late.
             session_replaced: false,
-            session_counts,
+            session_counts: &session_counts,
             requester: mas_policy::Requester {
                 ip_address: activity_tracker.ip(),
                 user_agent,
@@ -268,7 +268,7 @@ pub async fn post(
             login: CompatLogin::Sso {
                 redirect_uri: login.redirect_uri.to_string(),
             },
-            session_counts,
+            session_counts: &session_counts,
             // We don't know if there's going to be a replacement until we received the device ID,
             // which happens too late.
             session_replaced: false,
diff --git a/crates/policy/src/model.rs b/crates/policy/src/model.rs
index a3bf24b5f..68ef49195 100644
--- a/crates/policy/src/model.rs
+++ b/crates/policy/src/model.rs
@@ -202,7 +202,7 @@ pub struct CompatLoginInput<'a> {
     pub user: &'a User,
 
     /// How many sessions the user has.
-    pub session_counts: SessionCounts,
+    pub session_counts: &'a SessionCounts,
 
     /// Whether a session will be replaced by this login
     pub session_replaced: bool,