Users receive a blocked warning after 10 failed login attempts, but they do not exist in auth0.
Brute force triggers all failed attempts regardless of whether the user exists.
Use the Auth0 Management API’s Get blocks by identifier endpoint (Auth0 Management API v2) to retrieve the blocks for the given identifier. In this case, the user’s email is sufficient.
An example GET request should look like
If you find the block, you can unblock the user by using the Management API’s Unblock by identifier endpoint (Auth0 Management API v2) by sending the identifier.