Brute-Force Unblock Link in Emails Consumed by Security Scanners

Problem statement

There is an issue with the emails that are being sent when an account is blocked by Brute-Force Protection. Auth0 sends an email to the user whose account has been blocked, but when the user clicks on the unblock link in the email, they will get this error:

`The URL can be used only once.`

Symptoms

Users see an error page when they click on the unblock link they receive in the email that’s triggered by Brute-Force Protection. However, if you check the user profile, the account was unblocked.

Steps to reproduce

The steps to reproduce the issue:

  1. Enable brute force protection.
  2. Trigger brute force protection as a test user.
  3. Use the unblock link sent to their email.
  4. Because Safelinks or a similar email security feature has already followed the link, the email client has consumed it, and you get the “The URL can be used only once” error page.

The user is already unblocked.

Cause

Third-party email security scanning software (such as Safelinks) is activating the link before the user clicks it.

Solution

There is currently no workaround for this particular issue. Make sure there isn’t a service that opens the unblock link before the user does. As of February 2024, a GET request consumes the link. Please leave feedback with our product team if you want the links to be consumed only by POST requests.
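To make the cause concrete, the following is an added toy model (not Auth0's code) of a single-use unblock token store in two variants: one that consumes the token on GET, as described above, and one that only renders a confirmation page on GET and consumes the token on the POST that follows. The class and function names, the `example.invalid` host and the user `alice` are constructed for the illustration.

```python
"""Toy model: why a link scanner burns a single-use unblock link when a GET
consumes the token, and why consuming it on POST instead survives the scan.
Constructed illustration, not the vendor's implementation."""
import secrets

ERROR = "The URL can be used only once."


class UnblockLinks:
    def __init__(self, consume_on_get: bool):
        self.consume_on_get = consume_on_get
        self.tokens: dict[str, str] = {}  # token -> user id
        self.blocked: set[str] = set()

    def block(self, user: str) -> str:
        """Block the user and mint the single-use unblock URL sent by mail."""
        self.blocked.add(user)
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user
        return f"https://example.invalid/unblock?t={token}"

    def _consume(self, token: str) -> str:
        user = self.tokens.pop(token, None)  # second use finds nothing
        if user is None:
            return ERROR
        self.blocked.discard(user)
        return f"{user} unblocked"

    def get(self, url: str) -> str:
        token = url.rsplit("t=", 1)[1]
        if self.consume_on_get:
            return self._consume(token)
        # Token is only checked; the page shows a form whose submit is a POST.
        return "confirm" if token in self.tokens else ERROR

    def post(self, url: str) -> str:
        return self._consume(url.rsplit("t=", 1)[1])


def scanner_prefetch(links: UnblockLinks, url: str) -> None:
    """Models a Safelinks-style scanner that GETs every URL in the message."""
    links.get(url)


def simulate(consume_on_get: bool) -> tuple[str, bool]:
    """Return (page the user finally sees, is the user still blocked?)."""
    links = UnblockLinks(consume_on_get)
    url = links.block("alice")
    scanner_prefetch(links, url)  # the scanner follows the link first
    page = links.get(url)  # then the real user clicks it
    if page == "confirm":
        page = links.post(url)  # and submits the confirmation form
    return page, "alice" in links.blocked
```

With `consume_on_get=True` the user ends up unblocked but sees the error page, exactly the symptom described; with the POST variant the scanner's GET is harmless and the user's own click performs the unblock.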
