Disable Brute Force Protection

My app is composed of an API, web app, and a mobile app. All authentication happens through our API, therefore our clients are never communicating with Auth0 directly. This means ALL API requests come to Auth0 from the same IP address. We are having issues with brute force protection temporarily blocking our API’s IP address and affecting our entire application.

What options do we have?

Hi @tim.gabrhel,

You can whitelist the IP address of your API in the Brute-force Protection settings page in your tenant:

This should resolve your immediate issue, however I would recommend reviewing if any mitigation may be required in your app with your API’s IP address being whitelisted, such as failed login attempt back off times or the use of captchas after so many failed login attempts from the same IP address

Thanks @andy.carter,

This UX was misleading me. The warning of the purchase is only specific to the Breached-password Detection, not Brute-force protection. That warning prevented me from ever enabling Brute-force protection to see the settings.

1 Like

Thanks for that feedback! I’ll relay that to our dashboard team!