Hello Support Team,
We are facing an issue with the Auth0 Forgot Password API being abused through what appears to be a brute-force style attack.
Currently, the API is receiving nearly 1000 requests from the same IP, which results in thousands of password reset emails being triggered. This is causing email flooding and a poor user experience.
We have already enabled Brute-Force Protection in the Auth0 Dashboard with the default configuration. However, the protection does not seem to be limiting or blocking these repeated requests as expected.
Our requirement:
We want to restrict the Forgot Password API to:
- A maximum of 3 requests per IP address within a defined time window.
- Automatically block or throttle further requests from the same IP.
Questions:
- Why is Brute-Force Protection not restricting Forgot Password API calls in this scenario?
- Is there a specific setting or rule required to enforce IP-based rate limiting for the Forgot Password endpoint?
- What is the recommended Auth0 best practice to prevent mass password reset email abuse?
Please let us know the correct configuration or any additional security controls we should apply at the Auth0 level to resolve this issue.
We appreciate your support in helping us secure this endpoint.
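The per-IP limit described in the ticket (at most 3 reset requests per source IP within a time window, further requests throttled, no email sent for the excess) written out as an application-level throttle placed in front of a forgot-password endpoint. This is an added illustration, not code from the ticket and not Auth0's implementation or configuration; `PerIpResetThrottle`, `handle_forgot_password`, `FakeClock`, the IP addresses, the email address and the 15-minute window are all constructed for the example. A throttled request gets a 429 with a `Retry-After` hint and is written to an audit list so the flood is visible to monitoring, while the response body stays the same generic text whether or not an email was sent, so the endpoint does not reveal which addresses have accounts.

```python
from collections import defaultdict, deque
import time


class PerIpResetThrottle:
    """Sliding-window throttle keyed on the caller's source IP.

    Hypothetical example: allows at most `max_requests` password-reset
    attempts per IP within `window_seconds`; anything beyond that is
    rejected before any email is triggered.
    """

    def __init__(self, max_requests=3, window_seconds=900, clock=time.monotonic):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._clock = clock
        self._hits = defaultdict(deque)  # ip -> timestamps of allowed requests

    def allow(self, ip):
        now = self._clock()
        q = self._hits[ip]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

    def retry_after(self, ip):
        """Seconds until the oldest in-window hit for this IP expires (0 if not limited)."""
        q = self._hits[ip]
        if len(q) < self.max_requests:
            return 0
        return max(0, int(self.window_seconds - (self._clock() - q[0])))


GENERIC_BODY = "If an account exists for that address, a reset email has been sent."


def handle_forgot_password(throttle, ip, email, send_reset_email, audit_log):
    """Gate the reset flow on the throttle; the body never leaks account existence."""
    if not throttle.allow(ip):
        audit_log({"event": "password_reset_throttled", "ip": ip})
        return {"status": 429, "headers": {"Retry-After": str(throttle.retry_after(ip))},
                "body": GENERIC_BODY}
    send_reset_email(email)  # only reached for requests inside the per-IP budget
    audit_log({"event": "password_reset_requested", "ip": ip})
    return {"status": 202, "headers": {}, "body": GENERIC_BODY}


class FakeClock:
    """Constructed, controllable clock so the window behaviour can be shown offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_burst(throttle, ip, email, count):
    """Replay `count` reset requests from one IP; returns (accepted, throttled, emails_sent)."""
    sent, audit = [], []
    statuses = [handle_forgot_password(throttle, ip, email, sent.append, audit.append)["status"]
                for _ in range(count)]
    return statuses.count(202), statuses.count(429), len(sent)


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    t = PerIpResetThrottle(max_requests=3, window_seconds=900, clock=clock)
    # Constructed burst resembling the ticket: ~1000 requests from one IP.
    print(simulate_burst(t, "198.51.100.7", "user@example.com", 1000))  # (3, 997, 3)
    clock.advance(900)  # window elapses; the same IP gets a fresh budget
    print(t.allow("198.51.100.7"))  # True
```

The limiter state here lives in process memory, which is enough to show the logic; behind a load balancer or across several instances the hit table would need to live in a shared store so that every instance enforces the same per-IP budget.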