How does Auth0 filter spam Authorization token requests for SPAs?

I was planning on using Auth0 for my React project (SPA), and according to the OAuth flow of SPA’s, client_secret is not issued. Anyone can see the request that my application makes to Auth0 for the authorization token, and can use the request to spam my account. How does Auth0 defend my account against it, otherwise, I will have several login attempts count that will drive up my quota.


Hi @gitscr,

Welcome to the Auth0 Community! :wave:

There is no quota for failed auth transactions. Quotas are based on active users and M2M tokens, which only occur when an auth transaction is successful.

We also offer a suite of attack protection features, some are enabled by default.

1 Like