How does Auth0 filter spam Authorization token requests for SPAs?

gitscr · March 14, 2022, 7:34am

I was planning on using Auth0 for my React project (SPA), and according to the OAuth flow of SPA’s, client_secret is not issued. Anyone can see the request that my application makes to Auth0 for the authorization token, and can use the request to spam my account. How does Auth0 defend my account against it, otherwise, I will have several login attempts count that will drive up my quota.

Thanks

dan.woda · March 17, 2022, 8:02pm

Hi @gitscr,

Welcome to the Auth0 Community!

There is no quota for failed auth transactions. Quotas are based on active users and M2M tokens, which only occur when an auth transaction is successful.

We also offer a suite of attack protection features, some are enabled by default.

Topic		Replies	Views
Confusion over flow for multi-instanced SPA+API Help jwt , api	7	3225	August 2, 2019
Lock, Auth0.js, Auth0 React SDK or Authentication API Help auth0-spa-js , sdks-quickstarts	0	1676	November 7, 2022
Have I understood Auth0 wrong? Help api , rules , login	2	1949	January 12, 2022
Code samples available for utilizing auth0-spa-js? Help auth0 , login	2	2030	February 23, 2022
How to secure an SPA which fetch data from REST api? Does every authentication needs to be done at backend? Help jwt , api , login	4	4411	March 9, 2021

How does Auth0 filter spam Authorization token requests for SPAs?

Related topics