Invalid_signup error returns instead of user_exists from authentication API

Hello, we recently changed the user_exists error to invalid_signup to improve security against a potential username enumeration attack.

The feature is “on” by default for new tenants so these would get a generic invalid_signup error. For existing tenants it’s an opt-in behaviour which can be enabled from tenant settings.

You can find the official notification here.

We highly recommend that you turn on this feature to close the username enumeration threat.
