We’ve set up a webhook to alert our superusers when an auth0 user causes their account to become blocked by bruteforce attack protection.

However, I’ve noticed that even though the description shows the specific user name/email address used to login, the user_id field is blank for a limit_wc event.

On the other hand, I have also noticed that the specific event occurs simultaneously with the actual fp event that does have the user_id field. Can I be confident that these events will always arrive within the same webhook call, to allow cross-referencing?

Looks like I just answered my own question, as my next attempt had the limit_wc event called seperately from the fp event.

Why is the user_id field blank in the limit_wc event?