Overview
When sending email campaigns, Safe Links scanners or URL checkers that are deployed as a security measure to detect malicious links in email can erroneously trigger login flows when the email contains a link to the application. When the scanner or checker accesses the link, the application issues an /authorize request. In mass email marketing campaigns this can saturate the tenant's rate limit with /authorize requests, blocking real users until the rate limit recovers.
Applies To
- Rate limits
- Email links
Cause
Sometimes, an application triggers automatic logins to improve the user experience when loading its home page or other route, saving the user from having to click a login button.
However, this can lead to issues when the route is accessed in a manner different from its intended use, for example by an automated link scanner rather than by a user in a browser. For more details on automatic redirect considerations, see: Error “You were redirected too many times” during Authentication
Solution
To avoid hitting rate limits when including application links in emails, the shared link should lead to a page in the application where the user starts the login flow only by clicking a button that calls /authorize.
- The page must not attempt an automatic login on page load, whether through custom JavaScript or an SDK call.
- It should be a public page that requires no authentication to load and does not redirect to login automatically.
This should stop link scanners from generating /authorize requests that the user has not initiated themselves, which would otherwise consume the Authentication API’s rate limits and potentially impact real user login attempts.
Details on rate limits applied to the different subscription levels can be found here: Rate Limit Configurations