Passwordless user blocked by IP (I assume) from further login attempts


On our app we use passwordless phone login, with brute-force protection enabled (sending the ip trough x-forward-ref header). After couple of failed login attempts user got this message: Your account has been blocked after multiple consecutive login attempts. We’ve sent you an email with instructions on how to unblock it.

Going trough docs, I noticed that the user can be unblocked using management api /api/v2/user-blocks by email or phone. And when I trigger this endpoint everything is fine, 204 is returned, but the user still gets the same message. Also the blocked_for property is empty, and I don’t understand how, and why user is blocked.

I would appreciate explanation, because this is super confusing, also what is the way to unblock that user?