Since last night, we’ve been seeing periodic login failures for our applications. Looking in the monitoring logs, we see lots of “Rate Limit on API” messages, and they seem to be occurring every minute. The problem we have is that we can’t seem to identify what is causing this. We identified a web application of ours which saw an unusual amount of requests, and our initial thought was that this was an attack of some sort due to the frequency and the path that was being accessed. This application forwards its login requests to Auth0, so we took the application down so that no traffic would be sent to Auth0, but we are still seeing the rate limit errors. We’re a bit stuck in being able to identify what is causing this. Is it possible someone is trying to access our Auth0 tenant directly? The request is always a GET /authorize and the user agent is always the same: “user_agent”: “Chrome 130.0.0 / Windows 10.0.0”, but the IP is always different for each request. Is there a way we can block a specific user_agent? We’re currently on the free plan and looking around the docs I am not sure this is possible. Any help greatly appreciated.
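The pattern described above (one fixed user agent, a new IP on every GET /authorize, bursts every minute) is easier to confirm from exported tenant logs than by eyeballing the dashboard. The following is an added example, not code from the original post or from Auth0: it groups /authorize requests into fixed time windows per user agent and flags any window in which a single user agent arrived from many distinct IPs. The sample log lines are constructed for this example; only the "user_agent" field name and value come from the post, while "date", "ip", "type" and "details.request.path" are assumed field names and not guaranteed to match Auth0's real log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, loosely shaped like Auth0 tenant log entries.
# Only "user_agent" reflects a field shown in the post; "date", "ip", "type"
# and "details.request.path" are assumptions made for this example.
CONSTRUCTED_LOG_LINES = [
    '{"date":"2024-11-20T10:00:01Z","type":"f","ip":"203.0.113.10","user_agent":"Chrome 130.0.0 / Windows 10.0.0","details":{"request":{"method":"GET","path":"/authorize"}}}',
    '{"date":"2024-11-20T10:00:05Z","type":"s","ip":"203.0.113.50","user_agent":"Firefox 130.0.0 / Mac OS X","details":{"request":{"method":"GET","path":"/authorize"}}}',
    '{"date":"2024-11-20T10:00:12Z","type":"f","ip":"203.0.113.11","user_agent":"Chrome 130.0.0 / Windows 10.0.0","details":{"request":{"method":"GET","path":"/authorize"}}}',
    '{"date":"2024-11-20T10:00:25Z","type":"f","ip":"198.51.100.5","user_agent":"Chrome 130.0.0 / Windows 10.0.0","details":{"request":{"method":"GET","path":"/authorize"}}}',
    '{"date":"2024-11-20T10:00:33Z","type":"f","ip":"198.51.100.6","user_agent":"Chrome 130.0.0 / Windows 10.0.0","details":{"request":{"method":"GET","path":"/authorize"}}}',
    '{"date":"2024-11-20T10:00:40Z","type":"s","ip":"203.0.113.50","user_agent":"Firefox 130.0.0 / Mac OS X","details":{"request":{"method":"GET","path":"/authorize"}}}',
    '{"date":"2024-11-20T10:00:47Z","type":"f","ip":"192.0.2.77","user_agent":"Chrome 130.0.0 / Windows 10.0.0","details":{"request":{"method":"GET","path":"/authorize"}}}',
    '{"date":"2024-11-20T10:00:55Z","type":"f","ip":"192.0.2.78","user_agent":"Chrome 130.0.0 / Windows 10.0.0","details":{"request":{"method":"GET","path":"/authorize"}}}',
    '{"date":"2024-11-20T10:02:30Z","type":"f","ip":"203.0.113.10","user_agent":"Chrome 130.0.0 / Windows 10.0.0","details":{"request":{"method":"GET","path":"/authorize"}}}',
]


def parse_entries(lines):
    """Parse JSON log lines and attach a timezone-aware timestamp as "_ts"."""
    entries = []
    for line in lines:
        entry = json.loads(line)
        entry["_ts"] = datetime.strptime(entry["date"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        entries.append(entry)
    return entries


def distinct_ips_by_agent_window(entries, path="/authorize", window_seconds=60):
    """Return {(user_agent, window_start_epoch): set(ips)} for requests to `path`.

    Windows are fixed-size buckets aligned to the epoch, so every request in
    10:00:00-10:00:59 lands in the same bucket when window_seconds is 60.
    """
    buckets = defaultdict(set)
    for entry in entries:
        request = entry.get("details", {}).get("request", {})
        if request.get("path") != path:
            continue
        ts = int(entry["_ts"].timestamp())
        window_start = ts - (ts % window_seconds)
        buckets[(entry["user_agent"], window_start)].add(entry["ip"])
    return buckets


def flag_rotating_ip_agents(lines, min_distinct_ips=5, window_seconds=60):
    """Flag (user_agent, window_start_iso, distinct_ip_count) tuples where one
    user agent reached /authorize from at least `min_distinct_ips` different IPs
    inside a single window. Results are ordered by window, then user agent."""
    entries = parse_entries(lines)
    buckets = distinct_ips_by_agent_window(entries, window_seconds=window_seconds)
    flagged = []
    for (user_agent, start), ips in sorted(buckets.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if len(ips) >= min_distinct_ips:
            start_iso = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            flagged.append((user_agent, start_iso, len(ips)))
    return flagged


if __name__ == "__main__":
    for user_agent, window_start, ip_count in flag_rotating_ip_agents(CONSTRUCTED_LOG_LINES):
        print(f"{window_start}  {ip_count:>3} distinct IPs  {user_agent}")
```

A genuine browser session normally produces one IP (or a handful) per user agent per minute, so a user agent that shows up from six or more unrelated addresses within sixty seconds, while a legitimate one stays on a single address, is the signal worth taking to whichever rate-limit or attack-protection controls the tenant's plan provides. Lower `min_distinct_ips` to 1 to see every bucket, which is useful for comparing the suspicious agent against normal traffic in the same export.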
Hi, @webdev4,
The response for this post might be useful:
You should also check the user’s name to make sure there is no suspicious activity, but generally speaking, look in your codebase to make sure you’re not authenticating or authorizing the user more than you should.
If you have any other questions feel free to ask.
Have a good one,
Vlad