Users from custom DB blocked by Brute-Force Protection with "|" pipe character in username

Problem statement

Some users from a custom DB connection were blocked by Brute-Force Protection. We use the “|” pipe character in the username and can’t unblock them.


I tried the GET /api/v2/user-blocks Management API endpoint to get the blocks for the user (e.g. |test) and received an empty array:

"blocked_for": []

I also tried the DELETE /api/v2/user-blocks Management API endpoint to unlock the user, but they still couldn’t log in.


This could be due to the “|” character being used internally on the API V2 endpoint for parsing the connection.

For example, when parsing |test, we incorrectly parse ‘test’ as the connection.

The following doc lists the allowed characters for the username attribute: Adding Username for Database Connections. The pipe “|” is not on the list.

Also, as explained in the same doc, “No other characters/symbols are allowed, and Auth0 does not validate or sanitize custom database inputs.”


As a workaround, with the example above, you can use |test| connection-name instead to retrieve such users.
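
The mis-parse and the workaround described above, as an added example that is not Auth0's code: it uses a simplified model (an assumption) in which the identifier is split at the last "|" and the trailing segment is taken as the connection. The usernames, the connection name my-custom-db and all function names are constructed for illustration; the identifier query parameter is URL-encoded, so "|" is sent as %7C.

```javascript
// Simplified model (assumption, not Auth0's parser): the text after the
// LAST "|" in the identifier is treated as the connection name.
function parseIdentifier(identifier) {
  const i = identifier.lastIndexOf("|");
  if (i === -1) return { username: identifier, connection: null };
  return { username: identifier.slice(0, i), connection: identifier.slice(i + 1) };
}

// Workaround from the article: when the username itself contains "|",
// append "|<connection-name>" so the trailing segment really is the connection.
function lookupIdentifier(username, connection) {
  return username.includes("|") ? `${username}|${connection}` : username;
}

// Path for the user-blocks endpoint with the identifier URL-encoded.
function userBlocksPath(username, connection) {
  const id = lookupIdentifier(username, connection);
  return "/api/v2/user-blocks?identifier=" + encodeURIComponent(id);
}

// Audit a list of custom DB usernames: report every one that would be
// mis-parsed, what it is mis-parsed as, and the identifier to use instead.
function auditUsernames(usernames, connection) {
  return usernames
    .filter((u) => u.includes("|"))
    .map((u) => {
      const fixed = lookupIdentifier(u, connection);
      return {
        username: u,
        misparsedAs: parseIdentifier(u),
        useIdentifier: fixed,
        // true when the model recovers the full username from the fixed form
        roundTrips: parseIdentifier(fixed).username === u,
      };
    });
}

// Constructed sample data (not from the article).
const SAMPLE_USERS = ["bob", "alice|test", "a|b|c"];
const SAMPLE_CONNECTION = "my-custom-db";

console.log(JSON.stringify(auditUsernames(SAMPLE_USERS, SAMPLE_CONNECTION), null, 2));
```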