
Maximizing Akamai Risk Signals in Auth0 Actions

Learn how to bridge perimeter telemetry and identity pipelines by routing Akamai Bot Manager and Account Protector risk signals directly into Auth0 Actions.

May 22, 2026 · 4 min read

A sophisticated credential-stuffing bot is hitting your login endpoint, which is protected by Akamai at the perimeter. Akamai Bot Manager's advanced bot detection algorithms detect the bot activity and flag a malicious script. An alarm is ringing at the edge.

But as the request reaches Auth0, that signal goes quiet. While the network intelligence stays at the edge, internally we see a valid username and password from a clean-looking IP. The door opens.

Your edge can let high-risk traffic through. What if you could use Auth0 to stop that traffic from turning into identity attacks?

Our shared customers trust Akamai to manage their edge securely as a layer in front of Auth0. While this gives them more control over their traffic, it creates a problem: the highest-fidelity bot and risk signals are often stripped or ignored by the time the request hits our identity pipeline.

Bridging the Gap with Supplemental Signals in Actions

With the release of Akamai Integration GA, we are turning that silent alarm into an actionable event. Customers using Akamai as a reverse proxy can now ingest Akamai Supplemental Signals directly into Auth0 Actions and orchestrate a response.

By surfacing Akamai’s telemetry from products like Account Protector and Bot Manager within Auth0 Actions, we’ve moved beyond simple visibility. These signals are now first-class citizens in our extensibility model. A developer can now write a few lines of code to force an MFA challenge in a Post-Login Action if the User Risk Score is too high:

// First Action to require MFA
exports.onExecutePostLogin = async (event, api) => {
  const userRiskHeader = event.authentication?.riskAssessment?.supplemental?.akamai?.akamaiUserRisk;

  // Remember, per session, that Akamai Account Protector signaled high risk.
  // Note: event.session is optional; without it the key becomes "mfa_required_undefined".
  if (userRiskHeader?.score && userRiskHeader?.score >= 90) {
    console.log(`Setting app metadata for session id: ${event.session?.id}`);
    api.user.setAppMetadata(`mfa_required_${event.session?.id}`, true);
  }

  // Trigger MFA if the score is high now or the flag is still set for this session
  if ((userRiskHeader?.score && userRiskHeader?.score >= 90) ||
      event.user.app_metadata?.[`mfa_required_${event.session?.id}`]) {
    console.log(`Requiring MFA for session id: ${event.session?.id}`);
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};

// Second Action to clean up metadata (deployed as a separate Action)
exports.onExecutePostLogin = async (event, api) => {
  // Look for a completed MFA step among the authentication methods
  const mfaMethod = event.authentication?.methods.find((method) => {
    return method.name === 'mfa';
  });

  if (mfaMethod) {
    console.log(`Removing MFA requirement for session id: ${event.session?.id}`);
    api.user.setAppMetadata(`mfa_required_${event.session?.id}`, undefined);
  }
};

Or mitigate a signup attack by denying user registration based on Akamai’s trusted Bot Score:

exports.onExecutePreUserRegistration = async (event, api) => {
  const akamaiBot = event.authentication?.riskAssessment?.supplemental?.akamai?.akamaiBot;

  // Deny registration if Bot Manager results indicate a high bot score
  if (akamaiBot?.botScore && akamaiBot.botScore >= 90) {
    return api.access.deny(
      "automated_registration_detected",
      "Registration is currently unavailable. Please ensure you are using a supported browser."
    );
  }
};

Akamai is excellent at managing traffic through blocks or challenges at the edge, but if you aren’t extending those signals into the identity flow, that intelligence becomes a wasted superpower. By connecting these signals to Auth0, our customers can finally perform Identity Orchestration and make surgical, user-aware security decisions based on the full context of the network journey.
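The two snippets above each act on one signal and silently allow the login when the signal is absent. The following added example (not code from the original post or from Auth0) combines both scores into one tiered Post-Login decision and treats a missing or malformed signal explicitly. It assumes that `akamaiBot` and `akamaiUserRisk` are both present on the post-login event, that scores fall in the range 0-100, and that stepping up to MFA is the desired response when no signal arrives; `decide`, `toScore` and the reason strings are hypothetical names.

```javascript
// Added example. The 0-100 range and the response to a missing signal are assumptions.
const DENY_BOT_SCORE = 90; // botScore threshold used on this page
const MFA_RISK_SCORE = 90; // akamaiUserRisk.score threshold used on this page
const ON_MISSING_SIGNAL = 'mfa'; // assumption: step up rather than fail open

// Accept numbers or numeric strings; anything else, or out of range, is unusable.
function toScore(value) {
  const n = typeof value === 'string' && value.trim() !== '' ? Number(value) : value;
  return typeof n === 'number' && Number.isFinite(n) && n >= 0 && n <= 100 ? n : null;
}

// Pure policy: map the Akamai supplemental object to exactly one decision.
function decide(akamai) {
  const bot = toScore(akamai?.akamaiBot?.botScore);
  const risk = toScore(akamai?.akamaiUserRisk?.score);
  if (bot === null && risk === null) {
    // The request may have bypassed the proxy, or the values were malformed.
    return { action: ON_MISSING_SIGNAL, reason: 'akamai_signal_missing' };
  }
  if (bot !== null && bot >= DENY_BOT_SCORE) {
    return { action: 'deny', reason: 'akamai_bot_score' };
  }
  if (risk !== null && risk >= MFA_RISK_SCORE) {
    return { action: 'mfa', reason: 'akamai_user_risk' };
  }
  return { action: 'allow', reason: 'akamai_below_threshold' };
}

const onExecutePostLogin = async (event, api) => {
  const akamai = event.authentication?.riskAssessment?.supplemental?.akamai;
  const decision = decide(akamai);
  // One structured line per login so each decision can be reviewed in the Action's logs.
  console.log(JSON.stringify({ session: event.session?.id, ...decision }));
  if (decision.action === 'deny') {
    api.access.deny('Login blocked by risk policy.');
  } else if (decision.action === 'mfa') {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};

// Auth0 Actions load the handler from exports; the guard lets the file run elsewhere too.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Keeping the policy in a pure function lets the thresholds be unit-tested outside the tenant, and the `akamai_signal_missing` reason in the logs is a quick indicator of logins that did not carry Akamai headers.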

Do Not Waste Your Edge: Activate the Intelligence You Already Own

At Auth0, we’ve always believed that you should be able to use the security tools that work best for you. Because our vision is to free everyone to safely use any technology, we provide a neutral identity layer that works across your entire ecosystem.

Don’t let your security investment go to waste. If you are already using Akamai to protect your perimeter, you are sitting on a goldmine of risk intelligence that your identity layer can’t see. By integrating these signals into Auth0 Actions today, you turn a silent monitor into an active defense.

Stop flying blind at the login box. Connect your Akamai signals to Auth0 and start making smarter, data-driven security decisions now.

About the author

Tiffany Larson

Senior Software Engineer

Tiffany Larson is a Senior Software Engineer on the Attack Protection Team at Auth0. She focuses on building intelligent systems that protect users and customers from automated threats and malicious actors.