
How Auth0 Tenant Access Control List Empowers Customers Under Fire

Discover how an Auth0 customer used Tenant ACL to mitigate a signup fraud attack, blocking 21 million requests.

In September 2025, Auth0 announced general availability of Tenant Access Control List (ACL), which manages traffic to your Auth0 services with configurable rules. This feature enables teams to neutralize malicious traffic using predefined signals before it ever reaches their applications. In this post, learn how an Auth0 customer mitigated a sustained attack and blocked over 21 million requests using Tenant ACL.

The Signup Fraud Attack

In early September, threat actors undertook a large-scale, opportunistic fake signup campaign against a large Auth0 tenant. Within a few days, the tenant logged millions of illegitimate signup requests, nearly 40 times the tenant’s typical signup volume.

With the assistance of Auth0 support, the tenant’s administrator identified specific JA3 and JA4 TLS client fingerprints (unique identifiers for the malicious clients) and requested a block. Auth0 Support implemented the block, the traffic dropped, and the immediate threat subsided. Or so it seemed.

Detect, Respond, Block, and Tenant ACL

The calm barely lasted 24 hours. The attackers pivoted, changing their tactics to bypass the initial block. This new surge triggered rate limits, causing collateral damage: legitimate users could no longer sign up.

Building on detection rules such as those in Auth0’s open-source detection catalog, the customer’s security team parsed the security_context log object in signup events and isolated the attackers’ new JA3 signatures. But they needed a way to act on that threat intelligence instantly. Auth0 Support showed the tenant’s administrator how to employ Tenant ACL. Now, rather than waiting for support tickets or engaging consultants, the customer seized control and mitigated the attack using Tenant ACL.

Sure enough, adding the new fingerprints to their ACL with the authentication scope blocked the attack. Auth0’s knowledge base provides examples and details on how you can write your own rules, like the one below, which blocks all authentication traffic from a malicious JA4.

{
  "description": "Block authentication traffic from malicious JA4",
  "active": true,
  "priority": 1,
  "rule": {
    "action": {
      "block": true
    },
    "match": {
      "ja4_fingerprints": ["t13d201100_2b729b4bf6f3_9e7b989ebec8"]
    },
    "scope": "authentication"
  }
}
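The workflow described above, from parsing the security_context object in signup log events to producing a Tenant ACL rule in the shape shown, as an added example that is not part of the original post or Auth0's own tooling. It assumes a security_context object with ja3 and ja4 keys (an assumed layout for illustration), uses Auth0's ss/fs event codes for successful and failed signups, and reuses the JA4 value from the rule above as the constructed "malicious" fingerprint in sample data; the 40x multiplier mirrors the volume figure in the post and is a tunable threshold, not an Auth0 setting.

```python
import json
from collections import Counter

# Auth0 log event type codes for signup events (ss = successful signup,
# fs = failed signup). Other codes, such as logins, are ignored here.
SIGNUP_EVENT_TYPES = {"ss", "fs"}

# JA4 value taken from the rule shown in the post; used here as the
# "malicious" fingerprint in constructed sample data.
MALICIOUS_JA4 = "t13d201100_2b729b4bf6f3_9e7b989ebec8"
# Constructed, non-real JA4 values standing in for legitimate clients.
LEGIT_JA4S = ["t13d_legit_aaaa", "t13d_legit_bbbb", "t13d_legit_cccc"]


def _event(event_type, ja3, ja4):
    # Assumed layout of the security_context object: a ja3 and a ja4 key.
    return {"type": event_type, "security_context": {"ja3": ja3, "ja4": ja4}}


# Constructed sample log stream: three normal signups, one plain login from
# the attacker's TLS stack (not a signup, so it must not be counted), and
# fifty signup attempts that all share one JA4 fingerprint.
SAMPLE_LOG_LINES = [json.dumps(_event("ss", "legit-ja3", fp)) for fp in LEGIT_JA4S]
SAMPLE_LOG_LINES.append(json.dumps(_event("s", "bad-ja3", MALICIOUS_JA4)))
SAMPLE_LOG_LINES += [
    json.dumps(_event("ss" if i % 2 == 0 else "fs", "bad-ja3", MALICIOUS_JA4))
    for i in range(50)
]


def parse_log_lines(lines):
    """Parse newline-delimited JSON log events, skipping unparseable lines."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def signup_counts_by_ja4(events):
    """Count signup events per JA4 fingerprint found in security_context."""
    counts = Counter()
    for ev in events:
        if ev.get("type") not in SIGNUP_EVENT_TYPES:
            continue
        ja4 = (ev.get("security_context") or {}).get("ja4")
        if ja4:
            counts[ja4] += 1
    return counts


def suspicious_ja4s(events, baseline_per_fingerprint, multiplier=40):
    """Return fingerprints whose signup volume exceeds multiplier x baseline.

    baseline_per_fingerprint is the signup count you normally expect from a
    single fingerprint over the same window; anything far above it is a
    candidate for a block rule, subject to the review noted below.
    """
    threshold = baseline_per_fingerprint * multiplier
    counts = signup_counts_by_ja4(events)
    return sorted(fp for fp, n in counts.items() if n > threshold)


def build_block_rule(ja4s, priority=1):
    """Build a Tenant ACL rule in the shape shown in the post."""
    return {
        "description": "Block authentication traffic from malicious JA4",
        "active": True,
        "priority": priority,
        "rule": {
            "action": {"block": True},
            "match": {"ja4_fingerprints": list(ja4s)},
            "scope": "authentication",
        },
    }


def rule_as_json(ja4s, priority=1):
    """Serialize the rule the way it would be pasted into a rule definition."""
    return json.dumps(build_block_rule(ja4s, priority), indent=2)


if __name__ == "__main__":
    evs = parse_log_lines(SAMPLE_LOG_LINES)
    flagged = suspicious_ja4s(evs, baseline_per_fingerprint=1)
    print(rule_as_json(flagged))
```

Before turning a flagged fingerprint into a block, check it against your normal traffic: a JA4 identifies a TLS client stack, not a user, so a popular browser build can produce the same fingerprint for many legitimate signups. The counting here is deliberately scoped to signup event types so that a burst of logins from a shared fingerprint does not inflate the signup count.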

Data-Driven Agility Outmaneuvers Identity Attacks at the Edge

In the following weeks, the customer stayed one step ahead by monitoring attacker fingerprints and updating their Tenant ACL rules to maintain effective blocking. This wasn't a static "set and forget" configuration; it was a data-driven, agile response that evolved in step with attacker tactics.

By the end of the campaign, Tenant ACL had intercepted over 21 million malicious requests. Each one was a fake signup neutralized at the network edge before it could reach the application, trigger collateral rate limits, or disrupt legitimate users. Most importantly, the customer achieved this independently, requiring zero intervention from Auth0 Support after the initial setup. They didn't merely survive the attack; they outmaneuvered it.

Putting Edge Superpowers to Work

Tenant ACL places the edge-level controls necessary for a proactive, data-driven defense directly into the hands of our customers. This case is one example of how security teams armed with deep log insights and the right toolkit can neutralize sophisticated adversaries at scale and with speed.

Blocking attacks and frustrating attackers is part of Auth0’s aim. We want to foster a secure identity and access management ecosystem. Auth0 tools and services give customers the sovereignty to protect themselves and their users in real time. We want to hear from you as you put Tenant ACL to work: share your feedback and success stories in the Auth0 Community forums, reach out to your customer advocate, or contact support to help us improve identity security for everyone.

These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.