User/Password Authentication Rate Limits
Auth0 enforces these limits to protect the overall health of the service. Because Auth0 is highly customizable, the service can be degraded by high-load stress tests, benchmark tests, or inefficient application code that makes users log in repeatedly. Requests are subject to the limits outlined in the Rate Limit Policy for Auth0 APIs.
For database connections, Auth0 limits certain types of repeat login attempts depending on the user account and IP address. Some of these limits are set as part of anomaly detection:
If a user enters their password incorrectly more than 10 times consecutively from a single IP address, they are blocked from logging in to that account from that IP address. Auth0 sends the email address attached to the user account a message containing a link that unblocks the account/IP address combination. This is the Brute Force Protection shield, part of Auth0's anomaly detection. Because the block is keyed to the account/IP pair, entering the correct password from the blocked IP address does not lift it. Users can also unblock themselves by resetting their password, and Dashboard administrators can manually unblock users.
If the same user attempts to log in 20 times in one minute from the same IP address, whether or not the credentials are correct, the rate limit takes effect; from that point the user is limited to 10 attempts per minute. Successful logins count toward this limit too, so an application that re-authenticates on every request can trip it with no attacker involved.
If anomaly detection has blocked a user, you can lift the block for an IP address with the Management API's Remove IP Block endpoint (DELETE /api/v2/anomaly/blocks/ips/{id}, where {id} is the blocked IP address). To unblock users from the Dashboard, see Block and Unblock Users.
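The following is an added example, not Auth0's code and not a description of how Auth0 implements these checks internally: a small Python model of the two limits above (the brute-force block and the per-minute throttle) together with the unblock paths (admin or e-mail-link unblock, and password reset). The thresholds, 10 consecutive failures and 20 then 10 attempts per minute, come from this page; the sliding-window bookkeeping, the rule that a throttle lifts after a full quiet minute, and the user names, IP addresses and passwords are assumptions made for the example.

```python
from collections import defaultdict, deque

# Thresholds as stated on the page. Everything else about the bookkeeping
# (sliding window, when a throttle lifts) is an assumption of this example.
MAX_CONSECUTIVE_FAILURES = 10    # the 11th consecutive wrong password blocks
TRIGGER_PER_MINUTE = 20          # attempts per minute that switch throttling on
THROTTLED_PER_MINUTE = 10        # attempts per minute allowed once throttled
WINDOW_SECONDS = 60.0


class LoginLimiter:
    """Tracks brute-force blocks and per-minute throttling per (user, ip) pair."""

    def __init__(self, credentials):
        # user -> correct password; constructed sample data, not a real store
        self._credentials = dict(credentials)
        self._failures = defaultdict(int)   # (user, ip) -> consecutive wrong passwords
        self._blocked = set()               # (user, ip) pairs under brute-force block
        self._window = defaultdict(deque)   # (user, ip) -> timestamps of processed attempts
        self._throttled = set()             # (user, ip) pairs currently throttled

    def _prune(self, key, now):
        """Drop attempts older than the window; lift the throttle after a quiet minute."""
        win = self._window[key]
        while win and now - win[0] >= WINDOW_SECONDS:
            win.popleft()
        if not win:                         # assumption: no attempts for 60 s ends the throttle
            self._throttled.discard(key)
        return win

    def attempt(self, user, ip, password, now):
        """Process one login attempt; returns 'ok', 'wrong_password', 'blocked' or 'rate_limited'."""
        key = (user, ip)
        if key in self._blocked:
            return "blocked"                # a correct password does not lift the block
        win = self._prune(key, now)
        allowed = THROTTLED_PER_MINUTE if key in self._throttled else TRIGGER_PER_MINUTE
        if len(win) >= allowed:
            self._throttled.add(key)        # 21st attempt within a minute switches throttling on
            return "rate_limited"           # not evaluated, so it is neither a failure nor a success
        win.append(now)
        if self._credentials.get(user) == password:
            self._failures[key] = 0         # a success ends the consecutive-failure run
            return "ok"
        self._failures[key] += 1
        if self._failures[key] > MAX_CONSECUTIVE_FAILURES:
            self._blocked.add(key)          # Brute Force Protection for this account/IP pair
            return "blocked"
        return "wrong_password"

    def is_blocked(self, user, ip):
        return (user, ip) in self._blocked

    def unblock(self, user, ip):
        """Admin action or the e-mailed unblock link: clears one account/IP pair."""
        self._blocked.discard((user, ip))
        self._failures[(user, ip)] = 0

    def reset_password(self, user, new_password):
        """A password reset clears the user's blocks from every IP address."""
        self._credentials[user] = new_password
        for key in [k for k in self._blocked if k[0] == user]:
            self.unblock(*key)


def demo_brute_force():
    """Constructed scenario: one IP guesses 25 wrong passwords, one per second."""
    lim = LoginLimiter({"alice": "correct horse battery staple"})
    return [lim.attempt("alice", "203.0.113.7", "guess%d" % i, float(i)) for i in range(25)]


def demo_throttle():
    """Constructed scenario: a client with the right password logs in 25 times in 25 s."""
    lim = LoginLimiter({"bob": "pw"})
    ip = "198.51.100.9"
    burst = [lim.attempt("bob", ip, "pw", float(t)) for t in range(25)]
    at_65 = lim.attempt("bob", ip, "pw", 65.0)   # 14 attempts still in the window: throttled
    at_71 = lim.attempt("bob", ip, "pw", 71.0)   # 8 left in the window: under the 10/min cap
    return burst, at_65, at_71


if __name__ == "__main__":
    print(demo_brute_force())
    print(demo_throttle())
```

Two things the model makes visible that the prose only implies: the brute-force counter is per account/IP pair, so the same user is unaffected from another address, and the throttle is triggered by successful logins as readily as by failures, which is why a chatty client that re-authenticates on every call can lock a legitimate user out for a minute.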