Skip to main content
Attack Protection provides security features to protect your Auth0 tenant from common attacks like brute force, breached password detection, and suspicious IP throttling.

Overview

The Attack Protection API is organized into sub-clients:
  • BotDetection - Configure bot detection settings
  • BreachedPasswordDetection - Manage breached password detection
  • BruteForceProtection - Configure brute force protection
  • Captcha - Manage CAPTCHA settings
  • SuspiciousIPThrottling - Configure suspicious IP throttling

Accessing Attack Protection

// Access attack protection clients
client.Management.AttackProtection.BotDetection
client.Management.AttackProtection.BreachedPasswordDetection
client.Management.AttackProtection.BruteForceProtection
client.Management.AttackProtection.Captcha
client.Management.AttackProtection.SuspiciousIPThrottling

Bot Detection

Manage bot detection settings to identify and block automated attacks.

Get Bot Detection Settings

settings, err := client.Management.AttackProtection.BotDetection.Get(
    context.TODO(),
)
if err != nil {
    log.Fatalf("Failed to get bot detection settings: %v", err)
}

fmt.Printf("Bot detection enabled: %v\n", settings.GetEnabled())

Update Bot Detection Settings

import "github.com/auth0/go-auth0/v2/management"

update := &management.UpdateBotDetectionRequestContent{
    Enabled: management.Bool(true),
}

updated, err := client.Management.AttackProtection.BotDetection.Update(
    context.TODO(),
    update,
)
if err != nil {
    log.Fatalf("Failed to update bot detection: %v", err)
}

Breached Password Detection

Detect and prevent the use of passwords that have been exposed in known data breaches.

Get Breached Password Detection Settings

settings, err := client.Management.AttackProtection.BreachedPasswordDetection.Get(
    context.TODO(),
)
if err != nil {
    log.Fatalf("Failed to get settings: %v", err)
}

fmt.Printf("Breached password detection enabled: %v\n", settings.GetEnabled())
fmt.Printf("Method: %s\n", settings.GetMethod())

Update Breached Password Detection Settings

update := &management.UpdateBreachedPasswordDetectionRequestContent{
    Enabled: management.Bool(true),
    Method: management.String("standard"),
    AdminNotificationFrequency: []string{"immediately"},
}

updated, err := client.Management.AttackProtection.BreachedPasswordDetection.Update(
    context.TODO(),
    update,
)
if err != nil {
    log.Fatalf("Failed to update settings: %v", err)
}

Brute Force Protection

Protect against brute force attacks by limiting failed login attempts.

Get Brute Force Protection Settings

settings, err := client.Management.AttackProtection.BruteForceProtection.Get(
    context.TODO(),
)
if err != nil {
    log.Fatalf("Failed to get settings: %v", err)
}

fmt.Printf("Enabled: %v\n", settings.GetEnabled())
fmt.Printf("Max attempts: %d\n", settings.GetMaxAttempts())

Update Brute Force Protection Settings

update := &management.UpdateBruteForceProtectionRequestContent{
    Enabled: management.Bool(true),
    MaxAttempts: management.Int(10),
    Shields: []string{"block", "user_notification"},
    AllowList: []string{"192.168.1.1", "10.0.0.0/8"},
}

updated, err := client.Management.AttackProtection.BruteForceProtection.Update(
    context.TODO(),
    update,
)
if err != nil {
    log.Fatalf("Failed to update settings: %v", err)
}

CAPTCHA

Manage CAPTCHA requirements for authentication flows.

Get CAPTCHA Settings

settings, err := client.Management.AttackProtection.Captcha.Get(
    context.TODO(),
)
if err != nil {
    log.Fatalf("Failed to get CAPTCHA settings: %v", err)
}

fmt.Printf("Provider: %s\n", settings.GetProvider())

Update CAPTCHA Settings

update := &management.UpdateCaptchaRequestContent{
    Provider: management.String("recaptcha_v2"),
    SiteKey: management.String("your-site-key"),
    SecretKey: management.String("your-secret-key"),
}

updated, err := client.Management.AttackProtection.Captcha.Update(
    context.TODO(),
    update,
)
if err != nil {
    log.Fatalf("Failed to update CAPTCHA settings: %v", err)
}

Suspicious IP Throttling

Throttle requests from IP addresses that exhibit suspicious behavior.

Get Suspicious IP Throttling Settings

settings, err := client.Management.AttackProtection.SuspiciousIPThrottling.Get(
    context.TODO(),
)
if err != nil {
    log.Fatalf("Failed to get settings: %v", err)
}

fmt.Printf("Enabled: %v\n", settings.GetEnabled())

Update Suspicious IP Throttling Settings

update := &management.UpdateSuspiciousIPThrottlingRequestContent{
    Enabled: management.Bool(true),
    Shields: []string{"block", "admin_notification"},
    AllowList: []string{"192.168.1.1"},
}

updated, err := client.Management.AttackProtection.SuspiciousIPThrottling.Update(
    context.TODO(),
    update,
)
if err != nil {
    log.Fatalf("Failed to update settings: %v", err)
}

Complete Example

package main

import (
    "context"
    "fmt"
    "log"
    "os"

    "github.com/auth0/go-auth0/v2/management"
)

func main() {
    client, err := management.New(
        context.TODO(),
        os.Getenv("AUTH0_DOMAIN"),
        management.WithClientCredentials(
            os.Getenv("AUTH0_CLIENT_ID"),
            os.Getenv("AUTH0_CLIENT_SECRET"),
        ),
    )
    if err != nil {
        log.Fatalf("Failed to create client: %v", err)
    }

    // Enable all attack protection features
    ctx := context.TODO()

    // Enable bot detection
    _, err = client.Management.AttackProtection.BotDetection.Update(ctx, &management.UpdateBotDetectionRequestContent{
        Enabled: management.Bool(true),
    })
    if err != nil {
        log.Fatalf("Failed to enable bot detection: %v", err)
    }

    // Enable breached password detection
    _, err = client.Management.AttackProtection.BreachedPasswordDetection.Update(ctx, &management.UpdateBreachedPasswordDetectionRequestContent{
        Enabled: management.Bool(true),
        Method: management.String("standard"),
    })
    if err != nil {
        log.Fatalf("Failed to enable breached password detection: %v", err)
    }

    // Enable brute force protection
    _, err = client.Management.AttackProtection.BruteForceProtection.Update(ctx, &management.UpdateBruteForceProtectionRequestContent{
        Enabled: management.Bool(true),
        MaxAttempts: management.Int(10),
    })
    if err != nil {
        log.Fatalf("Failed to enable brute force protection: %v", err)
    }

    fmt.Println("All attack protection features enabled successfully")
}

Best Practices

  1. Enable Multiple Layers - Use multiple attack protection features together for defense in depth
  2. Monitor Logs - Regularly review security logs to identify attack patterns
  3. Test Changes - Test attack protection settings in a development environment first
  4. Maintain Allow Lists - Keep IP allow lists up to date to prevent blocking legitimate traffic
  5. Configure Notifications - Set up admin notifications for security events

Build docs developers (and LLMs) love

Get started for freeTalk to us