Before you start

To use one of the supported third-party CAPTCHA provider integrations, you need the provider’s configuration details. To learn more, read Configure third-party CAPTCHA provider integrations.
mitigates scripted attacks by detecting when a request is likely coming from a bot. These types of attacks are sometimes called credential stuffing attacks or list validation attacks. Bot Detection provides support against certain attacks and adds very little friction to legitimate users. Auth Challenge is our default bot detection response, which provides a CAPTCHA-free user verification. To learn more, read Credential Stuffing Attacks: What Are They and How to Combat Them. Auth0 uses a large amount of data and statistical models to identify patterns that signal when bursts of login, signup, or password reset traffic are likely from a bot or script. Users who attempt to log in, create accounts, or reset passwords from IP addresses that have a high likelihood of being part of a credential stuffing attack are required to complete an additional verification step. The triggers detect traffic relating to these attacks without adding unnecessary friction to legitimate users.

Configure Bot Detection

Auth0 enables Bot Detection by default for all connections. If you do not configure Response settings with Bot Detection enabled, Bot Detection operates in Monitoring mode. Monitoring mode records related events (with risk assessment information) in your tenant log for you to review. To learn more, read View Attack Protection Log Events. You can enable tenant logs for Risk Assessment in the Auth0 Dashboard.
  1. Go to Dashboard > Security > Attack Protection and select Bot Detection.
  2. In the Detection section, enable the toggle.
    Detection section of the Attack protection screen
    If you cannot see the toggle to enable tenant logs for Risk Assessment, you may need to upgrade your plan.
  3. In the Response section, choose a bot detection response.
    Dashboard - Attack Protection - Bot Detection
    When using Auth Challenge, the Fail open toggle is disabled by default.
    Auth Challenge is the default bot detection response, offering a CAPTCHA-free web experience with stronger privacy and a better user experience.As noted on the dashboard, this login experience requires Javascript; if your login experience is required to work without Javascript, select Simple CAPTCHA.
  4. Select when you want to require CAPTCHA for password flows, passwordless flows, and password reset flows.
    • Never: Never require your users to complete a CAPTCHA to log in.
    • When Risky: Only require your users to complete a CAPTCHA if the login matches your Bot Detection Level setting.
    • Always: Always require your users to complete a CAPTCHA to log in.
  5. If you choose When Risky or Always, the CAPTCHA Providers field will appear in the Response section. Select Auth Challenge (provided by Auth0), Simple CAPTCHA (provided by Auth0), or one of the supported third-party provider integrations (requires external setup and registration).
    • If you choose Auth Challenge or Simple CAPTCHA, you are done. If your login experience does not support JavaScript, you must select Simple CAPTCHA.
    • If you choose one of our third-party provider integrations, enter the provider’s configuration details. To learn more, read Configure third-party CAPTCHA provider integrations.
    • If you choose Simple CAPTCHA, the CAPTCHA image is not legible to screen readers.
  6. If you choose When Risky, the Bot Detection Level field will appear in the Response section. Select the security level that best fits your use case. For more information, read Configure Bot Detection Level.
  7. Select Save.

Configure Bot Detection Level

Configure the Bot Detection Level setting to match your risk tolerance and business needs. There are three settings to choose from:
  1. Low: Triggers CAPTCHA when there is a high chance of bot activity, providing a relatively frictionless experience for real users.
  2. Medium: Default. Triggers CAPTCHA when there is a moderate chance of bot activity, providing a balance of security and experience for real users.
  3. High: Triggers CAPTCHA when there is a small chance of bot activity, providing more security but potentially more friction for real users.
Auth0 Dashboard > Security > Attack Protection to access this slider

Allow trusted IP addresses to bypass Bot Detection

You can allow up to 100 discrete IP addresses and/or CIDR ranges (IPv4 or IPv6) to bypass Bot Detection by adding them to the IP AllowList field. Auth0 does not enforce blocking and does not send alerts for IP addresses or CIDR ranges on this list.
  1. Go to Dashboard > Security > Attack Protection, and select Bot Detection.
  2. In the IP AllowList field, enter the IP addresses and/or CIDR ranges you want to bypass Bot Detection. Separate multiple addresses or ranges with commas.

Configure signup detection model for Custom Login Page and Classic Login Experience

Auth0 provides a signup detection machine-learning model, distinct from the login model, that addresses different attack types by analyzing unique signals. This model allows CAPTCHA to behave differently between signup and login flows to provide stronger protection against signup attacks and align with the latest security advancements.
Ensure all applications using Auth0.js and/or Lock are using the most recent library version(s) before you enable this model:
  • Auth0.js: 9.28.0+
  • Lock: 13.0+
If you enable this model while using an outdated library, your application may encounter errors.
You can configure the detection model that Bot Detection uses for signup flows when using a Custom Login Page or the Classic Login Experience in the .
  1. Go to Dashboard > Security > Attack Protection, and select Bot Detection.
  2. Locate the Detection Models section.
  3. Enable the toggle for Signup detection models for custom and classic login pages.

Restrictions and limitations

Flow limitations

Bot Detection works for web and mobile applications that use Auth0 Universal Login. For applications that do not use , levels of support are limited, in particular for flows that cannot support a CAPTCHA or reCAPTCHA challenge. Ensure all of your login experiences are supported before you enable Bot Detection, or you may introduce errors into your application.
FlowLimitation
Universal LoginSupported by default.
Classic Login (no customizations)Supported by default.
Classic Login (Custom Login Page using Lock template)Supported if using lock.js SDK version 12.4.0 or higher.
Classic Login (Custom Login Page using Custom Login Form template)Supported if using auth0.js SDK version 9.24 or higher, and you enhance your code to handle a CAPTCHA or reCAPTCHA challenge.
Native applicationsSupported if using one of the following SDKs:
  • Auth0.swift version 1.28.0+
  • Auth0.Android version 1.25.0+
  • Lock.Swift version 2.19.0+
  • Lock.Android version 2.22.0+
Regular Web or Native applications using Resource Owner Password FlowSupported in a limited capacity. Bot Detection Response such as CAPTCHA requires an interactive flow and therefore is not supported. If the requires_verification error is returned by the SDK, you must trigger a web-based login flow for the user to complete authentication.
Flows not hosted by Auth0 using lock.js or auth0.js SDK which perform cross-origin authentication (co/authenticate endpoint)Not supported.

Connection type limitations

Depending on the types of connections you use, Bot Detection has the following limitations.
Connection TypeLimitation
DatabaseSupported if the login uses a compatible login flow as described in the Flow limitations table.
Custom databaseSupported if the login uses a compatible login flow as described in the Flow limitations table.
Active Directory/LDAPSupported if the login uses a compatible login flow as described in the Flow limitations table.
EnterpriseNot supported.
Social LoginNot supported.
PasswordlessSupported if the login uses a compatible login flow as described in the Flow limitations table.

Custom login page support

If you build a custom login page using Auth0.js, you can enable Bot Detection to render a CAPTCHA step in scenarios when a login request is determined by Auth0 to be high-risk. Your custom login form code must handle scenarios where the user is asked to pass a CAPTCHA step. To learn more, read Add Bot Detection to Custom Login Pages.

Native application support

If you build native applications using an Auth0 SDK for the login flow, you can enable Bot Detection to render a CAPTCHA step in scenarios when a login request is determined by Auth0 to be high-risk. Your custom login form code must handle scenarios where the user is asked to pass a CAPTCHA step. To learn more, read Add Bot Detection to Native Applications.

Learn more