
> Learn how to use Attack Protection with Custom Token Exchange.

# Attack Protection with Custom Token Exchange

export const ReleaseStageNotice = ({feature, stage, plans, contact, terms}) => {
  const stageTextMap = {
    "beta": "Beta",
    "ea": "Early Access"
  };
  const stageText = stageTextMap[stage] || "a product release stage";
  const prsLink = "/docs/troubleshoot/product-lifecycle/product-release-stages";
  const linkify = (text, url) => {
    return <a href={url} target="_blank" rel="noreferrer" class="link">{text}</a>;
  };
  const includeDetails = (plans, contact, terms) => {
    const hasDetails = terms || plans || contact;
    if (!hasDetails) return null;
    return <span data-as="p">
            {plans && <>This feature is available for {linkify(`${plans} plans`, "https://auth0.com/pricing")}. </>}
            {contact && "To participate, contact " + contact + ". "}
            {terms && <>By using this feature, you agree to the applicable Free Trial terms in Okta's {linkify("Master Subscription Agreement", "https://www.okta.com/legal")}.</>}
        </span>;
  };
  return <Warning>
            <span data-as="p">
                <strong>The {feature} feature is in {linkify(stageText, prsLink)}.</strong>
            </span>

            {includeDetails(plans, contact, terms)}
        </Warning>;
};

<ReleaseStageNotice feature="Custom Token Exchange (CTE)" stage="ea" plans="B2C Professional, B2B Professional, and Enterprise" terms="true" />

To protect against spoofing and replay attacks, which involve unauthorized attempts to compromise or reuse a `subject_token`, Custom Token Exchange supports [Suspicious IP Throttling](/docs/secure/attack-protection/suspicious-ip-throttling). This enables you to indicate in your Actions code when a subject token is invalid, allowing Auth0 to count the number of failed attempts sent from that external IP.

When the number of failed attempts from an IP address reaches a pre-configured threshold, Auth0 blocks traffic for a Custom Token Exchange request coming from that IP with the following error:

```json lines theme={null}
HTTP/1.1 429 Too Many Requests
Content-Type: application/json
{
    "error": "too_many_attempts",
    "error_description": "We have detected suspicious login behavior and further attempts will be blocked. Please contact the administrator."
}
```

The IP address can start making requests again after a configured period of time.

We recommend you use Suspicious IP Throttling for all Custom Token Exchange use cases, especially with native applications and single-page applications (SPAs). Because non-confidential applications like native applications and SPAs can’t securely store secrets to authenticate themselves, attackers can more easily re-use stolen or leaked subject tokens.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  To implement Suspicious IP Throttling protection, use `api.access.rejectInvalidSubjectToken` in your Actions code whenever the received subject token does not pass strong validation.
</Callout>

Suspicious IP Throttling is activated by default for Auth0 tenants. When activated, the default settings for Custom Token Exchange will be applied:

* Threshold: 10. Maximum number of failed attempts for an IP address.
* Throttling rate: 6 per hour. One additional attempt will become available after every 10 minutes until the threshold is refilled.

<Frame>
  <img src="https://mintcdn.com/docs-dev-docs-event-stream-action-templates/RDh-UBFSkTEu_d9f/docs/images/cdy7uua7fh8z/47PB3OAci9fotSHFrCNBVn/1bafbaacbeb22a4d94eb78506ab89bb8/Screenshot_2025-02-03_at_4.44.29_PM.png?fit=max&auto=format&n=RDh-UBFSkTEu_d9f&q=85&s=77528b0c43cd6c969daeb43f4094ed71" alt="" width="1244" height="966" data-path="docs/images/cdy7uua7fh8z/47PB3OAci9fotSHFrCNBVn/1bafbaacbeb22a4d94eb78506ab89bb8/Screenshot_2025-02-03_at_4.44.29_PM.png" />
</Frame>

## Configure Suspicious IP Throttling for Custom Token Exchange

You can configure a custom threshold and throttling rate for the Custom Token Exchange with the Management API.

First, [get a Management API token](/docs/secure/tokens/access-tokens/management-api-access-tokens#get-management-api-tokens) to consume the API. Then, make the following `GET` request to the [Get Suspicious IP Throttling settings endpoint](https://auth0.com/docs/api/management/v2/attack-protection/get-suspicious-ip-throttling):

```bash lines theme={null}
curl --location 'https://{yourDomain}/api/v2/attack-protection/suspicious-ip-throttling' \
--header 'Authorization: Bearer <YOUR_MANAGEMENT_API_TOKEN>'
```

You will receive a response like the following:

```json lines theme={null}
{
  "enabled": true,
  "shields": [
    "admin_notification",
    "block"
  ],
  "allowlist": [],
  "stage": {
    "pre-login": {
      "max_attempts": 100,
      "rate": 864000
    },
    "pre-user-registration": {
      "max_attempts": 50,
      "rate": 1200
    },
    "pre-custom-token-exchange": {
      "max_attempts": 10,
      "rate": 600000
    }
  }
}
```

Use the following `PATCH` request to update the `pre-custom-token-exchange` stage with the needed values. Note that `rate` is the interval of time in milliseconds at which one new attempt is granted: the default `rate` of `600000` is 10 minutes, which corresponds to the default throttling rate of 6 per hour.

```bash lines theme={null}
curl --location --request PATCH 'https://{yourDomain}/api/v2/attack-protection/suspicious-ip-throttling' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <YOUR_MANAGEMENT_API_TOKEN>' \
--data '{"stage":{"pre-custom-token-exchange":{"max_attempts":10,"rate":600000}}}'
```
