> Describes how Auth0 detects attacks to protect against malicious attempts to access your application, alert you and your users of suspicious activity, and block further login attempts.

# Bot Detection

<Card title="Before you start">
  To use one of the supported third-party CAPTCHA provider integrations, you need the provider’s configuration details. To learn more, read [Configure third-party CAPTCHA provider integrations](/docs/secure/attack-protection/bot-detection/configure-captcha).
</Card>

<Tooltip tip="Bot Detection: Form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process." cta="View Glossary" href="/docs/glossary?term=Bot+Detection">Bot Detection</Tooltip> mitigates scripted attacks by detecting when a request is likely coming from a bot. These types of attacks are sometimes called credential stuffing attacks or list validation attacks. Bot Detection mitigates these attacks while adding very little friction for legitimate users. Auth Challenge, the default bot detection response, verifies users without a visible CAPTCHA.

To learn more, read [Credential Stuffing Attacks: What Are They and How to Combat Them](https://auth0.com/resources/whitepapers/credential-stuffing-attacks).

Auth0 uses a large amount of data and statistical models to identify patterns that signal when bursts of login, signup, or password reset traffic are likely from a bot or script. Users who attempt to log in, create accounts, or reset passwords from IP addresses that have a high likelihood of being part of a credential stuffing attack are required to complete an additional verification step. The triggers detect traffic relating to these attacks without adding unnecessary friction to legitimate users.

## Configure Bot Detection

Once Bot Detection is enabled, you can customize its preferences, such as the detection model and the response actions. These settings apply to all connections in your tenant.

If you do not configure **Response** actions with Bot Detection enabled, Bot Detection operates in [Monitoring](/docs/secure/attack-protection#monitoring) mode. Monitoring mode records related events, including risk assessment details, in your tenant logs for review. To learn more, read [View Attack Protection Log Events](/docs/secure/attack-protection/view-attack-protection-events).

You can enable tenant logs for Risk Assessment in the [Auth0 Dashboard](https://manage.auth0.com/#).

1. Go to [Dashboard > Security > Attack Protection](https://manage.auth0.com/#/security/attack-protection) and select **Bot Detection**.
2. In the **Detection** section, enable the toggle.

   <Frame>
     <img src="https://mintcdn.com/docs-dev-docs-event-stream-action-templates/RDh-UBFSkTEu_d9f/docs/images/cdy7uua7fh8z/3q0HlAm0m0aLilEOAhQ81h/d8626e6e7572a1eb026421d17799d2f0/Screenshot_2024-02-01_at_10.43.58_AM.png?fit=max&auto=format&n=RDh-UBFSkTEu_d9f&q=85&s=91631924b9cb3ce7886eee955af3646e" alt="Detection section of the Attack protection screen" width="2122" height="1192" data-path="docs/images/cdy7uua7fh8z/3q0HlAm0m0aLilEOAhQ81h/d8626e6e7572a1eb026421d17799d2f0/Screenshot_2024-02-01_at_10.43.58_AM.png" />
   </Frame>

   <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
     If you cannot see the toggle to enable tenant logs for Risk Assessment, you may need to [upgrade your plan](https://manage.auth0.com/#/tenant/billing/subscription).
   </Callout>
3. In the **Response** section, choose a bot detection response.

   <Frame>
     <img src="https://mintcdn.com/docs-dev-docs-event-stream-action-templates/RDh-UBFSkTEu_d9f/docs/images/cdy7uua7fh8z/3vuVvc01mfCPdc70AU9Oq1/0d5b1519818211ba49c17f5c9e1d1887/2024-05-06_15-47-06.png?fit=max&auto=format&n=RDh-UBFSkTEu_d9f&q=85&s=dfafa22c5feb67a2fdb5af72bf2bda7b" alt="Dashboard - Attack Protection - Bot Detection" width="1200" height="1002" data-path="docs/images/cdy7uua7fh8z/3vuVvc01mfCPdc70AU9Oq1/0d5b1519818211ba49c17f5c9e1d1887/2024-05-06_15-47-06.png" />
   </Frame>

   When using Auth Challenge, the **Fail Open** toggle is disabled by default.

   If you enable the **Fail Open** toggle:

   * When the Bot Detection service is unreachable, Auth0 prioritizes availability of the authentication process and proceeds without a CAPTCHA challenge. End users do not see an error message and can still log in or register. Any scripted traffic that arrives during such an outage is not challenged either, so weigh this against the cost of blocking all logins while the service is down.
   * When the Bot Detection service is reachable, the authentication process proceeds with a CAPTCHA challenge.

   <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
     Auth Challenge is the default bot detection response, offering a CAPTCHA-free web experience with stronger privacy and a better user experience.

     As noted on the dashboard, this login experience requires JavaScript; if your login experience must work without JavaScript, select Simple CAPTCHA.
   </Callout>
4. Select when you want to require CAPTCHA for password flows, passwordless flows, and password reset flows.

   * **Never**: Never require your users to complete a CAPTCHA to log in.
   * **When Risky**: Only require your users to complete a CAPTCHA if the login matches your **Bot Detection Level** setting.
   * **Always**: Always require your users to complete a CAPTCHA to log in.
5. If you choose **When Risky** or **Always**, the **CAPTCHA Providers** field will appear in the **Response** section. Select **Auth Challenge** (provided by Auth0), **Simple CAPTCHA** (provided by Auth0), or one of the supported third-party provider integrations (requires external setup and registration).

   * If you choose **Auth Challenge** or **Simple CAPTCHA**, you are done. If your login experience does not support JavaScript, you must select **Simple CAPTCHA**.
   * If you choose one of our third-party provider integrations, enter the provider’s configuration details. To learn more, read [Configure third-party CAPTCHA provider integrations](/docs/secure/attack-protection/bot-detection/configure-captcha).
   * If you choose **Simple CAPTCHA**, the CAPTCHA image is not legible to screen readers.
6. If you choose **When Risky**, the **Bot Detection Level** field will appear in the **Response** section. Select the security level that best fits your use case. For more information, read [Configure Bot Detection Level](/docs/secure/attack-protection/bot-detection#configure-bot-detection-level).
7. Select **Save**.

## Configure Bot Detection Level

Configure the **Bot Detection Level** setting to match your risk tolerance and business needs.

There are three settings to choose from:

1. **Low**: Triggers CAPTCHA when there is a high chance of bot activity, providing a relatively frictionless experience for real users.
2. **Medium**: Default. Triggers CAPTCHA when there is a moderate chance of bot activity, providing a balance of security and experience for real users.
3. **High**: Triggers CAPTCHA when there is a small chance of bot activity, providing more security but potentially more friction for real users.

<Frame>
  <img src="https://mintcdn.com/docs-dev-docs-event-stream-action-templates/wYcZudKzAy7DVE3d/docs/images/cdy7uua7fh8z/6HSMEXmDHVks6aUH0FUTPo/e0ca6efd3de736113e5a53e9fc27ab7e/Bot_Detection_Levels_-_English.png?fit=max&auto=format&n=wYcZudKzAy7DVE3d&q=85&s=b5cb618444996539e25790f5ceabdce4" alt="Auth0 Dashboard > Security > Attack Protection to access this slider" data-og-width="609" width="609" data-og-height="905" height="905" data-path="docs/images/cdy7uua7fh8z/6HSMEXmDHVks6aUH0FUTPo/e0ca6efd3de736113e5a53e9fc27ab7e/Bot_Detection_Levels_-_English.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/docs-dev-docs-event-stream-action-templates/wYcZudKzAy7DVE3d/docs/images/cdy7uua7fh8z/6HSMEXmDHVks6aUH0FUTPo/e0ca6efd3de736113e5a53e9fc27ab7e/Bot_Detection_Levels_-_English.png?w=280&fit=max&auto=format&n=wYcZudKzAy7DVE3d&q=85&s=8e56883fa4caac55fdc50898ee1d44f0 280w, https://mintcdn.com/docs-dev-docs-event-stream-action-templates/wYcZudKzAy7DVE3d/docs/images/cdy7uua7fh8z/6HSMEXmDHVks6aUH0FUTPo/e0ca6efd3de736113e5a53e9fc27ab7e/Bot_Detection_Levels_-_English.png?w=560&fit=max&auto=format&n=wYcZudKzAy7DVE3d&q=85&s=548e257e13f24cad66a6a9e130fe0a1f 560w, https://mintcdn.com/docs-dev-docs-event-stream-action-templates/wYcZudKzAy7DVE3d/docs/images/cdy7uua7fh8z/6HSMEXmDHVks6aUH0FUTPo/e0ca6efd3de736113e5a53e9fc27ab7e/Bot_Detection_Levels_-_English.png?w=840&fit=max&auto=format&n=wYcZudKzAy7DVE3d&q=85&s=ca9e12387737c3196b1941ca31d7dce4 840w, https://mintcdn.com/docs-dev-docs-event-stream-action-templates/wYcZudKzAy7DVE3d/docs/images/cdy7uua7fh8z/6HSMEXmDHVks6aUH0FUTPo/e0ca6efd3de736113e5a53e9fc27ab7e/Bot_Detection_Levels_-_English.png?w=1100&fit=max&auto=format&n=wYcZudKzAy7DVE3d&q=85&s=b5b762ee413a3f06447968cbf8639e4f 1100w, 
https://mintcdn.com/docs-dev-docs-event-stream-action-templates/wYcZudKzAy7DVE3d/docs/images/cdy7uua7fh8z/6HSMEXmDHVks6aUH0FUTPo/e0ca6efd3de736113e5a53e9fc27ab7e/Bot_Detection_Levels_-_English.png?w=1650&fit=max&auto=format&n=wYcZudKzAy7DVE3d&q=85&s=59f307e2ccf1829cbf6799a583d0cd42 1650w, https://mintcdn.com/docs-dev-docs-event-stream-action-templates/wYcZudKzAy7DVE3d/docs/images/cdy7uua7fh8z/6HSMEXmDHVks6aUH0FUTPo/e0ca6efd3de736113e5a53e9fc27ab7e/Bot_Detection_Levels_-_English.png?w=2500&fit=max&auto=format&n=wYcZudKzAy7DVE3d&q=85&s=626389e7dbe222c4046de435b6951df4 2500w" />
</Frame>

## Allow trusted IP addresses to bypass Bot Detection

You can allow up to 100 discrete IP addresses and/or CIDR ranges (IPv4 or IPv6) to bypass Bot Detection by adding them to the **IP AllowList** field. Auth0 does not enforce blocking and does not send alerts for IP addresses or CIDR ranges on this list. Keep the list narrow: every address in an allowlisted range skips Bot Detection entirely, so avoid broad prefixes and shared egress points such as corporate NAT or proxy pools unless you accept that all traffic behind them goes unchallenged.

1. Go to [Dashboard > Security > Attack Protection](https://manage.auth0.com/#/security/attack-protection), and select **Bot Detection**.
2. In the **IP AllowList** field, enter the IP addresses and/or CIDR ranges you want to bypass Bot Detection. Separate multiple addresses or ranges with commas.
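
A small audit script for a candidate **IP AllowList** value, as an added example (not Auth0's own code). It reproduces the limits stated above (at most 100 entries, IPv4 or IPv6 addresses or CIDR ranges, comma-separated) and then flags entries a reviewer would question before saving: prefixes broad enough to exempt large networks, private or link-local ranges that can never match a client's public source address, and entries already covered by a wider one. The broad-prefix thresholds and the non-routable list are my assumptions, and the sample value is constructed.

```python
"""Audit a candidate IP AllowList before saving it in Bot Detection.

Added example, not Auth0's own code. The hard limit (100 entries, IPv4 or
IPv6 addresses or CIDR ranges, comma-separated) comes from the documentation;
the broad-prefix thresholds and the non-routable list are assumptions.
"""
import ipaddress

MAX_ENTRIES = 100
# Assumed review thresholds: a prefix shorter than this exempts a lot of hosts.
BROAD_PREFIX = {4: 24, 6: 64}
# Auth0 sees the client's public source address, so these ranges never match.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_allowlist(text):
    """Turn the comma-separated field value into ip_network objects; a bare host becomes /32 or /128."""
    entries = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        try:
            entries.append(ipaddress.ip_network(item, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid allowlist entry {item!r}: {exc}") from exc
    return entries


def audit_allowlist(entries):
    """Return a list of {'entry', 'code', 'detail'} warnings; an empty list means nothing stood out."""
    warnings = []

    def warn(net, code, detail):
        warnings.append({"entry": str(net), "code": code, "detail": detail})

    if len(entries) > MAX_ENTRIES:
        warn("*", "too_many", f"{len(entries)} entries; the field accepts at most {MAX_ENTRIES}")

    for i, net in enumerate(entries):
        if net.prefixlen < BROAD_PREFIX[net.version]:
            warn(net, "broad",
                 f"/{net.prefixlen} is broader than /{BROAD_PREFIX[net.version]}; every host in it skips Bot Detection")
        if any(net.version == r.version and net.overlaps(r) for r in NON_ROUTABLE):
            warn(net, "non_routable", "private or link-local range; it never matches a client's public address")
        for j, other in enumerate(entries):
            if i == j or other.version != net.version:
                continue
            # Flag exact duplicates (keeping the first) and entries that sit inside a wider entry.
            if net.subnet_of(other) and (other.prefixlen < net.prefixlen or j < i):
                warn(net, "redundant", f"already covered by {other}")
                break
    return warnings


# Constructed sample value, as it would be pasted into the IP AllowList field.
SAMPLE = "203.0.113.0/24, 198.51.100.7, 2001:db8::/32, 10.0.0.0/8, 203.0.113.42"

if __name__ == "__main__":
    for w in audit_allowlist(parse_allowlist(SAMPLE)):
        print(f"{w['entry']:>18}  {w['code']:<12} {w['detail']}")
```

Run against the sample, the audit flags `2001:db8::/32` and `10.0.0.0/8` as broad, `10.0.0.0/8` as non-routable, and `203.0.113.42` as redundant because `203.0.113.0/24` already contains it. Treat the warnings as review prompts rather than hard failures: a `/24` for a known office egress may be exactly what you want, but it should be a deliberate choice.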

## Configure signup detection model for Custom Login Page and Classic Login Experience

Auth0 provides a signup detection machine-learning model, distinct from the login model, that addresses different attack types by analyzing unique signals.

This model allows CAPTCHA to behave differently between signup and login flows to provide stronger protection against signup attacks and align with the latest security advancements.

<Warning>
  Ensure all applications using [Auth0.js](https://github.com/auth0/auth0.js/) and/or [Lock](https://github.com/auth0/lock) are using the most recent library version(s) before you enable this model:

  * **Auth0.js**: 9.28.0+
  * **Lock**: 13.0+

  If you enable this model while using an outdated library, your application may encounter errors.
</Warning>

You can configure the detection model that Bot Detection uses for signup flows when using a [Custom Login Page](/docs/customize/login-pages) or the [Classic Login Experience](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login/classic-experience) in the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>.

1. Go to [Dashboard > Security > Attack Protection](https://manage.auth0.com/#/security/attack-protection), and select **Bot Detection**.
2. Locate the **Detection Models** section.
3. Enable the toggle for **Signup detection models for custom and classic login pages**.

## Restrictions and limitations

### Flow limitations

Bot Detection works for web and mobile applications that use [Auth0 Universal Login](/docs/authenticate/login/auth0-universal-login). For applications that do not use <Tooltip tip="Universal Login: Your application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity." cta="View Glossary" href="/docs/glossary?term=Universal+Login">Universal Login</Tooltip>, levels of support are limited, in particular for flows that cannot support a CAPTCHA or reCAPTCHA challenge.

Ensure all of your login experiences are supported before you enable Bot Detection, or you may introduce errors into your application.

| Flow                                                                                                                               | Limitation                                                                                                                                                                                                                                                                         |
| ---------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Universal Login                                                                                                                    | Supported by default.                                                                                                                                                                                                                                                              |
| Classic Login (no customizations)                                                                                                  | Supported by default.                                                                                                                                                                                                                                                              |
| Classic Login (Custom Login Page using **Lock** template)                                                                          | Supported if using `lock.js` SDK version 12.4.0 or higher.                                                                                                                                                                                                                         |
| Classic Login (Custom Login Page using **Custom Login Form** template)                                                             | Supported if using `auth0.js` SDK version 9.24 or higher, and you enhance your code to handle a CAPTCHA or reCAPTCHA challenge.                                                                                                                                                    |
| Native applications                                                                                                                | Supported if using one of the following SDKs:<ul><li>`Auth0.swift` version 1.28.0+</li><li>`Auth0.Android` version 1.25.0+</li><li>`Lock.Swift` version 2.19.0+</li><li>`Lock.Android` version 2.22.0+</li></ul>                                                                   |
| Regular Web or Native applications using Resource Owner Password Flow                                                              | Supported in a limited capacity. Bot Detection Response such as CAPTCHA requires an interactive flow and therefore is not supported. If the `requires_verification` error is returned by the SDK, you must trigger a web-based login flow for the user to complete authentication. |
| Flows not hosted by Auth0 using `lock.js` or `auth0.js` SDK which perform cross-origin authentication (`co/authenticate` endpoint) | Not supported.                                                                                                                                                                                                                                                                     |
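
The `requires_verification` row above, worked through as an added example (not Auth0's or its SDKs' code): a Python client attempts the Resource Owner Password grant at `/oauth/token` and, when Auth0 answers with `requires_verification`, builds an Authorization Code + PKCE `/authorize` URL so the user can finish in a web-based flow where Universal Login can render the challenge, instead of retrying the grant. The tenant domain, client ID and redirect URI are placeholders, and the HTTP transport is injectable so the branch can be exercised offline with a constructed error response.

```python
"""Resource Owner Password flow with a Bot Detection fallback.

Added example, not Auth0's own code. Assumes a tenant at AUTH0_DOMAIN, a
client with the password grant enabled, and REDIRECT_URI registered as an
allowed callback for the web-based fallback; all three values are placeholders.
"""
import base64
import hashlib
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

AUTH0_DOMAIN = "your-tenant.us.auth0.com"          # placeholder
CLIENT_ID = "YOUR_CLIENT_ID"                       # placeholder
REDIRECT_URI = "https://app.example.com/callback"  # placeholder
SCOPE = "openid profile"


class VerificationRequired(Exception):
    """Auth0 answered `requires_verification`: Bot Detection wants an interactive challenge."""


def _http_post_form(url, body):
    """Real transport: POST a form body and return (status, parsed JSON), also for 4xx answers."""
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"}
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.load(err)
        except ValueError:
            return err.code, {"error": "http_error", "error_description": str(err)}


def password_grant(username, password, post=_http_post_form):
    """Exchange credentials at /oauth/token. `post` is injectable so the flow runs offline in tests."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": CLIENT_ID,
        "scope": SCOPE,
    }).encode()
    status, payload = post(f"https://{AUTH0_DOMAIN}/oauth/token", body)
    if status == 200 and "access_token" in payload:
        return payload
    if payload.get("error") == "requires_verification":
        raise VerificationRequired(payload.get("error_description", ""))
    raise RuntimeError(f"token request failed: {payload.get('error')}: {payload.get('error_description')}")


def pkce_challenge(verifier):
    """S256 code challenge: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_url(login_hint, state, code_challenge):
    """/authorize URL for the web-based flow, where Universal Login can render the challenge."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "login_hint": login_hint,
    }
    return f"https://{AUTH0_DOMAIN}/authorize?" + urllib.parse.urlencode(params)


def login(username, password, post=_http_post_form):
    """Try the password grant; on requires_verification hand back a redirect instead of retrying.

    Retrying /oauth/token cannot satisfy the challenge. The caller opens the
    returned URL in a browser or system web view, checks `state` on the callback,
    and completes the code exchange with `code_verifier`.
    """
    try:
        return {"action": "tokens", "tokens": password_grant(username, password, post)}
    except VerificationRequired as challenge:
        code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
        state = secrets.token_urlsafe(16)
        return {
            "action": "redirect",
            "reason": str(challenge),
            "url": authorize_url(username, state, pkce_challenge(code_verifier)),
            "state": state,
            "code_verifier": code_verifier,
        }
```

The value is in the branch, not the grant: the client never loops on `/oauth/token` hoping the verdict changes, it never forwards the password into the redirect, and the fallback uses PKCE plus a random `state` so the interactive flow it opens is no weaker than a normal Universal Login. Password-based grants should remain the exception in any case; where a redirect-based flow is possible, use it from the start and this fallback is never reached.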

### Connection type limitations

Depending on the types of connections you use, Bot Detection has the following limitations.

| Connection Type       | Limitation                                                                                      |
| --------------------- | ----------------------------------------------------------------------------------------------- |
| Database              | Supported if the login uses a compatible login flow as described in the Flow limitations table. |
| Custom database       | Supported if the login uses a compatible login flow as described in the Flow limitations table. |
| Active Directory/LDAP | Supported if the login uses a compatible login flow as described in the Flow limitations table. |
| Enterprise            | Not supported.                                                                                  |
| Social Login          | Not supported.                                                                                  |
| Passwordless          | Supported if the login uses a compatible login flow as described in the Flow limitations table. |

### Custom login page support

If you build a custom login page using Auth0.js, you can enable Bot Detection to render a CAPTCHA step in scenarios when a login request is determined by Auth0 to be high-risk.

Your custom login form code must handle scenarios where the user is asked to pass a CAPTCHA step. To learn more, read [Add Bot Detection to Custom Login Pages](/docs/secure/attack-protection/bot-detection/bot-detection-custom-login-pages).

### Native application support

If you build native applications using an Auth0 SDK for the login flow, you can enable Bot Detection to render a CAPTCHA step in scenarios when a login request is determined by Auth0 to be high-risk.

Your native login code must handle scenarios where the user is asked to pass a CAPTCHA step. To learn more, read [Add Bot Detection to Native Applications](/docs/secure/attack-protection/bot-detection/bot-detection-native-apps).

## Learn more

* [Configure Third-Party CAPTCHA Provider Integrations](/docs/secure/attack-protection/bot-detection/configure-captcha)
* [Add Bot Detection to Custom Login Pages](/docs/secure/attack-protection/bot-detection/bot-detection-custom-login-pages)
* [Add Bot Detection to Native Applications](/docs/secure/attack-protection/bot-detection/bot-detection-native-apps)
* [Breached Password Detection](/docs/secure/attack-protection/breached-password-detection)
* [Brute-Force Protection](/docs/secure/attack-protection/brute-force-protection)
* [Suspicious IP Throttling](/docs/secure/attack-protection/suspicious-ip-throttling)
