User Lockouts: What to Expect After Too Many Failed Login Attempts
Author:
Fluent Commerce
Changed on:
3 July 2025
Overview
This explains what happens when an is temporarily locked due to multiple failed login attempts, whether caused by a user entering the wrong password or an integration using outdated credentials.
After reading this , you will understand:
- What triggers a username lockout in Fluent
- How the lockout works
- What actions users and integration owners should take
Key Points to Know:
- Lockouts are temporary (15 minutes).
- Applies to both web console users and API clients.
- A lockout is enforced even if the correct password is entered after the threshold is reached.
Key points
- Accounts are locked after multiple failed login attempts ( 5 attempts).
- Lockouts are specific to the username with failed login attempts
- The lockout period is 15 minutes, starting from the last failed attempt.
- Lockouts apply across all login methods (web, API, scripts) using the same username.
- During a lockout for a given username:
- All logins (even with correct credentials) will return an error
- The error message will be exactly the same as providing an incorrect username and password (even with correct credentials)
- The login screen and error messages will clearly reflect lockout status.
- Technical users maintaining integration code should ensure their code does not retry authentication more than 5 times.
- Avoid account sharing between UI users and integrations to prevent cross-impact.
- Contact Support if you're locked out and need urgent access.
🔐 What Triggers a Lockout?
Fluent temporarily locks an for a given user if there are multiple consecutive failed login attempts, such as:
- Typing the wrong password repeatedly
- A script or API integration using outdated credentials
- Password manager autofilling an old password
- Another person is using a shared account username and failing to log in
⏳ How Long Does the Lockout Last?
- The default lockout duration is 15 minutes from the time of the last failed login.
- During this window, all login attempts will fail, even if the correct password is used.
🔓 How can I tell if I've been locked out?
Unfortunately, for security reasons, there is no surefire way to tell if your user is locked out or if you are simply providing the wrong username or password.
🧾 What Happens When You’re Locked Out?
Login Method | What You’ll See or Receive |
Web (Console) | When too many failed authentication attempts are detected, the web app will warn the user that they may be locked out. |
API/Script | The same error response as providing an incorrect username/password |
👥 If You Use the Web Login
You might get locked out if:
- You mistype your password too many times (Caps Lock, keyboard layout)
- Autofill uses your old password
- Someone else is using your account and getting it wrong
What to do:
- Wait for 15 minutes, then try again
- Contact Support if it's urgent
🤖 If You Use API or Integration Access
You might get locked out if:
- Your script is using the wrong password
- Your password was changed, but the script wasn't updated
- The script is retrying too aggressively without handling failures
What to do:
- Wait till the lockout expires
- Contact Support if critical workflows are blocked
🧠 Best Practices to Avoid Lockouts
- Use separate accounts for web login vs API integrations
- Don’t share credentials between people or systems
- Monitor integration logs for 400/500 errors
- Implement retry logic with backoff for all automated systems
- When rotating credentials, update all systems simultaneously
🆘 Need Help?
If you’ve waited for the lockout window and still can’t log in:
- Web users: Contact Support
- Integration users: ensure your credentials are correct, and contact Support if your access is blocked
