Brute-Force Login Protection for Web and API Access

This release introduces automatic lockouts for individual usernames after repeated failed login attempts, strengthening protection against brute-force attacks. If a user, whether logging in through the web console or via an integration, exceeds the allowed number of failed attempts, they will be temporarily blocked from logging in.

Key Features

• Username-Specific Lockouts: Lockouts apply only to the specific username and do not impact other users or systems within the same account.
• Setup Convenience: No setup is required to benefit from this feature, ensuring seamless implementation and reduced security risks

Initial Release: Brute-Force Login Protection

• Feature: Automatically locks a username for 15 minutes after 5 failed login attempts within a rolling 15-minute window.
• Scope: Applies to all authentication via the `/oauth/token` endpoint (UI and API).
• API Response for Locked Users:
  • Non-SSO User
    • Same response as providing incorrect username/password.
    • HTTP Code: 400 Bad Request
    • JSON response body:
      

1{
2    "error": "invalid_grant",
3    "error_description": "Bad credentials"
4}

• API Response for Locked Users:
  • SSO User
    • Same response as providing incorrect username/password.
    • HTTP Code: 500 Internal Server Error
    • JSON response body: 

1{
2    "errors": [
3        {
4            "code": "400",
5            "message": "The username or password you entered is incorrect. Please try again."
6        }
7    ]
8}

Unaffected Areas: Existing valid sessions remain active; no impact to "Forgot Password" flow.

Reference: See User Lockouts: What to Expect After Too Many Failed Login Attempts for full behavior, examples, and best practices.