Add Bot Detection to Native Applications
You can add Bot Detection to your native applications with little to no additional configuration depending on the SDK and authentication flow you are using.
Auth0.swift and Auth0.Android
If you’re using Universal Login, Bot Detection is supported automatically by the following SDK versions:
Auth0.swift version 1.28.0+
Auth0.Android version 1.25.0+
If you’re not using Universal Login, Bot Detection is supported, but you need to configure your application accordingly:
Your application must handle the requires_verification exception (which is thrown when a high-risk login attempt is detected) and then trigger a WebAuth flow to render a CAPTCHA verification step.
When you trigger the WebAuth flow, you may pass the login_hint parameter to prevent the user from needing to type in their username again.
Auth0.swift example
If your application performs database login/signup through the Authentication API, you must handle the isVerificationRequired error. This error indicates that the request was flagged as suspicious and an additional verification step is necessary to authenticate the user.
Auth0
    .authentication()
    .login(usernameOrEmail: email,
           password: password,
           realmOrConnection: connection,
           scope: scope)
    .start { result in
        switch result {
        case .success(let credentials): // ...
        case .failure(let error) where error.isVerificationRequired:
            DispatchQueue.main.async {
                Auth0
                    .webAuth()
                    .connection(connection)
                    .scope(scope)
                    .useEphemeralSession()
                    // ☝🏼 Otherwise a session cookie will remain
                    .parameters(["login_hint": email])
                    // ☝🏼 So the user doesn't have to type it again
                    .start { result in
                        // ...
                    }
            }
        case .failure(let error): // ...
        }
    }
In the case of signup, you can add an additional parameter to make the user land directly on the signup page:
.parameters(["login_hint": email, "screen_hint": "signup"])
Read Auth0.swift Getting Started for details on how to set up Universal Login.
Auth0.Android example
If your application performs database login/signup through the Authentication API, you must handle the AuthenticationException#isVerificationRequired() error. This error indicates that the request was flagged as suspicious and an additional verification step is necessary to log the user in.
final String email = "username@domain.com";
final String password = "a secret password";
final String realm = "my-database-connection";

AuthenticationAPIClient authentication = new AuthenticationAPIClient(account);
authentication.login(email, password, realm)
    .start(new BaseCallback<Credentials, AuthenticationException>() {
        @Override
        public void onFailure(AuthenticationException error) {
            if (error.isVerificationRequired()) {
                Map<String, Object> params = new HashMap<>();
                params.put("login_hint", email); // So the user doesn't have to type it again
                WebAuthProvider.login(account)
                    .withConnection(realm)
                    .withParameters(params)
                    .start(LoginActivity.this, new AuthCallback() {
                        // You might already have an AuthCallback instance defined
                        @Override
                        public void onFailure(@NonNull Dialog dialog) {
                            // Error dialog available
                        }

                        @Override
                        public void onFailure(AuthenticationException exception) {
                            // Error
                        }

                        @Override
                        public void onSuccess(@NonNull Credentials credentials) {
                            // Handle WebAuth success
                        }
                    });
            }
        }

        @Override
        public void onSuccess(Credentials payload) {
            // Handle API success
        }
    });
In the case of signup, you can add an additional parameter to make the user land directly on the signup page:
params.put("screen_hint", "signup");
Read Auth0.Android Authentication with Universal Login SDK documentation for details on how to set up Universal Login.
Lock.Swift and Lock.Android
If you’re using Universal Login, Bot Detection is supported automatically by the following SDK versions:
Lock.Swift version 2.19.0+
Lock.Android version 2.22.0+
If you’re not using Universal Login, Bot Detection is supported, but you need to configure your application accordingly:
Your application must handle the requires_verification exception (which is thrown when a high-risk login attempt is detected) and then trigger a WebAuth flow to render a CAPTCHA verification step.
When you trigger the WebAuth flow, you may pass the login_hint parameter to prevent the user from needing to type in their username again.
Authentication API
If you’re using the Authentication API directly, Bot Detection is supported, but you need to configure your application accordingly:
Your application must handle the requires_verification error (which is returned by the Authentication API when a high-risk login attempt is detected) and then trigger a WebAuth flow to render a CAPTCHA verification step.
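The fallback for direct Authentication API callers, sketched in Python as an added example (not part of the original Auth0 documentation or SDKs): it recognises the requires_verification error in a login response and builds the /authorize URL for the WebAuth step, with PKCE (RFC 7636) and login_hint. The function names, the sample response bodies, the scope value and the assumption that the error arrives as a JSON body with an "error" field are all illustrative.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed sample error bodies, not captured from a real tenant.
FLAGGED = '{"error": "requires_verification", "error_description": "Suspicious request requires verification"}'
WRONG_PASSWORD = '{"error": "invalid_grant", "error_description": "Wrong email or password."}'

def needs_verification(body):
    """Assumption: the login error is an OAuth-style JSON body with an "error" field."""
    try:
        payload = json.loads(body)
    except ValueError:
        return False  # Not JSON: treat as an ordinary failure, never as a pass
    return isinstance(payload, dict) and payload.get("error") == "requires_verification"

def pkce_pair():
    """Return (code_verifier, S256 code_challenge) as defined in RFC 7636."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def webauth_fallback(body, domain, client_id, redirect_uri, connection, email, signup=False):
    """Return None when no fallback applies, else the /authorize URL plus the
    state and code_verifier the app must keep to validate and finish the flow."""
    if not needs_verification(body):
        return None
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",  # Assumed scope; use your application's own
        "connection": connection,
        "login_hint": email,  # So the user doesn't have to type it again
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if signup:
        params["screen_hint"] = "signup"  # Land directly on the signup page
    url = f"https://{domain}/authorize?{urlencode(params)}"
    return {"url": url, "state": state, "code_verifier": verifier}
```

Only the requires_verification code triggers the browser step; every other error, including an unparsable body, stays on the normal failure path so a wrong password is never silently converted into a WebAuth prompt.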