Add Bot Detection to Native Applications

You can add Bot Detection to your native applications with little to no additional configuration, depending on the SDK and authentication flow you are using.

Auth0.swift and Auth0.Android

If you’re using Universal Login, Bot Detection is supported automatically by the following SDK versions:

  • Auth0.swift version 1.28.0+

  • Auth0.Android version 1.25.0+

If you’re not using Universal Login, Bot Detection is supported, but you need to configure your application accordingly:

  • Your application must handle the requires_verification exception (which is thrown when a high-risk login attempt is detected) and then trigger a WebAuth flow to render a CAPTCHA verification step.

  • When you trigger the WebAuth flow, you may pass the login_hint parameter to prevent the user from needing to type in their username again.

Auth0.swift example

If your application performs database login/signup through the Authentication API, you must handle the isVerificationRequired error. This error indicates that the request was flagged as suspicious and an additional verification step is necessary to authenticate the user.

Auth0
    .authentication()
    .login(usernameOrEmail: email, 
           password: password, 
           realmOrConnection: connection, 
           scope: scope)
    .start { result in
        switch result {
        case .success(let credentials):
            // ... handle API success
            break
        case .failure(let error) where error.isVerificationRequired:
            DispatchQueue.main.async {
                Auth0
                    .webAuth()
                    .connection(connection)
                    .scope(scope)
                    .useEphemeralSession()
                    // ☝🏼 Otherwise a session cookie will remain
                    .parameters(["login_hint": email])
                    // ☝🏼 So the user doesn't have to type it again
                    .start { result in
                        // ...
                    }
            }
        case .failure(let error):
            // ... handle other authentication errors
            break
        }
    }

In the case of signup, you can add an additional parameter to make the user land directly on the signup page:

.parameters(["login_hint": email, "screen_hint": "signup"])

Read Auth0.swift Getting Started for details on how to set up Universal Login.

Auth0.Android example

If your application performs database login/signup through the Authentication API, you must handle the AuthenticationException#isVerificationRequired() error. This error indicates that the request was flagged as suspicious and an additional verification step is necessary to log the user in.

final String email = "username@domain.com";
final String password = "a secret password";
final String realm = "my-database-connection";

AuthenticationAPIClient authentication = new AuthenticationAPIClient(account);
authentication.login(email, password, realm)
        .start(new BaseCallback<Credentials, AuthenticationException>() {

            @Override
            public void onFailure(AuthenticationException error) {
                if (error.isVerificationRequired()) {
                    Map<String, Object> params = new HashMap<>();
                    params.put("login_hint", email); // So the user doesn't have to type it again
                    WebAuthProvider.login(account)
                            .withConnection(realm)
                            .withParameters(params)
                            .start(LoginActivity.this, new AuthCallback() {
                                // You might already have an AuthCallback instance defined

                                @Override
                                public void onFailure(@NonNull Dialog dialog) {
                                    // Error dialog available
                                }

                                @Override
                                public void onFailure(AuthenticationException exception) {
                                    // Error
                                }

                                @Override
                                public void onSuccess(@NonNull Credentials credentials) {
                                    // Handle WebAuth success
                                }
                            });
                } else {
                    // Handle other authentication errors
                }
            }

            @Override
            public void onSuccess(Credentials payload) {
                // Handle API success
            }
        });

In the case of signup, you can add an additional parameter to make the user land directly on the signup page:

params.put("screen_hint", "signup");

Read Auth0.Android Authentication with Universal Login SDK documentation for details on how to set up Universal Login.

Lock.Swift and Lock.Android

If you’re using Universal Login, Bot Detection is supported automatically by the following SDK versions:

  • Lock.Swift version 2.19.0+

  • Lock.Android version 2.22.0+

If you’re not using Universal Login, Bot Detection is supported, but you need to configure your application accordingly:

  • Your application must handle the requires_verification exception (which is thrown when a high-risk login attempt is detected) and then trigger a WebAuth flow to render a CAPTCHA verification step.

  • When you trigger the WebAuth flow, you may pass the login_hint parameter to prevent the user from needing to type in their username again.

Authentication API

If you’re using the Authentication API directly, Bot Detection is supported, but you need to configure your application accordingly:

  • Your application must handle the requires_verification error (which is returned by the Authentication API when a high-risk login attempt is detected) and then trigger a WebAuth flow to render a CAPTCHA verification step.
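
The handling described above, as an added example that is not from the Auth0 documentation or SDKs (Python is used only to keep the HTTP-level logic short): it recognises the requires_verification error in an Authentication API response and builds the /authorize URL for the WebAuth fallback, carrying login_hint and, for signup, screen_hint. The domain, client ID, redirect URI and sample error body are constructed placeholders, and the response_type, connection, state and PKCE parameters are assumptions about a typical authorization code flow for a native app.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed sample of an Authentication API error body. Only the error
# code comes from the page; the description text is a placeholder.
SAMPLE_ERROR_BODY = (
    '{"error": "requires_verification", "error_description": "constructed sample"}'
)


def needs_verification(response_body: str) -> bool:
    """True when the API flagged the login attempt as high risk."""
    try:
        payload = json.loads(response_body)
    except ValueError:
        return False
    return isinstance(payload, dict) and payload.get("error") == "requires_verification"


def build_webauth_request(domain, client_id, redirect_uri, connection, email,
                          scope="openid profile", signup=False):
    """Return (authorize_url, state, code_verifier) for the browser-based fallback."""
    # PKCE (RFC 7636): the verifier stays on the device, only its hash is sent.
    code_verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    state = secrets.token_urlsafe(24)  # must match the value returned to the callback
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "connection": connection,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "login_hint": email,  # so the user doesn't have to type it again
    }
    if signup:
        params["screen_hint"] = "signup"  # land directly on the signup page
    return f"https://{domain}/authorize?{urlencode(params)}", state, code_verifier
```

Keep the returned state and code_verifier in memory for the callback: reject a callback whose state differs, and send the verifier only in the code exchange.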
