Security Settings
Configure account lockout, bot protection, sign-up modes, and email restrictions to protect your application.
Overview
AuthCore provides enterprise-grade security features that can be configured per-tenant. All security settings are stored in the database and can be managed through the SecuritySettings component or API.
🔒 Account Lockout
Protect against brute force attacks by locking accounts after failed attempts
🤖 Bot Protection
Block automated attacks and suspicious registration patterns
📧 Email Restrictions
Control who can sign up with allowlists, blocklists, and domain restrictions
🎫 Sign-up Modes
Control registration flow: Public, Restricted, or Waitlist-only
Account Lockout Configuration
Prevent brute force attacks by locking accounts after too many failed login attempts.
Database Configuration
Setting via API
Using SecuritySettings Component
How It Works:
- Failed login attempts are tracked in the database
- After maxLoginAttempts failures, the account is locked
- The user receives a 423 (Locked) response with the lockout duration
- After lockoutDuration minutes, the account auto-unlocks
- Set lockoutDuration: null for a permanent lockout (admin must unlock)
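The lockout flow above, as an added example that is not AuthCore's own code: an in-memory model of the counter, the 423 response, timed auto-unlock and the permanent (null) case. The names LockoutPolicy, LoginTracker and adminUnlock are assumptions for illustration, not AuthCore identifiers.

```typescript
// Added example (not AuthCore's own code): an in-memory model of the lockout
// policy above. Names (LockoutPolicy, LoginTracker) are assumptions, not AuthCore APIs.
interface LockoutPolicy {
  maxLoginAttempts: number;
  lockoutDuration: number | null; // minutes; null = permanent (admin must unlock)
}
type AccountState = { failedAttempts: number; lockedAt: number | null }; // lockedAt in epoch ms
type LoginOutcome =
  | { status: 200 }
  | { status: 401 }
  | { status: 423; retryAfterMinutes: number | null }; // null = permanent lock

class LoginTracker {
  private accounts = new Map<string, AccountState>();
  constructor(private policy: LockoutPolicy) {}

  private stateFor(user: string): AccountState {
    const s: AccountState = this.accounts.get(user) ?? { failedAttempts: 0, lockedAt: null };
    this.accounts.set(user, s);
    return s;
  }

  // Evaluate one login attempt; `now` is injectable so lock expiry can be tested.
  attempt(user: string, passwordOk: boolean, now = Date.now()): LoginOutcome {
    const s = this.stateFor(user);
    const { maxLoginAttempts, lockoutDuration } = this.policy;
    if (s.lockedAt !== null) {
      const expiresAt = lockoutDuration === null ? Infinity : s.lockedAt + lockoutDuration * 60_000;
      if (now < expiresAt) {
        // Still locked: reject even a correct password and report the remaining time.
        const retryAfterMinutes = lockoutDuration === null ? null : Math.ceil((expiresAt - now) / 60_000);
        return { status: 423, retryAfterMinutes };
      }
      s.lockedAt = null; // lockoutDuration elapsed: auto-unlock and reset the counter
      s.failedAttempts = 0;
    }
    if (passwordOk) { s.failedAttempts = 0; return { status: 200 }; }
    s.failedAttempts += 1;
    if (s.failedAttempts >= maxLoginAttempts) {
      s.lockedAt = now; // threshold reached: lock and tell the client how long
      return { status: 423, retryAfterMinutes: lockoutDuration };
    }
    return { status: 401 };
  }

  // Admin path for permanent lockouts (lockoutDuration: null): only admins can clear them.
  adminUnlock(user: string): void { this.accounts.delete(user); }
}
```

A real deployment persists AccountState in the database rather than a Map, as the page notes, so the counter survives restarts and is shared across instances.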
Bot Protection
Enable bot protection to block automated attacks, suspicious patterns, and disposable email addresses.
Enable Bot Protection
Bot Protection Features:
- ✓ Blocks disposable email providers (tempmail, guerrillamail, etc.)
- ✓ Detects suspicious registration patterns
- ✓ Rate limiting on auth endpoints
- ✓ Optional: Block email subaddresses (plus addressing)
- ✓ CAPTCHA integration (configure separately)
Sign-up Modes
Control how users can register for your application.
Available Modes
PUBLIC Mode (Default)
Anyone can sign up freely. Best for consumer apps and SaaS products.
RESTRICTED Mode
Users must be invited or manually created by admins. Best for internal tools and B2B apps.
WAITLIST Mode
Users must join waitlist and be approved before signing up. Best for beta launches and exclusive access.
Waitlist Mode Example
Email Restrictions
Control who can sign up using email domain allowlists, blocklists, and specific email addresses.
Using EmailListManager Component
Programmatic Configuration
Complete Configuration Example
High-Security SaaS Application
Consumer SaaS with Beta Launch
Open Consumer Product
Environment Configuration
Some security settings can also be configured globally via environment variables.
Note
Environment variables set global defaults. Per-tenant database settings take precedence and allow fine-grained control per organization.
Monitoring & Audit Logs
All security events are automatically logged for auditing and monitoring.
Best Practices
✓ Start Secure, Loosen Later
Begin with restrictive settings (RESTRICTED mode, strict lockout) and relax them based on user feedback and abuse patterns.
✓ Monitor Lockout Events
If you see many legitimate users getting locked out, consider increasing maxLoginAttempts or reducing lockoutDuration.
✓ Use Waitlist for Beta Launches
Waitlist mode creates urgency and allows you to control growth. Great for beta launches and building hype.
✓ Enable Bot Protection
Always enable bot protection in production. It blocks most automated attacks with minimal impact on real users.
✗ Don't Make Lockout Too Strict
A maxLoginAttempts of 2-3 may frustrate users. Start with 5 and adjust based on data.
✗ Don't Use Permanent Lockouts Lightly
Setting lockoutDuration: null means users can't unlock themselves. Only use for high-security scenarios with admin support.
Next Steps
Account Lockout Details →
Deep dive into account lockout configuration and recovery
Email Restrictions →
Learn about allowlists, blocklists, and domain filtering
SecuritySettings Component →
Pre-built UI component for managing security settings
Waitlist Component →
Implement waitlist functionality for beta launches