Prevent Logins from a Particular Client without Blocking the IP Address within Auth0

Overview

Logins coming from a particular client that is no longer using the service need to be prevented. Deleting the client would not stop its automated requests from hitting Auth0, and blocking the IP address is not possible because it is shared with other active clients.

Applies To

  • Client requests
  • Actions

Solution

To prevent login requests coming from a particular client that shares the same IP address as other active clients, use an Action that calls api.access.deny. In the Action, add an if check: when event.client.name matches the name of the blocked client, call api.access.deny("reason") to deny the request.

In order to implement this, please follow the steps below:

  1. Navigate to Auth0 Dashboard > Actions > Triggers.
  2. Click on Post-Login Trigger.
  3. Add Action > Use the template below as a reference and click Deploy.
  4. Navigate back to the Post-login Trigger.
  5. Then drag the action into the trigger and hit Apply.

  exports.onExecutePostLogin = async (event, api) => {
    // Deny the login when the request comes from the blocked application.
    if (event.client.name === "Unallowed Application") {
      return api.access.deny("Access denied for this application.");
    }
  };
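
A variant of the Action above, as an added example (not Auth0's own template): it matches on event.client.client_id, which stays fixed when an application is renamed in the Dashboard, and reads the blocked IDs from an Action secret so the list can change without editing code. The secret name BLOCKED_CLIENT_IDS, the simulate helper and the sample client IDs are assumptions made for illustration.

```javascript
// Added example: deny by client_id using a blocklist kept in an Action secret.
// BLOCKED_CLIENT_IDS is a hypothetical secret name; all IDs used here are constructed.

// Parse a comma-separated secret into a Set of trimmed, non-empty client IDs.
function parseBlocklist(raw) {
  return new Set(
    String(raw || "")
      .split(",")
      .map((id) => id.trim())
      .filter((id) => id.length > 0)
  );
}

const onExecutePostLogin = async (event, api) => {
  const secrets = event.secrets || {};
  const blocked = parseBlocklist(secrets.BLOCKED_CLIENT_IDS);

  // An empty or missing secret blocks nothing, so other clients keep working.
  if (blocked.has(event.client.client_id)) {
    // Record which application was refused so the denial can be traced later.
    console.log(`Denied login: client_id=${event.client.client_id} name=${event.client.name}`);
    return api.access.deny("Access denied for this application.");
  }
};

// Auth0 loads the handler from exports; the guard lets the file run where exports is absent.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Local check with a constructed event and a stub api exposing only access.deny.
// Returns the list of reasons passed to api.access.deny (empty when the login is allowed).
function simulate(clientId, clientName, secretValue) {
  const denied = [];
  const api = { access: { deny: (reason) => denied.push(reason) } };
  const event = {
    client: { client_id: clientId, name: clientName },
    secrets: { BLOCKED_CLIENT_IDS: secretValue },
  };
  onExecutePostLogin(event, api); // no await in the handler body, so it completes synchronously
  return denied;
}
```

Set the secret in the Action editor to the comma-separated client IDs to block, then deploy and attach the Action to the Post-Login trigger as in the steps above.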
