Understanding Attack Protection Rate Limits for Identifier-First Login Flows

Overview

This article explains that attack protection rate limits, such as Suspicious IP Throttling, do not apply to identifier-first login flows where only the username or email is submitted. This occurs because no credential checking is involved on the initial page. The rate limits take effect only when a credential check happens.

Applies To
  • Suspicious IP Throttling
  • Brute Force protection
  • Identifier-first login flows

Cause

Attack protection rate limits are designed to prevent large-scale attacks that check many sets of credentials. In an identifier-first login flow, the /u/login/identifier page only collects the username or email. Since this action does not involve checking credentials, it does not trigger the attack protection rate limits.

Solution

Attack protection rate limits and checks, such as Suspicious IP Throttling or Brute Force protection, are activated when a credential check is performed. This typically occurs on the password submission page, for example, /u/login/password.

The Universal Login prompts have their own rate limits based on IP to help protect against users spamming the endpoint.
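As an added illustration (not Auth0's code), the following Python model separates the two mechanisms described above: attack protection counts only failed credential checks, so submissions to /u/login/identifier never contribute to it, while the prompt's own IP-based limit counts every request. The request log and both thresholds are constructed for the example and do not reflect real configured values.

```python
from collections import defaultdict

IDENTIFIER_PATH = "/u/login/identifier"
PASSWORD_PATH = "/u/login/password"

# Constructed sample request log: (source_ip, path, outcome).
# outcome is "fail" or "ok" for password submissions; identifier submissions
# carry None because that page performs no credential check at all.
SAMPLE_LOG = (
    [("198.51.100.7", IDENTIFIER_PATH, None)] * 6      # only ever submits identifiers
    + [
        ("203.0.113.9", IDENTIFIER_PATH, None),
        ("203.0.113.9", PASSWORD_PATH, "fail"),        # repeated failed credential checks
        ("203.0.113.9", PASSWORD_PATH, "fail"),
        ("203.0.113.9", PASSWORD_PATH, "fail"),
        ("192.0.2.44", IDENTIFIER_PATH, None),
        ("192.0.2.44", PASSWORD_PATH, "ok"),           # normal successful login
    ]
)


def credential_failures_per_ip(log):
    """Failed credential checks per IP: the signal attack protection acts on.
    Only password submissions count; the identifier page checks nothing."""
    counts = defaultdict(int)
    for ip, path, outcome in log:
        if path == PASSWORD_PATH and outcome == "fail":
            counts[ip] += 1
    return dict(counts)


def prompt_requests_per_ip(log):
    """Every request to any login prompt per IP: the signal the prompt's own
    IP-based rate limit acts on, regardless of page or outcome."""
    counts = defaultdict(int)
    for ip, _path, _outcome in log:
        counts[ip] += 1
    return dict(counts)


def throttled_ips(log, credential_threshold=3, prompt_threshold=6):
    """Which IPs each mechanism would hold back. Thresholds are hypothetical."""
    failures = credential_failures_per_ip(log)
    requests = prompt_requests_per_ip(log)
    return {
        "attack_protection": {ip for ip, n in failures.items() if n >= credential_threshold},
        "prompt_rate_limit": {ip for ip, n in requests.items() if n >= prompt_threshold},
    }


if __name__ == "__main__":
    # The identifier-only sender is never seen by attack protection, but the
    # prompt rate limit still catches it; the password-failing IP is the reverse.
    print(throttled_ips(SAMPLE_LOG))
```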

For more information, refer to Rate Limit Configurations.
