Auth0's Brute Force Protection feature will block login attempts even if the user enters credentials that do not correspond to a user profile. This can be especially confusing in situations where custom database scripts are in use, because the user is blocked but not yet present in the tenant.

• Custom Databases
• Attack Protection

This is an intended security measure meant to protect a tenant from user enumeration.

In cases such as these, the user can be unblocked using the Management API, more specifically, the "Delete User Blocks" endpoint:

• Unblock by identifier