# general
wooden-manchester-52124:
Hi, is it possible to configure client-based / IP-based throttling for the `oauth2/token` endpoint like Auth0? If not directly supported by the platform, can it be configured using something like a before-login webhook but for M2M clients?
billowy-actor-35983:
@wooden-manchester-52124, a webhook can be triggered when calling this endpoint to customize the JWT claims. You could use it and deny access by sending a 403 response. However, the schema does not mention an IP property. It might be worth asking the dev team if there is any objection to adding this property and eventually checking the Hydra codebase to see if the client IP is available in this flow.
wooden-manchester-52124:
@billowy-actor-35983 I am using the oauth2 webhook for setting custom claims and this webhook is only called if the client credentials in the token request are valid. I am trying to throttle access token requests if some malicious third party is continuously hitting the token endpoint with bad requests. So in this case of a bad request, Ory does not call the token hook endpoint so it does not give me the control to set any limitations on how to handle suspicious behavior.
billowy-actor-35983:
If there is no such solution, it could be a good occasion to implement a new hook configuration under the `oauth2` field of the Hydra configuration or update the current schema to mimic the one from Kratos' self-service flows. You could throttle or cancel the request in the before hook and modify the claims in the after hook.
👍 1
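Since the token hook only fires after the client credentials have been validated, the throttling the question asks for has to happen before the request reaches Hydra. The following is an added example, not code from the thread or from Ory: a small Go reverse proxy that sits in front of the public endpoint and applies a per-client-IP token bucket to `/oauth2/token` only, answering `429 Too Many Requests` once an IP exhausts its budget. The upstream address `127.0.0.1:4444` and the burst/rate numbers are placeholders; adjust them to your deployment.

```go
package main

import (
	"log"
	"math"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync"
	"time"
)

// bucket is one client's token bucket.
type bucket struct {
	tokens float64   // tokens currently available
	last   time.Time // last refill time
}

// IPLimiter holds one token bucket per client IP.
type IPLimiter struct {
	mu       sync.Mutex
	buckets  map[string]*bucket
	capacity float64          // burst: requests a fresh IP may send at once
	rate     float64          // sustained requests per second
	Now      func() time.Time // clock, replaceable in tests
}

// NewIPLimiter builds a limiter with the given burst size and refill rate.
func NewIPLimiter(capacity, rate float64) *IPLimiter {
	return &IPLimiter{
		buckets:  make(map[string]*bucket),
		capacity: capacity,
		rate:     rate,
		Now:      time.Now,
	}
}

// Allow reports whether ip may send one more request now, consuming a token if so.
func (l *IPLimiter) Allow(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	b, ok := l.buckets[ip]
	if !ok {
		b = &bucket{tokens: l.capacity, last: now}
		l.buckets[ip] = b
	}
	// Refill in proportion to elapsed time, capped at the burst size.
	b.tokens = math.Min(l.capacity, b.tokens+now.Sub(b.last).Seconds()*l.rate)
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// ClientIP uses the TCP peer address. X-Forwarded-For is deliberately ignored:
// a client can set that header itself, so it should only be honoured when a
// trusted proxy in front of this process is known to overwrite it.
func ClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// Middleware throttles only the token endpoint and passes everything else through.
func (l *IPLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/oauth2/token" && !l.Allow(ClientIP(r)) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "too many token requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumption (placeholder): Hydra's public endpoint listens on 127.0.0.1:4444.
	upstream, err := url.Parse("http://127.0.0.1:4444")
	if err != nil {
		log.Fatal(err)
	}
	limiter := NewIPLimiter(10, 2) // burst of 10, then 2 requests/s per IP
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe(":8080", limiter.Middleware(proxy)))
}
```

Because the limiter keys on the peer address, it also counts requests that fail authentication, which is exactly the case the token hook cannot see. The map grows with the number of distinct source IPs; a production build would evict idle buckets or use a shared store when several proxy instances run behind a load balancer.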