# ory-copilot
@chilly-king-10285, is there a way to add login rate limiting to ory kratos?
A message from kapa.ai
Ory Kratos does not currently provide a built-in, configurable login rate limiting feature in its self-hosted version. The Ory team has discussed the complexity of implementing such a feature directly in Kratos, especially in a scalable and concurrency-safe way. Instead, they recommend handling rate limiting and account lockout at the infrastructure level, such as using a Web Application Firewall (WAF) like Cloudflare or Akamai, which is how Ory Network (the managed service) provides these protections out of the box.

There have been community proposals and discussions about adding login rate limiting and account lockout to Kratos, including tracking failed login attempts and locking accounts after a threshold is reached. However, these features are not part of the official release as of now. There is mention of a possible webhook for failed logins, which could allow you to implement custom logic (like disabling accounts or throttling) in your own service, but this is not a turnkey solution within Kratos itself. The Ory team is open to community contributions that address these concerns without adding excessive complexity to the project.

For now, the recommended approach for self-hosted Kratos is to use external tools for rate limiting and brute-force protection, or to consider Ory Network for these features built-in ([Throttling repeated login requests & account lock](https://github.com/ory/kratos/issues/3037), [Threat models and security profiles](https://www.ory.sh/docs/kratos/concepts/security)).

In summary:
- Self-hosted Ory Kratos: No built-in login rate limiting; use a WAF or external service.
- Ory Network (managed): Rate limiting and brute-force protection are included as part of the platform.

If you need these features natively in Kratos, you may need to implement them yourself or follow ongoing community efforts.
@chilly-king-10285 How do I disable an account in Kratos?
A message from kapa.ai
To disable (deactivate) an account in Ory Kratos, you need to change the identity's state to inactive. This can be done using the SDK or API, but not directly through the Ory Console at this time. The recommended approach is to use the patchIdentity or updateIdentity API endpoints to set the identity's state to inactive. Once the identity is inactive, the user will not be able to authenticate.

Here's a summary from a relevant discussion:

> You can do that by changing the identity's state to inactive using patchidentity or updateidentity
> ... you can do it with the SDK/API

[Disable User and Revoke all sessions](https://github.com/ory/network/issues/415)

If you need to revoke all sessions for the user as well, you can use the session management APIs to terminate active sessions.
@famous-jackal-2829 If you want to add rate limiting by "username", you can use the login webhook (https://www.ory.sh/docs/kratos/hooks/configure-hooks#trigger-precedence); you just need to write a backend that keeps track of the number of login attempts and responds with an error.