auth0 · bkiran6398 · Feb 26, 2026 · Feb 11, 2026 · Feb 11, 2026 · Feb 12, 2026
@@ -8,6 +8,7 @@ Auth0 can detect attacks and stop malicious attempts to access your application
 
 ## Commands
 
+- [auth0 protection bot-detection](auth0_protection_bot-detection.md) - Manage bot detection settings
 - [auth0 protection breached-password-detection](auth0_protection_breached-password-detection.md) - Manage breached password detection settings
 - [auth0 protection brute-force-protection](auth0_protection_brute-force-protection.md) - Manage brute force protection settings
 - [auth0 protection suspicious-ip-throttling](auth0_protection_suspicious-ip-throttling.md) - Manage suspicious ip throttling settings

@@ -0,0 +1,14 @@
+---
+layout: default
+has_toc: false
+has_children: true
+---
+# auth0 protection bot-detection
+
+Bot detection protects your applications from automated attacks by detecting and blocking bot traffic. Auth0 can challenge suspicious requests with CAPTCHA or block them entirely. Configure detection sensitivity, CAPTCHA policies for different authentication flows, and allowlists for trusted IP addresses.
+
+## Commands
+
+- [auth0 protection bot-detection show](auth0_protection_bot-detection_show.md) - Show bot detection settings
+- [auth0 protection bot-detection update](auth0_protection_bot-detection_update.md) - Update bot detection settings
+
@@ -0,0 +1,47 @@
+---
+layout: default
+parent: auth0 protection bot-detection
+has_toc: false
+---
+# auth0 protection bot-detection show
+
+Display the current bot detection settings.
+
+## Usage
+```
+auth0 protection bot-detection show [flags]
+```
+
+## Examples
+
+```
+  auth0 protection bot-detection show
+  auth0 ap bd show --json
+  auth0 ap bd show --json-compact
+```
+
+
+## Flags
+
+```
+      --json           Output in json format.
+      --json-compact   Output in compact json format.
+```
+
+
+## Inherited Flags
+
+```
+      --debug           Enable debug mode.
+      --no-color        Disable colors.
+      --no-input        Disable interactivity.
+      --tenant string   Specific tenant to use.
+```
+
+
+## Related Commands
+
+- [auth0 protection bot-detection show](auth0_protection_bot-detection_show.md) - Show bot detection settings
+- [auth0 protection bot-detection update](auth0_protection_bot-detection_update.md) - Update bot detection settings
+
+
@@ -0,0 +1,55 @@
+---
+layout: default
+parent: auth0 protection bot-detection
+has_toc: false
+---
+# auth0 protection bot-detection update
+
+Update the bot detection settings.
+
+## Usage
+```
+auth0 protection bot-detection update [flags]
+```
+
+## Examples
+
+```
+  auth0 protection bot-detection update
+  auth0 ap bd update --bot-detection-level medium --json-compact
+  auth0 ap bd update --bot-detection-level low --challenge-password-policy never
+  auth0 ap bd update --monitoring-mode-enabled=true --allowlist "198.51.100.42,10.0.0.0/24"
+  auth0 ap bd update -l high -a "198.51.100.42" -m=false --json
+```
+
+
+## Flags
+
+```
+  -a, --allowlist strings                        List of comma-separated trusted IP addresses that will not have bot detection enforced against them. Supports IPv4, IPv6 and CIDR notations.
+  -l, --bot-detection-level string               The level of bot detection sensitivity. Possible values: low, medium, high.
+      --challenge-password-policy string         Determines how often to challenge users with a CAPTCHA for password-based login. Possible values: never, when_risky, always.
+      --challenge-password-reset-policy string   Determines how often to challenge users with a CAPTCHA for password reset. Possible values: never, when_risky, always.
+      --challenge-passwordless-policy string     Determines how often to challenge users with a CAPTCHA for passwordless login. Possible values: never, when_risky, always.
+      --json                                     Output in json format.
+      --json-compact                             Output in compact json format.
+  -m, --monitoring-mode-enabled                  Enable (or disable) monitoring mode. When enabled, logs but does not block.
+```
+
+
+## Inherited Flags
+
+```
+      --debug           Enable debug mode.
+      --no-color        Disable colors.
+      --no-input        Disable interactivity.
+      --tenant string   Specific tenant to use.
+```
+
+
+## Related Commands
+
+- [auth0 protection bot-detection show](auth0_protection_bot-detection_show.md) - Show bot detection settings
+- [auth0 protection bot-detection update](auth0_protection_bot-detection_update.md) - Update bot detection settings
+
+
@@ -7,6 +7,7 @@ require (
 	github.com/PuerkitoBio/rehttp v1.4.0
 	github.com/atotto/clipboard v0.1.4
 	github.com/auth0/go-auth0 v1.34.0
+	github.com/auth0/go-auth0/v2 v2.5.0
 	github.com/briandowns/spinner v1.23.2
 	github.com/charmbracelet/glamour v0.10.0
 	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e

@@ -22,6 +22,8 @@ github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
 github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
+github.com/auth0/go-auth0/v2 v2.5.0 h1:IBfiYGsqFwOu4hsxV1JDtB6+ayRinybUIUCU/fRBE8Y=
+github.com/auth0/go-auth0/v2 v2.5.0/go.mod h1:XVRck9fw1EIw1z4guYcbKFGmElnexb+xOvQ/0U1hHd0=
 github.com/auth0/go-auth0 v1.34.0 h1:5rtel4yYbYp+NYlVf3ryxSRaDHWxJubtVc+cqdLMa7o=
 github.com/auth0/go-auth0 v1.34.0/go.mod h1:32sQB1uAn+99fJo6N819EniKq8h785p0ag0lMWhiTaE=
 github.com/aybabtme/iocontrol v0.0.0-20150809002002-ad15bcfc95a0 h1:0NmehRCgyk5rljDQLKUO+cRJCnduDyn11+zGZIc9Z48=

@@ -4,6 +4,8 @@ import (
 	"context"
 
 	"github.com/auth0/go-auth0/management"
+	managementv2 "github.com/auth0/go-auth0/v2/management"
+	"github.com/auth0/go-auth0/v2/management/option"
 )
 
 type AttackProtectionAPI interface {
@@ -64,3 +66,19 @@ type AttackProtectionAPI interface {
 		opts ...management.RequestOption,
 	) (err error)
 }
+
+type AttackProtectionBotDetectionAPIV2 interface {
+	// Get the Bot Detection configuration of tenant.
+	//
+	// Required scope: `read:attack_protection`
+	//
+	// See: https://auth0.com/docs/api/management/v2#!/attack-protection/get-bot-detection
+	Get(ctx context.Context, opts ...option.RequestOption) (*managementv2.GetBotDetectionSettingsResponseContent, error)
+
+	// Update the Bot Detection configuration of tenant.
+	//
+	// Required scope: `update:attack_protection`
+	//
+	// See: https://auth0.com/docs/api/management/v2#!/attack-protection/patch-bot-detection
+	Update(ctx context.Context, request *managementv2.UpdateBotDetectionSettingsRequestContent, opts ...option.RequestOption) (*managementv2.UpdateBotDetectionSettingsResponseContent, error)
+}
@@ -3,6 +3,7 @@ package auth0
 import (
 	"github.com/auth0/go-auth0"
 	"github.com/auth0/go-auth0/management"
+	managementv2 "github.com/auth0/go-auth0/v2/management/client"
 )
 
 // API mimics `management.Management`s general interface, except it refers to
@@ -76,6 +77,16 @@ func NewAPI(m *management.Management) *API {
 	}
 }
 
+type APIV2 struct {
+	AttackProtectionBotDetection AttackProtectionBotDetectionAPIV2
+}
+
+func NewAPIV2(m *managementv2.Management) *APIV2 {
+	return &APIV2{
+		AttackProtectionBotDetection: m.AttackProtection.BotDetection,
+	}
+}
+
 // Alias all the helper methods so we can keep just typing `auth0.Bool` and the
 // compiler can autocomplete our internal package.
 var (

@@ -1175,7 +1175,7 @@ func appsSessionTransferUpdateCmd(cli *cli) *cobra.Command {
 			}
 
 			// Set the flag if it was supplied or entered by the prompt.
-			if appSTCanCreateToken.IsSet(cmd) || shouldPromptWhenNoLocalFlagsSet(cmd) {
+			if appSTCanCreateToken.IsSet(cmd) || noLocalFlagSet(cmd) {
 				st.CanCreateSessionTransferToken = &inputs.CanCreateToken
 			}
 

@@ -19,6 +19,7 @@ func attackProtectionCmd(cli *cli) *cobra.Command {
 	cmd.AddCommand(breachedPasswordDetectionCmd(cli))
 	cmd.AddCommand(bruteForceProtectionCmd(cli))
 	cmd.AddCommand(suspiciousIPThrottlingCmd(cli))
+	cmd.AddCommand(botDetectionCmd(cli))
 
 	return cmd
 }