If guests cannot log in via the brand's website and/or mobile app, and the underlying login API calls to Punchh are returning 503 Service Unavailable errors, the IP address(es) used to make those login API calls may be temporarily blocked on Punchh's end. There are several reasons why this can occur:
- A new 3rd party app has just been launched for the brand, and Punchh sees an increase in invalid logins due to a high number of guests forgetting their passwords.
- A high number of invalid login attempts are made in a short period of time. This is a major indicator of a credential stuffing attack.
In these scenarios, the IP addresses used by the brand to make login API calls to Punchh will be blocked by Punchh for 24 hours and automatically unblocked after the 24-hour period has passed. This is done for security and reliability purposes. If a brand is in this situation, please submit a ticket to Punchh Support with the following information:
- Complete API endpoint URL(s) where guests can't log in
- All IP addresses used by the brand to send login traffic to Punchh
- Where are logins blocked and is the issue continuing (e.g. website, mobile apps, etc.)?
- Did you notice a high rate of login failures that would signify an attack was taking place since the issue started?
- Do you have anti-bot protections in place for your websites that have integrations with Punchh (such as a reCaptcha or web application firewall)?
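One way to pull the answers to several of these questions out of the brand's own logs before opening the ticket. This is an added example, not Punchh code: the log format, the sample lines, the `summarize` helper, and the use of 401 for an invalid login are assumptions.

```python
from collections import Counter
from datetime import datetime, timezone
# Constructed sample: a brand backend's log of login calls to Punchh.
# The line format and 401 for an invalid login are assumptions.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z egress=198.51.100.10 status=200
2024-05-01T10:00:40Z egress=198.51.100.11 status=401
2024-05-01T10:01:02Z egress=198.51.100.10 status=401
2024-05-01T10:01:10Z egress=198.51.100.11 status=401
2024-05-01T10:01:15Z egress=198.51.100.10 status=401
2024-05-01T10:01:31Z egress=198.51.100.10 status=401
2024-05-01T10:01:48Z egress=198.51.100.11 status=200
2024-05-01T10:02:03Z egress=198.51.100.10 status=401
2024-05-01T10:02:20Z egress=198.51.100.10 status=503
2024-05-01T10:02:25Z egress=198.51.100.11 status=503
2024-05-01T10:03:00Z egress=198.51.100.11 status=503
"""
FMT, FAILED, BLOCKED = "%Y-%m-%dT%H:%M:%SZ", "401", "503"

def parse(line):
    """Split one log line into (UTC datetime, egress IP, status)."""
    ts, egress, status = line.split()
    when = datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)
    return when, egress.split("=", 1)[1], status.split("=", 1)[1]

def summarize(log_text, window_s=60, threshold=3):
    """Collect the facts the support ticket asks for."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    blocked = [(ts, ip) for ts, ip, st in events if st == BLOCKED]
    first_503 = blocked[0][0] if blocked else None
    # Count failed logins per fixed window, up to the first 503 only:
    # once blocked, calls return 503 instead of a login result.
    buckets = Counter()
    for ts, _, st in events:
        if st == FAILED and (first_503 is None or ts < first_503):
            buckets[int(ts.timestamp()) // window_s * window_s] += 1
    spikes = [(datetime.fromtimestamp(b, timezone.utc).strftime(FMT), n)
              for b, n in sorted(buckets.items()) if n >= threshold]
    return {
        "egress_ips": sorted({ip for _, ip, _ in events}),
        "blocked_ips": sorted({ip for _, ip in blocked}),
        "first_503": first_503.strftime(FMT) if first_503 else None,
        "still_blocked": bool(events) and events[-1][2] == BLOCKED,
        "failure_spikes": spikes,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Here `still_blocked` only means the most recent logged call returned 503, and the window size and threshold should be tuned to the brand's normal login failure rate.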
Disclaimer:
In an effort to supply information as quickly as possible, this article has been published prior to a formal technical review, and is subject to factual, grammatical, and various structural errors. Data may be incomplete, misordered, or incorrect.
This additional disclaimer will be removed upon formal review of this article. The standard Punchh Inc. KB Disclaimer still applies, and can be found at: https://support.punchh.com/hc/en-us/articles/360040100273-Punchh-Inc-Knowledge-Base-Disclaimer
If further assistance is required, submit a ticket to Punchh Support.