Security Considerations

Rate limiting

  • Limit send-email requests by IP
  • Limit requests by target email
  • Add backoff for repeated failures
  • Prevent email bombing and token abuse

Account enumeration

  • Passkeys in discovery mode avoid email input entirely
  • Email login always returns the same success response
  • Existing accounts get a code email
  • Missing accounts get a notification email instead

Signup safety

  • Verify email ownership first
  • Create the User record last
  • Keep auth attempts purpose-specific
  • Treat recovery and signup as first-class flows
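
Added example, not code from the deck: a minimal Python sketch of the email-code flow above, with per-IP and per-address rate limits applied before the account lookup, an identical response whether the account exists or not (code email vs. notification email), purpose-bound single-use attempts, and exponential backoff on wrong guesses. The in-memory stores, the sample account and the limit values are constructed assumptions.

```python
import secrets
import time
from collections import defaultdict

# Constructed in-memory stores; a real deployment would back these with a database or Redis.
USERS = {"alice@example.com": {"id": 1}}   # constructed sample account
ATTEMPTS = {}                               # attempt_id -> pending code record
OUTBOX = []                                 # emails "sent", captured for inspection
GENERIC_OK = {"ok": True, "message": "If that address is registered, an email is on its way."}
class RateLimiter:  # sliding-window counter keyed by any string (source IP or target email)
    def __init__(self, limit, window_s):
        self.limit, self.window_s, self.hits = limit, window_s, defaultdict(list)
    def allow(self, key, now):
        recent = [t for t in self.hits[key] if now - t < self.window_s]
        self.hits[key] = recent + [now]     # denied requests count too, so hammering never helps
        return len(recent) < self.limit

IP_LIMIT = RateLimiter(limit=20, window_s=3600)    # send-email requests per source IP
EMAIL_LIMIT = RateLimiter(limit=3, window_s=3600)  # send-email requests per target address
def start_email_login(email, ip, purpose="login", now=None):
    """Enumeration-safe entry point: the response is identical whether or not the
    account exists; only the kind of email that goes out differs."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    # Both limits run before the account lookup, so the limiter cannot become an oracle.
    if not IP_LIMIT.allow(ip, now) or not EMAIL_LIMIT.allow(email, now):
        return {"ok": False, "message": "Too many requests, try again later."}
    if email in USERS:
        attempt_id, code = secrets.token_urlsafe(16), f"{secrets.randbelow(10**6):06d}"
        ATTEMPTS[attempt_id] = {"email": email, "code": code, "purpose": purpose,
                                "expires": now + 600, "failures": 0, "not_before": now}
        OUTBOX.append({"to": email, "kind": "code", "attempt_id": attempt_id, "code": code})
    else:
        OUTBOX.append({"to": email, "kind": "no-account"})  # notification, never a code
    return GENERIC_OK

def verify_code(attempt_id, code, purpose, now=None):
    """Attempts are purpose-bound, single-use, and back off exponentially on wrong guesses."""
    now = time.time() if now is None else now
    rec = ATTEMPTS.get(attempt_id)
    if rec is None or rec["purpose"] != purpose:
        return False                        # unknown attempt, or a signup code used for login
    if now > rec["expires"] or now < rec["not_before"]:
        return False                        # expired, or still inside the backoff window
    if secrets.compare_digest(rec["code"], code):
        del ATTEMPTS[attempt_id]            # single use
        return True
    rec["failures"] += 1
    rec["not_before"] = now + 2 ** rec["failures"]  # 2 s, 4 s, 8 s ...; expiry caps total guesses
    return False
```

The User record for a signup would be created only after verify_code succeeds for purpose "signup", matching the "verify first, create last" rule above.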

Building a Production-Grade Passwordless Authentication System
11 / 12