I am running into a similar issue as #597 where I am using a Token Authentication Backend along side User-based authentication backends and I want to use Axes only for those User-based backends. I am running into an issue where my token based authentication will generate user_login_failed callbacks and as a result try and create AccessAttempt records with a username of "None" (a string).

I can work around this by setting AXES_ONLY_USER_FAILURES to True, however I really would like to do IP-based blocking (maybe AXES_LOCK_OUT_BY_USER_OR_IP or even just IP-based lockouts instead.

Hi @Kraust! This should now be resolved by version 6 release and the new AXES_LOCKOUT_PARAMETERS configuration flag that supersedes the old lockout parameter handling.

Please see: https://django-axes.readthedocs.io/en/latest/5_customization.html#customizing-lockout-parameters