max_attempts per-authorization workaround