Auth0 Home Blog Docs

About the invitation-only flow

We are currently considering the following flow, but I would like to hear your concerns and advice.
[ Flow ]

  1. Batch register users with /api/v2/jobs/users-imports
  2. Detect job completion with /api/v2/jobs/{id}
  3. Get user_id with /api/v2/users-by-email (1 request per user)
  4. Get password setting link with /api/v2/tickets/password-change (1 request per user)
  5. Include the link acquired in 4. in the email text and send the email
  6. Each user presses the link and sets the password on the password setting screen

Especially for 3.4., If 10,000 users are registered in bulk, a total of 20,000 requests will be required, are there any other options.

Hi @makoto-matsumoto

There are many ways to achieve the result of importing users and changing passwords. It is going to rely largely on your desired UX.

Regarding your current solution:

This can also be achieved using the user import/export extension. This allows you to upload a file and not have to interface with an API. Also allows you to monitor progress. Either option will work.

You will likely run into management api rate limits when making this many requests so rapidly. You need to be prepared for that or find another solution (see below).

Alternative solutions:

Automatic Migration:
You can use a automatic migration strategy. This strategy will go undetected by your users and happens over time. It requires a paid account, but you will need that if you have 10k users. It also requires you to have a user database currently set up, but that might not be a problem. The details are laid out below.


Bulk Migration and Password Reset Through Rules:
This solution is going to be similar to your current suggestion. You will require a password reset when a user tries to log in, rather than sending a large batch email and making 20k API requests.

  1. Import your users with the user import/export extension or using /api/v2/jobs/users-imports.
  2. Create a rule that checks if they have logged in, if they have not logged in since the migration, prompt to reset password before they can log in. The rule will look something like this:
function (user, context, callback) {
  if (!user.last_password_reset) {
    return callback(new UnauthorizedError('please change your password'));
  }
  callback(null, user, context);
}

You will be passed the error, and can make it a custom page with your own language if you desire.

Let me know if you have questions.

Thanks,
Dan

Hi @dan.woda

Thank you for valuable information such as management api rate limits!

I will try the solution from you. (=> Bulk Migration and Password Reset Through Rules)

Thanks,
Makoto

Let us know if you have further questions.

Thanks,
Dan