Actions access.deny message not showing in new universal login

Hi, i need help displaying error messages in passwordless auth with new universal login and identifier first.

Im trying to implement an action that prevent users to sign in/up with an email i dont want, i would like to check the email first and then move to the passwordless-email-challenge (send the code to their email), so i added an action on pre-user-registration and in the action im using api.access.deny(reason,usermsg).

Like this:

The thing is that no message is displayed to the user, and i see on the logs the errors:

  • Failed login → failed to send email notification (i dont understand why it continues and tries to send email with code i tried everything but always continues)
  • Failed signup → PreUserRegistrationError on pre-user-registration: email_no_habilitado (my action works but no message is displayed to user)

To the user feels like the email they input its valid and even says validate your account, and waits for the code even no code was sent.

Is there something im missing here?

Any help is appreciated.

Hi @aledev,

Welcome to the Auth0 Community!

I have just tested your Action script on my end and could not reproduce the same issue. Instead, I could see the error message that I define on my Action script on the login page.

See the screenshot below:

Now, could you please confirm if you see the same results?


Hi @rueben.tiow, thanks for your response.

Im using identifier first with passwordless using email only, i see no error message on the login but i see the errors in the logs. The login process is not stopped when the user inputs their email and clicks continue, it goes to the next step and waits for the code, even tho as you see on the logs the action indeed prevented the user from signup and the failed login also prevented the email with the code to be sent.

For the moment i change to custom html login and use the extensibility_error solution (found here) that indeed works, but that only let me show one error message for all actions errors.

I really would like to keep the New universal login.

If you need any other details let me know,

thank you!

1 Like

Hi @aledev,

Thank you for the clarification and update.

After looking into this, it seems that using Identifier First with Passwordless is leading to this behavior where the error is not shown. This is by design to prevent user enumeration attacks by not exposing a legitimate user’s email address.

Let me also add that you can check your Auth0 Logs to see what actually happens when a user is prevented from logging in. In this scenario, you should expect a Failed Login log event with the “Failed to send email notification” error description.

I hope the explanation was clear!

Please let us know if you have any additional questions.


1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.