Like safaridan, we’re using the GET /api/v2/users endpoint to search case-insensitively, and we were bit by a scenario where a user logged in for the first time through an OAuth provider, and then 3.5 minutes later their manager attempted to add the user to our systems, and the user was not yet visible via the endpoint due to its eventual consistency. They also were not visible in the case-sensitive GET /api/v2/users-by-email endpoint because the OAuth provider happened to capitalize one segment of the local part of the user’s email address.
The lack of an immediately-consistent API for searching by case-insensitive email address makes it difficult to build a robust, reliable authentication system that works as users naturally expect.