Overview
This article explains why users whose accounts are associated with an Apple social connection receive an email notification after their account is deleted via the DELETE /api/v2/users/{id} Management API endpoint. The subject line of the email received is:
- {Service ID} has revoked your Sign in with Apple account
This notification is specific to Apple social connections and might not be sent when deleting users associated with other social identity providers, such as Google.
Applies To
- Apple Social Connection
- Management API
- DELETE Endpoint
Cause
The email notification from Apple is expected behavior when a user account linked to an Apple social connection is deleted. The sequence of events is as follows:
- When a user deletion request is processed, Auth0 checks for and revokes any Apple refresh tokens associated with that user. This action is crucial to prevent unauthorized ongoing access to the account.
- Apple sends the email notification to the user when the relationship between the user’s application and their Apple ID connection is revoked. This email originates from Apple, not Auth0.
Therefore, while Auth0 initiates the process by revoking tokens, Apple sends the actual email notification.
Solution
This is expected behavior. The key aspects of this process are:
- Necessary revocation of refresh tokens upon user deletion to prevent continued account access
- Email notification sent directly by Apple (not Auth0) as confirmation of the token revocation
This email requires no action in response; it confirms that standard security procedures have been correctly executed.