Can we check if email already exists in AUTH0? Is there any exposed API?

Hey, I am looking for a way to check if a particular email exists or not in AUTH0.
Is there any exposed API for that?
By just using the AUTH0 domain and creds, can we find out for a particular email if it exists or not?
I know there are ways by using an access token, but without that, is that possible?

Hello,

By default, the "Use a generic response in public signup API error message" setting is enabled in Tenant Settings.

Errors generated using the public signup API will return a generic response when enabled. This helps protect against user registration enumeration by preventing bad actors from being able to guess previously-registered email addresses or usernames from reading error response codes, such as user_exists.

When disabled, you could use the Signup endpoint of Authentication API or attempt a login with the wrong password to check if the user exists.

This is not recommended due to the above-mentioned enumeration vulnerability.

The other approach is to use the Management API. There are two endpoints that can search users by email:

List or Search Users
Search Users by Email

I hope this helps!

1 Like

Hey, thanks a ton for the quick response.
A token would be needed to use any of those AUTH0 Management API endpoints which you mentioned, right? Like search_by_email and search users? Correct me if I am wrong.
Also, regarding the public signup API response, I totally get your concern. So it's achievable only if we disable the generic response, right?

Hello,

Yes, to call these Management API endpoints, you will need an Access Token with read:users scope. You can get such a token in two ways:

For the public signup/login endpoint, yes, disabling the "Use a generic response in public signup API error message" setting will allow you to see if the user account exists or not.

1 Like
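The Management API route described in the answers above, as an added example (not part of the original posts and not Auth0's own code). It assumes a machine-to-machine application authorised for the Management API with the read:users scope; the domain, client ID and secret are placeholders, and the `http` parameter is a hypothetical hook so the functions can be exercised with a constructed fake transport instead of the network.

```python
import json
import urllib.parse
import urllib.request


def _http(method, url, headers=None, body=None):
    """Default transport: one HTTPS call, JSON in and JSON out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def get_mgmt_token(domain, client_id, client_secret, http=_http):
    """Client-credentials grant; the audience is the tenant's Management API."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # keep server-side, never ship to a browser
        "audience": f"https://{domain}/api/v2/",
    }
    resp = http("POST", f"https://{domain}/oauth/token",
                {"Content-Type": "application/json"}, body)
    return resp["access_token"]


def email_exists(domain, token, email, http=_http):
    """Search Users by Email returns a JSON array; an empty array means no match."""
    # Ask only for user_id so the check pulls back no profile data it does not need.
    query = urllib.parse.urlencode(
        {"email": email.strip(), "fields": "user_id", "include_fields": "true"})
    users = http("GET", f"https://{domain}/api/v2/users-by-email?{query}",
                 {"Authorization": f"Bearer {token}"})
    return len(users) > 0


if __name__ == "__main__":
    # Constructed fake transport and sample data, so the demo runs offline.
    def fake_http(method, url, headers=None, body=None):
        if url.endswith("/oauth/token"):
            return {"access_token": "constructed-token"}
        return [{"user_id": "auth0|constructed"}] if "alice%40" in url else []

    token = get_mgmt_token("tenant.example.com", "CLIENT_ID", "CLIENT_SECRET", fake_http)
    for addr in ("alice@example.com", "bob@example.com"):
        print(addr, email_exists("tenant.example.com", token, addr, fake_http))
```

Because the lookup needs a token, it belongs in backend code; if the result drives a user-facing flow, return the same message for both outcomes so the enumeration protection described above is not undone.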

Thanks a ton!!
Really appreciate the quick turnaround and work!!
You guys are making our life easy!!
