Change API token lifetime with Actions when user has no valid email

I currently only allow the token to be provided whenever a user has a valid email.
However, I would like to change it so that if the email is not yet validated the user could still receive a token but with a very short session.

I currently use Actions to deny access to the API, but could I make it so that access is granted but only for x amount of time?

Hi @joao.magalhaes,

Welcome to the Auth0 Community!

Unfortunately, it’s not possible to use Actions to grant a user access, but only for a certain amount of time.

For now, changing the API Token Lifetime settings is the only way to manipulate the token’s TTL.

In this case, I recommend changing your token’s expiration to be as short-lived as possible.

Then you can proceed with allowing your users to log in for a short period of time.

Let me also add that I would not advise allowing non-validated email address users to log in, as it could weaken your security posture and introduce fraudulent users.

I hope the explanation was clear!

Please let me know if you have any questions.

Thanks,
Rueben
