Create session after email verification

We are working on the implementation of a register flow where users need to validate their email using the verification email feature described in Customize Email Handling.

After the email has been verified, we expected the user to have an active session in Auth0 so that they do not need to provide their credentials (email & password) again, making the sign-in process frictionless. However, we experienced that users are prompted with the sign-in form when they visit Auth0 for the second time.

I would like to know if this use case is supported by Auth0, or we will need to request email & password login after going through the email verification process.

Thanks in advance.

Hi @manuel.bustillo, if the user signed up in the same browser their original session will still be there, assuming they didn’t log out and the session timeout was not exceeded.
However, if the verification was done on a different browser, the user will not be automatically logged in. They will have to enter the credentials again. This is the expected behavior right now.


Hi @thameera, thanks for your response.

We are creating users via API and then sending them a link to verify their email address. They did not go through the sign-up process with Auth0 directly, but I assume they will have an active session in the same browser they used to validate their email address (which is their first interaction with Auth0). Is that correct?

Email verification does not create a session, so if they had not logged in earlier there will be no active session in the browser. If you expect the user to log in right after verification, they should be redirected to the login page.

On the other hand, if they had gone through a regular signup flow, they’d have been logged in automatically after signup - which would leave an active session in the browser.

Hope that helps.

It’s clear now, thanks!


Glad you got it now @manuel.bustillo!
