Create user from Management API with phone_number and email

I am trying to create a user through the management API (Auth0 Management API v2), which works fine. If I select “sms” as connection, I must add a phone_number to the request, and may also add an email.

However, if I select “email” as connection, adding phone_number is invalid. This strikes me as a little inconsistent. Would be very happy to get an explanation why this is.

Hey there @spaceben!

Happy to find it out! I’ll get back to you as soon as I manage to get some info on that!

Thanks. Anything already?

I didn’t find anything in our docs. I created an internal request for that for our engineering team. Waiting for their response.

That’s how the system is expected to behave.

When using the Auth0 Management API v2, three strategies can be used to create a user identifier:

  • database connection that supports both email and username fields (if requires username enabled)
  • passwordless sms connection that supports phone_number only
  • passwordless email connection that supports email only

The email, username and phone_number in the root user profile are identifiers, and depending on the connection strategy we don’t allow some of the attributes.

If you want to add extra attributes like an email in an sms connection, you can use app_metadata, and the phone_number can be added in the IdToken in a rule if needed.

{
    "created_at": "2019-10-30T14:57:45.281Z",
    "email": "somebody@gmail.com",
    "email_verified": false,
    "identities": [
        {
            "connection": "sms",
            "user_id": "...",
            "provider": "sms",
            "isSocial": false
        }
    ],
    "name": "+441234567890",
    "nickname": "my_nickname",
    "phone_number": "+441234567890",
    "phone_verified": false,
    "picture": "...",
    "updated_at": "2019-10-30T14:57:45.281Z",
    "user_id": "...",
    "blocked_for": [],
    "guardian_authenticators": []
}

Thank you for the answer. It is incorrect however. I generated the above output by calling the API with the passwordless sms connection strategy.

The point I am making is that one would not be able to produce the same output which only differs in the identities array by choosing the passwordless email connection strategy.

Hmmmm… let me discuss those results again! Will get back to you shortly!

That’s expected as each connection strategy has different capabilities, even if they share the same API2 endpoint for user management.
phone_number is ONLY allowed in the root user profile when using SMS connection. It is not a simple change in the array.

I suggest you add feedback here (Auth0: Secure access for everyone. But not just anyone.) so the appropriate product manager can take a look at the request.
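An added example, not part of the thread and not Auth0 code: a pre-flight helper that builds the body for a Management API v2 create-user request on the two passwordless connections discussed above, moving any identifier the connection rejects at the root into app_metadata as the staff reply suggests. The helper name and the rule table are assumptions drawn from this thread; email is treated as accepted on sms because the original poster's output shows it, although the staff reply describes sms as phone_number only.

```python
import json

# Assumed rule table, taken from the posts in this thread (not an official schema).
ROOT_IDENTIFIERS = {
    "sms": {"required": {"phone_number"}, "allowed": {"phone_number", "email"}},
    "email": {"required": {"email"}, "allowed": {"email"}},
}
IDENTIFIER_FIELDS = {"email", "username", "phone_number"}


def build_create_user_body(connection, profile):
    """Hypothetical helper: return a JSON-ready body for POST /api/v2/users."""
    rules = ROOT_IDENTIFIERS.get(connection)
    if rules is None:
        raise ValueError(f"unsupported connection: {connection!r}")
    missing = rules["required"] - set(profile)
    if missing:
        raise ValueError(f"{connection} connection requires {sorted(missing)}")

    body = {"connection": connection}
    app_metadata = dict(profile.get("app_metadata", {}))
    for key, value in profile.items():
        if key == "app_metadata":
            continue
        if key in IDENTIFIER_FIELDS and key not in rules["allowed"]:
            # Rejected at the root for this connection: keep it as an
            # extra attribute in app_metadata instead of dropping it.
            app_metadata[key] = value
        else:
            body[key] = value
    if app_metadata:
        body["app_metadata"] = app_metadata
    return body


if __name__ == "__main__":
    # Constructed sample profile, not real user data.
    sample = {"email": "user@example.com", "phone_number": "+441234567890"}
    for conn in ("sms", "email"):
        print(conn, json.dumps(build_create_user_body(conn, sample), indent=2))
```
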