We’re actually on a Covid-19 relief plan but are unable to create tickets as we cannot access our master tenant for some unexplained reason, so I will post this here instead. I’ve messaged @James.Morrison about this, hopefully he can get this resolved.
Anyhow, we’re looking to create an auth flow where the first time a user uses an email address we immediately sign them up without the need for a password and without the need to confirm their email. If the same email is then used again in the future, they’ll have to verify their identity by confirming their email using the provided code using auth0’s passwordless widget.
So, if an email does not yet exist, we will use the Management API to create an account for them, and then respond with their access and ID token so the client can start making requests on behalf of the newly created user. The issue is that whenever we call the POST /api/v2/users endpoint the given email address receives an unwanted “confirm that you want to signin” email, even when the property verify_email is set to false.
Since we’re only creating a passwordless user here, why would an email be sent? We specifically do NOT want any user interactions to be necessary when an email is used for the first time. Only on subsequent authentication requests would we kickoff the passwordless email flow.
Note that if we set email_verified: true, the above does not happen, but that is not a real solution since the email hasn’t actually been verified. This is exactly why we set email_verified: false and verify_email: false. Your documentation also correctly states that verify_email overrides the behavior of the email_verified parameter, therefore this seems to be an issue on your side.
What you are seeing is the passwordless login email. This is not a verification email, but rather a login email.
Passwordless works on the basis that the end-user will enter either an OTP or click on a link that will log them in. It’s not intended as zero-interaction login, but rather as using the user’s email address as the verification for the login.
There is no way to achieve what you mentioned, as it would have the equivalent of someone being able to log in to your system by entering only a username and no password.
I found that setting verify_email to true or false makes no difference when creating a user with the “email” connection. The only to avoid sending the initial “Click and confirm that you want to sign in” email that I’ve found is to set email_verified, to true in the API call to create the user.
"email_verified": true,
Why Do I Need This?
We already have a user invite flow with emailing as part of our application. We have “Disable Sign Ups” set for our Passwordless connection. In our app, when an admin creates a user, the user is created in Auth0 via the management API and then the app emails the user with a link to the site so they can put in their email and decide when they want their 3 minute time limit to login to start rather seeing an invite email a few days later that says they have 3 minutes to login and says it’s from the “API Explorer Application”.