Creating passwordless connection user through v2 Management API results in user receiving signin confirmation email

Hey there,

We’re actually on a Covid-19 relief plan but are unable to create tickets as we cannot access our master tenant for some unexplained reason, so I will post this here instead. I’ve messaged @James.Morrison about this, hopefully he can get this resolved.

Anyhow, we’re looking to create an auth flow where the first time a user uses an email address we immediately sign them up without the need for a password and without the need to confirm their email. If the same email is then used again in the future, they’ll have to verify their identity by confirming their email with the provided code, using Auth0’s passwordless widget.

So, if an email does not yet exist, we will use the Management API to create an account for them, and then respond with their access and ID token so the client can start making requests on behalf of the newly created user. The issue is that whenever we call the POST /api/v2/users endpoint the given email address receives an unwanted “confirm that you want to signin” email, even when the property verify_email is set to false.

Here is a screenshot of the unwanted email:

Since we’re only creating a passwordless user here, why would an email be sent? We specifically do NOT want any user interaction to be necessary when an email is used for the first time. Only on subsequent authentication requests would we kick off the passwordless email flow.

Note that if we set email_verified: true, the above does not happen, but that is not a real solution since the email hasn’t actually been verified. This is exactly why we set email_verified: false and verify_email: false. Your documentation also correctly states that verify_email overrides the behavior of the email_verified parameter, therefore this seems to be an issue on your side.

Hi, @tom14,

What you are seeing is the passwordless login email. This is not a verification email, but rather a login email.

Passwordless works on the basis that the end-user will enter either an OTP or click on a link that will log them in. It’s not intended as zero-interaction login, but rather as using the user’s email address as the verification for the login.

There is no way to achieve what you mentioned, as it would be the equivalent of someone being able to log in to your system by entering only a username and no password.

