Hey there,
We’re actually on a Covid-19 relief plan but are unable to create tickets as we cannot access our master tenant for some unexplained reason, so I will post this here instead. I’ve messaged @James.Morrison about this, hopefully he can get this resolved.
Anyhow, we’re looking to create an auth flow where the first time a user uses an email address we immediately sign them up without the need for a password and without the need to confirm their email. If the same email is then used again in the future, they’ll have to verify their identity by confirming their email using the provided code using auth0’s passwordless widget.
So, if an email does not yet exist, we will use the Management API to create an account for them, and then respond with their access and ID token so the client can start making requests on behalf of the newly created user. The issue is that whenever we call the POST /api/v2/users endpoint the given email address receives an unwanted “confirm that you want to signin” email, even when the property verify_email is set to false.
Here is a screenshot of the unwanted email:
Since we’re only creating a passwordless user here, why would an email be sent? We specifically do NOT want any user interactions to be necessary when an email is used for the first time. Only on subsequent authentication requests would we kickoff the passwordless email flow.
Note that if we set email_verified: true, the above does not happen, but that is not a real solution since the email hasn’t actually been verified. This is exactly why we set email_verified: false and verify_email: false. Your documentation also correctly states that verify_email overrides the behavior of the email_verified parameter, therefore this seems to be an issue on your side.