Custom e-mail verification and silent auth

Hi, Auth0 users and admins.

We have the following scenario:

  • A web app using auth0-spa-js
  • Uses classic universal login
  • After a user signup, we have a custom built email verification flow
  • when this flow succeeds, we update the user with email_verified: true

The problem is that after the user patch, the web app’s session becomes invalid. This means that after the email verification, if the user refreshes the page, auth0-spa-js silent auth will fail.

I found this response by @marcus.baker which says:

Patching Email or Email_verified via the management API will invalidate the Auth0 session

I would like to know if there is any way to build a custom email verification like ours, but without logging out the user.
Requiring the user to login right after signing up and verifying their e-mail is certainly not a good UX.