Hook for email verification

I would like to have some aspects of an app available to non-verified users, but the full experience is unlocked once their email has been verified. I’ve seen a few posts suggesting the webhook extension for the Management API, but it does not seem like a particularly ‘responsive’ solution (minimum interval is 5 minutes?).

Does Auth0 expect me to block sign-in until their account has been verified? Assuming I’m using Universal Login, what is meant to happen after logging in? Do I direct them back to the login page with some sort of message saying ‘verify email before logging in again’? That seems a bit jarring. I’m open to suggestions, though, on how to approach this flow. Thanks.

Hi @ike1

In your access token, add a custom field for “email verified”. Then for users who are not verified, your app will check the access token and disable the features they shouldn’t get.

You’ll need a rule to add that to the access token.

You may want a progressive profiling redirect rule, that detects when a user hasn’t verified their email and asks them to.

John

1 Like

Since I want the user to be able to explore a limited part of the app when logged in, there isn’t a way to notify the app that the user has verified their email, because that email-verified flag is only retrieved when signing in through Auth0. They would need to log out and log in through Auth0 again to retrieve the updated email-verified flag.

Hi @ike1

There may be a way to do what you want: have the access token include the email verified flag as I suggested. When the user tries to access the premium part of the app, check the flag. If it is not verified, do a silent authentication (requiring no user interaction) to get a new access token, and recheck the flag. If it is still not verified, then inform them they have to verify the email before proceeding.

You are using SSO to get the token again, to see if the flag has changed.

John

1 Like
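Putting John’s two suggestions together (a Rule that copies the flag into the access token, and a silent re-authentication when the cached token says “not verified”), here is an added example; it is not code from this thread or from Auth0. The claim namespace `https://example.com/email_verified`, the `getFreshToken` callback (standing in for a silent-auth call such as auth0-spa-js with the token cache bypassed) and the constructed unsigned tokens are all assumptions.

```javascript
// Custom claims on Auth0 access tokens must be namespaced URIs; non-namespaced
// claims are dropped. The namespace below is an assumed example value.
const CLAIM = 'https://example.com/email_verified';

// Auth0 Rule shape: function (user, context, callback). Copies the tenant's
// email_verified flag onto the access token so the app can gate features on it.
function addEmailVerifiedClaim(user, context, callback) {
  context.accessToken[CLAIM] = user.email_verified === true;
  return callback(null, user, context);
}

// Read a JWT payload without verifying it. That is acceptable only for a UI
// gate; the API behind the premium feature must verify the signature itself.
// In a browser, atob() replaces Buffer here.
function decodeJwtPayload(token) {
  const b64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function isEmailVerified(token) {
  return decodeJwtPayload(token)[CLAIM] === true;
}

// Gate for the premium area. If the cached token still says "not verified",
// obtain a fresh token via silent auth (no user interaction) and recheck once,
// so a user who verified mid-session does not have to log out and back in.
async function canAccessPremium(cachedToken, getFreshToken) {
  if (isEmailVerified(cachedToken)) return { allowed: true, refreshed: false };
  const fresh = await getFreshToken(); // hypothetical silent-auth call
  return { allowed: isEmailVerified(fresh), refreshed: true };
}

// Constructed, unsigned tokens for a local demo (no real Auth0 tenant involved).
function makeUnsignedJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

const staleToken = makeUnsignedJwt({ [CLAIM]: false });
const freshToken = makeUnsignedJwt({ [CLAIM]: true });
canAccessPremium(staleToken, async () => freshToken).then((r) => console.log(r));
```

If the fresh token is still unverified, the app shows the “verify your email” prompt at that point instead of bouncing the user to the login page.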