However, if a bad user sent a false email address, a record would be created in the Auth0 DB without a verification email, and the correct user with that email address could not register.
How do I implement the verification email flow before signup?
We unfortunately do not have an out-of-the-box way to prevent the creation of a user profile until an email is verified. I believe the best way to handle a scenario like this would be for your app to check for users with email_verified: false and if their created_at is too far in the past, then delete that user. You could also have your app notify users they have a certain amount of time to verify their email and then delete the account if they do not within the time limit.
If you would like to see something like this in a future release of Auth0, we would recommend submitting a feature request using this form. This is a direct line to our Product team and the best way to communicate your needs.
Thanks for your reply. I solved this by using the “Actions” feature to call my own email sending API and redirect to the my authentication code entry form.