How do I verify a new email address befor the system updates it

My users need to be able to update their email addresses (as is possible in every application). Because typos happen I want them to verify their email address before the email is updated.

I came to Auth0 because I do not want to implement anything security related myself. Having to handle claims of users that bricked their account because of a typo through customer support is unacceptable and having to implement this basic feature of sending out a verification email before using the Management API to update the email kind of defeats the purpose of using Auth0, especially since there’s a very similar flow already that enables users to change their password.

I’ve spent quite some time looking for the answer to this question and it seems that Auth0 has ignored developers on this topic for years now.

I would like to know how Auth0 recommends doing this and why Auth0 has been refusing to implement this flow even though developers have been asking for for this feature for years now. Is there something I’m missing?

Also: Why is there no Action that I can use to trigger a webhook after a user has been updated? This makes implementing this myself much much harder.

  1. User Requests Email Change: Capture new email in your app.
  2. Generate Token: Create a secure token linked to the new email.
  3. Send Email: Use Auth0 or your own system to send verification email with token.
  4. User Verifies: On click, validate the token.
  5. Update Email: Use Auth0 Management API to update the email.

Generate Token using Web Crypto API

async function generateToken() {
  const array = new Uint8Array(32);
  return Array.from(array).map(b => b.toString(16).padStart(2, '0')).join('');

const token = await generateToken();
// Store token with new email temporarily (DB or cache)

Update Email using Auth0 Management API

// Fetch API to update user
fetch('https://YOUR_DOMAIN/api/v2/users/user_id', {
  method: 'PATCH',
  headers: {
    'Authorization': `Bearer YOUR_MANAGEMENT_API_TOKEN`,
    'Content-Type': 'application/json'
  body: JSON.stringify({ email: '' })

I appreciate the effort, but as I stated initially, this is not something I want to implement myself. I am using Auth0 as an IDaaS provider explicitly because anything security related should be handled by experts.

I am loosing faith in Auth0 as they are showing a pattern of completely ignoring questions on this forum. It’s been three months.