How to sign up gracefully with Username-Password-Authentication ("email_verified": true)

I’m learning JavaScript and think Auth0 will be very helpful.

In a nutshell I want to provide a way for users to register and enforce restrictions if their email address has not been validated. I’m not interested in Social Logins etc. because I need people to register using their work email addresses.

I’ve tried several sample apps but I’m getting stuck on (what I would have thought to be one of the more trivial tasks) how do I check if the user’s email has been validated / verified?

The documentation states that:

This rule will only allow access users that have verified their emails. Note that it might be a better UX to make this verification from your application.

But there is no explanation that I can find of how to make the verification from the application, and I have no idea how to start searching for an answer (well I do, but I couldn’t find anything that helped me). It would be great if someone could provide a few baby steps.


Hello @stevo,

If the user’s email address has been validated, they will have user.email_verified: true in their user profile:

    "email": "",
    "email_verified": true,
    "nickname": "jane.doe",

If you wish to verify the email yourself, you can create an email verification ticket via the Management API.

Hi @markd

[Edit - I had a look at the email verification ticket but that seems to be more to do with requesting the user verify their email as opposed to checking the status of "email_verified": true ]

Thank you - I was confused as I was working through these tutorials (I hadn’t noticed the list to the left), even so I’m still stuck :persevere:

The second tutorial “user profile” does not seem to include the information suggested by your reply, clicking on the [Profile] button in the example provides JSON as shown below:

    "sub": "auth0|5c3333333333333333333333",
    "nickname": "stevo",
    "name": "",
    "picture": "",
    "updated_at": "2019-01-29T20:51:20.032Z"

Clicking on the [Profile] button does not provide any mention of email_verified, however, when I look at the User Profile in the Dashboard I can see the Raw JSON…

So I guess my question is - how do I retrieve the Raw JSON?

Must I use the Management API?

Cheers, S

PS I’ve only completed Tutorials 1 & 2 so far (previously at time of OP Tutorial 1).

This is stretching my skills a bit I think, but I believe if you want to retrieve the entire user profile, then you do need to use the management API and a management API key.

You can add specific parts of the user profile to the user’s idToken using rules and custom claims.

I haven’t had a look at those tutorials in a while, but if I get a chance I might go through them again to see if updates are warranted.

:blush: this is stretching my skills a LOT

Much appreciated, I’ll have a look at the links you sent and see if I can make head or tail out of them.

To provide some context, I’m looking at making an Electron App and had anticipated everything running on the client… from what I understand the Management API should only be run from a secure environment.

This document describes the Auth0 Management API, which is meant to be used by back-end servers or trusted parties performing administrative tasks. Generally speaking, anything that can be done through the Auth0 dashboard (and more) can also be done through this API.

That’s correct, client-side is definitely not secure and should not be trusted. For the latest on securing client-side stuff, have a look at this post. One of the other pros around here may be able to offer some insight into building your app securely. That said, if you do need access to just some of the user’s profile attributes, custom claims should do what you want.


@markd thank you for your help.

I’ve been reading Auth0 documentation for a few days now and finally have a solution based off a SPA Tutorial for User Profile using JavaScript. I ended up using a rule for enforcing email-validation and have modified the code in app.js (handleAuthentication) to provide a more pleasant user experience. It’s a bit ugly, but it works (for the moment).
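
The custom-claim approach suggested earlier in the thread, paired with a check in the SPA after login, as an added example that is not code from this thread or from Auth0's tutorials. The namespace `https://example.com/`, the function names, the view names and the sample users are assumptions; `authResult.idTokenPayload` is the decoded ID token that auth0.js hands to the `parseHash` callback.

```javascript
// Assumed namespace: Auth0 expects custom claims to carry a URL-style prefix.
const NAMESPACE = 'https://example.com/';

// Part 1: an Auth0 Rule. It runs on Auth0's side at login, not in the app,
// and copies the verification flag from the user profile into the ID token.
function addEmailVerifiedClaim(user, context, callback) {
  // A missing or non-boolean flag is treated as "not verified".
  context.idToken[NAMESPACE + 'email_verified'] = user.email_verified === true;
  callback(null, user, context);
}

// Part 2: client side, called from the login handler with the authResult
// that auth0.js produced after validating the ID token.
// Returns the name of the view to show (hypothetical view names).
function viewAfterLogin(authResult) {
  const claims = (authResult && authResult.idTokenPayload) || {};
  return claims[NAMESPACE + 'email_verified'] === true
    ? 'app'
    : 'verify-email-notice';
}

// Constructed stand-in for Auth0's rule pipeline so the rule can be run locally.
function runRule(rule, user) {
  const context = { idToken: {} };
  let result;
  rule(user, context, (err, u, ctx) => {
    result = err
      ? { err }
      : { idTokenPayload: Object.assign({ sub: u.user_id }, ctx.idToken) };
  });
  return result;
}

// Constructed sample users: one verified, one not, one with the flag absent.
const sampleUsers = [
  { user_id: 'auth0|sample-verified', email_verified: true },
  { user_id: 'auth0|sample-unverified', email_verified: false },
  { user_id: 'auth0|sample-missing-flag' },
];
for (const user of sampleUsers) {
  const authResult = runRule(addEmailVerifiedClaim, user);
  console.log(user.user_id, '->', viewAfterLogin(authResult));
}
```

The check in `viewAfterLogin` only decides what to display; anything that must stay restricted still has to be enforced outside the client, for example by the email-verification rule mentioned in the thread.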


