How to configure /dbconnections/signup to send OTP for email verification?

I’m trying achieve a setup where users create an account using email/password and then verify their email address using a one-time password. Using a custom UI.

My initial approach was to hit the /dbconnections/signup route passing connection: email. On successful account creation, I would hit /passwordless/start passing connection: email. And then finally authenticate the user with their OTP, which sets the user record’s email_verified property to true.

What I found when trying to set this up is that upon creation of a user via the /signup route, auth0 automatically sends an email verification / authentication link to the email address used.

Is there any way to configure this so that it sends a code instead of a link?

Hello, @pgivens,

This would be considered Email MFA. Email MFA is currently supported only as a backup factor, and we do not support any other implementations.

Let me know if you have any other questions.

1 Like

I don’t want to force MFA for every authentication, I just want to use a code instead of a link for the one-time email verification. Can this be achieved through a rule or something?

Hello, @pgivens,

At the moment we only support email verification via a code, not a link. When users click the link the email would be verified. This is a very good idea, though, and I recommend that you reach out to our Product team directly here, to let them know about this:

Thanks in advance!

Thank you for the replies.

To go at this from a different angle, how might I disable the automatic email that gets sent upon user creation? When I post to the /signup/ route, upon successful user creation, an email gets sent to the user with a magic link and message saying it expires within 3 hours. I don’t have any rules in place to facilitate this, so I assume it’s default behavior. Can that behavior be changed?

Hey @pgivens,

This can be achieved here:

Select the Verification Email template, and turn the Status toggle off. That should deactivate it.

Let me know if this helped!


Just closing the loop on this for posterity’s sake.

What seems obvious to me now but didn’t when I posted this is that the user created by specifying connection: 'email' cannot ever be logged in with a username/password. The endpoint accepts those values but they are disregarded when the connection is set to ‘email.’ So my ideal flow was never going to work. I have resorted to using the new Universal Hosted Login experience.

Thanks for letting us know. Using that as a feedback for one of the teams!