I’m not sure if this would be an “invite flow” or “invite-only flow”, or what, but we have a web app (SPA Angular appwith a .Net Core Web API) where the main user (administrator) creates an account with our software package on our web app, and then our API creates an account on Auth0 using the Management API. The administrator then can create as many users as he likes for his staff/employees. Again, for each of these users, our API creates a user on Auth0 using the Management API. Since, as far as I’m aware, a user must be assigned a password at the moment of creation, the administrator must pick a password for each user he creates. Auth0 then automatically sends out an email to each of these users asking them to verify their email address. When the user follows this link, it takes them to the Auth0 login screen where they have to fill in their email address and password. However, the user doesn’t know what his password is unless the administrator tells him.
My question is: is there no way at all to defer picking a password until the user logs in for the first time? Upon first logon, the user could pick their own password.
Alternatively, if a password MUST be set at the moment of creating the user, could this password be displayed to the user in the email verification email? I would essentially treat this as a temporary password, as I would also require the user to change their password upon first logon in this case.,