How to deal with unverified users

Hi everyone,

I’m using a basic username - password flow, but I’m worried about spam bots clogging up my MAU count.

What would be the best way to deal with unverified users? Perhaps a cron job script that calls the API every week and deletes users that aren’t verified and who haven’t tried to login within x amount of time?

It would be great to hear feedback on this. Thanks!

Hi @raph90,

Thanks for reaching out to the Auth0 Community!

The best way to deal with unverified users is to set up a Post-Login Action that checks if the user has verified their email.

If so, they can continue onto the application as usual. Otherwise, this will prevent them from consuming your Monthly Active Users (MAU) count.

Below is the Post-Login Action script needed to accomplish this:

exports.onExecutePostLogin = async (event, api) => {
  if (!event.user.email_verified) {
    api.access.deny(`Please verify your email address to continue onto ${}.`);

Please let me know if there’s anything else I can do to help.


Hi Rueben, thank you for your reply.

If I call api.redirect.sendUserTo instead of api.access.deny in that callback, will I still not be consuming my MAU count?

As it is, that callback is sending me back to my application with the error embedded in the URl.



1 Like

Calling “api.redirect.sendUserTo” instead of “api.access.deny” in that callback, will it account in MAU count?
Exactly same question to How to deal with unverified users - #4 by raph90

Hi @raph90 and @fhn,

Thank you for both of your responses.

To answer both of your questions, using the api.redirect.sendUserTo will consume your MAU count, whereas the api.access.deny will not consume your MAU count.

This is because the redirect call requires a /continue endpoint to be called to resume authentication, thus increasing your MAU count.

I hope this helps!

Please reach out if you have any additional questions.


Thanks for conforming.
Now question is how to redirect user to a page using “api.access.deny” .

My requirement is not use MAU and also redirect to a page showing blocker message in good UI etc.

Hi @fhn,

Thank you for your response.

When redirect users after denying them access, you will have to use a combination of both the api.access.deny() and api.redirect.sendUserTo() methods.

Allow me to clarify, the first step is to deny the user access by calling the api.access.deny() method, and then you can proceed with calling the api.redirect.sendUserTo() method to redirect them to your preferred page.

Please let me know if you have any additional questions.


1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.