How to get updated email_verified value when using auth0-spa-js without logging out user

Our signup flow sends users to the Universal Signup page, after which they are redirected back to our site where we display a message indicating they need to check their email for a verification link.

At this point, on our site, the auth0-spa-js getUser function reports email_verified as false.

The user then checks their email, clicks on the link, and lands back on our site. At this point, on a fresh page load, getUser still reports email_verified as false.

What is the recommended way to get the updated email_verified state? I’ve tried ignoreCache but that requires a relogin which results in a poor user experience.

Heya @heyzk, welcome to the community!

The ignoreCache option on getTokenSilently should allow you to force the SDK to fetch new tokens rather than using the cache, and so getUser or getIdTokenClaims called after that has resolved should provide the updated email_verified value.
If users are being prompted to log in again it may be a cookie issue, such as the browser dropping the cookies as they are considered 3rd party.

If you can set up a Custom Domain so your tenant resides on the same parent domain as your application, then this should stop browsers from dropping the Auth0 session cookies, and allow you to use getTokenSilently with ignoreCache enabled without causing the user to be prompted to log in again.

Failing that, you may need to call loginWithRedirect - this would redirect the user’s browser but the cookies should remain intact this way, thus the user should not be prompted to log in again upon reaching Auth0, and instead be immediately redirected back to your app with new tokens upon the flow’s completion:
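
The flow described in the reply above, written out as an added example; it is not part of the original thread or Auth0's own code. It assumes an auth0-spa-js v1.x client (the version where `ignoreCache` is the option name); `refreshEmailVerified` and `makeStubClient` are hypothetical names, and the stub is a constructed stand-in so the flow runs offline.

```javascript
// Added example. `client` is an Auth0Client as returned by createAuth0Client().
async function refreshEmailVerified(client) {
  try {
    // Skip the SDK token cache so a new ID token is issued from the
    // existing Auth0 session instead of the one cached before verification.
    await client.getTokenSilently({ ignoreCache: true });
  } catch (err) {
    // Silent auth reports "login_required" when the browser withheld the
    // Auth0 session cookie (treated as third-party, no Custom Domain).
    if (err && err.error === 'login_required') {
      // Full-page redirect: the session cookie is sent on a top-level
      // navigation, so an existing session comes back without a prompt.
      await client.loginWithRedirect();
      return { status: 'redirecting', emailVerified: null };
    }
    throw err; // anything else (network, misconfiguration) is not handled here
  }
  // getUser now reads the claims of the freshly issued ID token.
  const user = await client.getUser();
  return { status: 'refreshed', emailVerified: Boolean(user && user.email_verified) };
}

// Constructed stand-in for an Auth0Client; records which methods were called.
function makeStubClient({ cookieBlocked }) {
  const calls = [];
  return {
    calls,
    async getTokenSilently(opts) {
      calls.push(['getTokenSilently', opts]);
      if (cookieBlocked) {
        throw Object.assign(new Error('Login required'), { error: 'login_required' });
      }
      return 'constructed-access-token';
    },
    async getUser() {
      calls.push(['getUser']);
      return { email: 'user@example.com', email_verified: true };
    },
    async loginWithRedirect() {
      calls.push(['loginWithRedirect']);
    }
  };
}
```

The returned flag is a UI hint only; an API that gates on verification should check `email_verified` in a token it validates itself.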

Hi sgo, apologies, I clearly stated that I’ve tried using the ignoreCache option and while that did return the correct email_verified state, it was only after the user has logged in again which is not a good experience and overly complicated for what I’m trying to accomplish.

Also, setting ignoreCache requires prior knowledge on whether or not the user had just signed up, which requires a separate code path to send the user to after a sign up, which requires passing some state through the auth0 login / signup flow. So to do something which should be simple (give me the non-cached user state) I need to touch code across half the app.

This is not a good solution, am I missing something?