I am currently developing a feature for our project’s web application which restricts user registration only to be accessible when a currently existing user (an admin) sends an invitation with our internal backend. My general idea was:
Admin fills in a form to send an invitation email. The invitation email may also include a URL for a password change ticket if the user account has been created before.
The newly created user will be created with Auth0 Management API or the record can be cached temporarily with minimal until the invitee registers on their own and creates their own password.
After successful creation, they will be redirected to the main page. System creates the user on the application’s database.
I have some concerns:
I tried to use this password change API but currently not getting email. I received status 200 and the response said that “We’ve just sent you an email to reset your password.” (may it have to do something with the recent AWS outage?)
How should we apply the right email template? Do we need to modify in the email template in Branding because the password change API is only pertaining to that specific purpose only?
So far, I was referencing from the Guide: Customize → Send Email Invitations for Application Signup, I can’t seem to embed the link in the post here (sorry for any inconvenience).
Thank you for the help in advance. I would be glad to provide more context if needed.
Moreover, for development purposes, how can I set my current local web application server (Next.js 15+) to run under a TLS certificate so it can be set as a universal login URI ("This URI needs to point to a route in your application that should redirect to your tenant's /authorize endpoint", quoted from the application setting)?
I tried to use this password change API but currently not getting email. I received status 200 and the response said that “We’ve just sent you an email to reset your password.” (may it have to do something with the recent AWS outage?)
As long as the correct client_id, connection and email of the user have been provided, it should send the appropriate change password email to the user. Unless the test email was hosted by a domain which experienced an outage or the password change emails are being blocked on the provider's end, the user should receive them normally.
I would recommend using different test emails, if the issue persists, let me know.
How should we apply the right email template? Do we need to modify in the email template in Branding because the password change API is only pertaining to that specific purpose only?
The email template must indeed be changed within the Auth0 Dashboard under Branding → Email Templates → Change Password (Link). As mentioned in our documentation, you need to set up an external SMTP provider in order to send customized emails; otherwise, a default template will be used.
Otherwise, the use case you have presented above is supported by Auth0 and you should not have further issues in implementing it.
If you have any other questions or issues, let me know!
Thank you for the reply. The password-change API works now, and we will be trying to implement the SMTP email provider.
Another question from this invite-only flow is that once users are created, I am trying to write a post-login Auth0 action to check the user's metadata (userVerified, etc.) and make an HTTP call to my own hosted server to mark the user's status in our database as 'active'.
We have a fetch() call which is supposed to return a Response-type object, but the warning log showed that the object does not provide the full Fetch API Response object type with all properties like .ok, .status, .json(), etc., even though fetch is available. (I was trying to use response.ok or response.status for a try/catch flow.) Would you be able to provide a good explanation for this?
Moreover, what do you think is a good way to mark your newly invited user, who has just reset their password in order to start using the application for the first time, in your own user resource database?
From what I understand, the response that is received by the action is different than what is expected. I will have to investigate the matter a little bit to provide more information. Otherwise, how are you trying to mark that property in your own database? Do you make an HTTP call to an external API linked to your database or are you declaring an instance inside the action and using the proper query to update the user?
As an alternative, I would suggest to append to the user profile some metadata like “userVerified = true” inside the token and then have your application handle the “mark” during their first login. You should be able to do that within a PostLogin Action like this:
I will currently mark the above answer as the solution to the topic which will make the topic close automatically in 14 days. However, if you reply back, it will prolong the period or you can unmark the reply as a solution to continue forward. If the topic closes and you still require assistance regarding the matter, you can post again on the community or just DM me to reopen it!
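An added example of the approach suggested in the reply above (not the code from the original reply): a PostLogin Action that puts a `userVerified` claim in the ID token, plus the application-side step that marks the invited user active on first login. The claim namespace `https://example.com`, the `invited` flag in `app_metadata`, and the `db` store are assumptions made for illustration.

```javascript
// Added example. NAMESPACE, the "invited" flag and the db interface are assumptions.
const NAMESPACE = "https://example.com"; // placeholder namespace for custom claims

// Decide from the Auth0 profile whether this login belongs to a verified invitee.
// app_metadata is used for the invite flag because users cannot edit it themselves,
// unlike user_metadata.
function isVerifiedInvitee(user) {
  const meta = user.app_metadata || {};
  return meta.invited === true && user.email_verified === true;
}

// PostLogin Action: expose the result as a namespaced claim in the ID token.
const onExecutePostLogin = async (event, api) => {
  api.idToken.setCustomClaim(`${NAMESPACE}/userVerified`, isVerifiedInvitee(event.user));
};
// In the Auth0 Action editor this is `exports.onExecutePostLogin = ...`.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Application side, run after the ID token has been validated.
// db is a hypothetical store keyed by the Auth0 user id (the `sub` claim).
function activateFromClaims(claims, db) {
  if (claims[`${NAMESPACE}/userVerified`] !== true) return "skipped";
  const row = db.get(claims.sub);
  if (!row) return "unknown-user"; // never create rows from a token: invite-only
  if (row.status === "active") return "already-active"; // safe to repeat on every login
  row.status = "active";
  return "activated";
}
```

Because the activation step is idempotent and only updates rows that already exist, it can run on every login without an outbound HTTP call from the Action.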