Magic link being sent right before OTP mail on first login

I have an app setup with OTP passwordless login with sign-ups disabled. We create all users manually. Recently we found out that on the first login of any given user, two emails are sent, one with a magic link and another one with an OTP code. I believe this is a bug, can you guys look into it? Thanks!

Hi @akiratoma,

Welcome to the Auth0 Community!

What are you Auth0 Dashboard logs showing? It should be clear what is being sent from the logs.

My bad, the magic link email isn’t being sent on the first login, but rather on user creation. Whenever we create a new user manually via the API, a “Code/Link Sent” log is recorded before the “API Operation - Create a User” log. The email being sent corresponds to a magic link sign-in email stating: “Click and confirm that you want to sign in to {}. This link will expire in three minutes.”

Both the “Verification Email (using Link)” and “Welcome Email” templates are disabled.

If I create the user with the email_verified: true parameter, it won’t send the magic link email. This serves effectively as a workaround, but I still think something is going on.


Have you tried using the "verify_email":false parameter? This should prevent the verification email.

Nope, with "verify_email":false it still sends a sign-in magic link email, but with "email_verified":true, it doesn’t.

Could you provide a screenshot of the logs you are seeing in relation to the operation? Please make sure to obscure any sensitive data, you can also pass it in a DM if you prefer.

The following log is generated when I create a user via the API with the "verify_email":false option:

  "date": "2024-01-22T19:36:32.364Z",
  "type": "cls",
  "description": <email>,
  "connection": "email",
  "connection_id": <connection_id>,
  "client_id": <client_id>,
  "client_name": <client_name>,
  "ip": <ip>,
  "user_agent": <user_agent>,
  "details": {
    "link": "https://<domain>/passwordless/verify_redirect?scope=openid&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback&verification_code=******&connection=email&client_id=<client_id>&email=<email>",
    "body": {
      "client_id": <client_id>,
      "tenant": <tenant>
      "email": <email>,
      "connection": "email",
      "is_signup": false
    "authentication_methods": [
  "user_id": "",
  "user_name": <email>,
  "strategy": "email",
  "strategy_type": "passwordless",
  "log_id": "90020240122193632454880000000000000001223372044170758233",
  "_id": "90020240122193632454880000000000000001223372044170758233",
  "isMobile": false,
  "id": "90020240122193632454880000000000000001223372044170758233"