
Management vs "User" API?


I’m a bit confused about how all the APIs are documented.

I have managed to get an access_token to call the /userinfo endpoint to, for example, see if the user’s e-mail is verified.

What I want to do now is to be able to present a user with a non-verified e-mail an option to resend this e-mail if they can’t find it.

Then I found various posts that suggest I use the management API to do that. But as far as I understood it, I can’t give access to the management API to regular users that just log in to my site and that I don’t know anything about? I also do not want the user to get some confusing questions when they log in if they will allow access to some API they don’t know anything about?

I guess I could do some setup to be able to do some machine-to-machine API calls (i.e. my server-side code calls the management API via a token that my server has), but that requires me to use the “Developer Pro” plan and that is WAAAYY more expensive.

Or am I missing something? Should a logged-in user be able to do stuff like resending an e-mail by themselves?

Or is there some API or some kind of setup I am missing here?


:wave: @olaj we could create a new Rule using the Force email verification template, and customize it to add logic for automatically sending email verification on a login attempt from a user with an unverified email address:

function (user, context, callback) {
  if (!user.email_verified) {
    // Combine with a call to our Management API, to trigger an email verification:

    // To avoid multiple email verification emails to be triggered in a short amount of time,
    // use user.app_metadata to store the last time you sent the email verification,
    // and don't automatically send a new one until a few minutes later

    return callback(new UnauthorizedError('Please verify your email before logging in.'));
  } else {
    // Email is verified: let the login continue.
    return callback(null, user, context);
  }
}

Would this work for you?
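
The throttling that the rule's comments describe, as an added example that is not part of the reply above and is not Auth0's template code. The `last_verification_email_sent` key, the five-minute cooldown, the injected `sendVerificationEmail` and `saveAppMetadata` helpers, and the `UnauthorizedError` stand-in are all assumptions made so the logic runs outside the Rules runtime.

```javascript
// Added illustration; names marked "hypothetical" are assumptions, not Auth0 APIs.
const COOLDOWN_MS = 5 * 60 * 1000; // "a few minutes"; value chosen for this example

// Stand-in for the UnauthorizedError global that the Rules runtime provides.
class UnauthorizedError extends Error {}

// True when no verification email was recorded within the cooldown window.
function shouldResend(user, nowMs, cooldownMs = COOLDOWN_MS) {
  const meta = user.app_metadata || {};
  const last = Date.parse(meta.last_verification_email_sent); // hypothetical key
  // A missing or unparsable timestamp (NaN) counts as "never sent".
  return Number.isNaN(last) || nowMs - last >= cooldownMs;
}

// Builds the rule around two injected helpers (both hypothetical):
//   sendVerificationEmail(userId)     triggers the verification email
//   saveAppMetadata(userId, metadata) persists app_metadata for the user
function makeRule({ sendVerificationEmail, saveAppMetadata, now = Date.now }) {
  return function rule(user, context, callback) {
    if (user.email_verified) return callback(null, user, context);

    const deny = () =>
      callback(new UnauthorizedError('Please verify your email before logging in.'));

    // Sent recently: refuse the login without triggering another email.
    if (!shouldResend(user, now())) return deny();

    const meta = Object.assign({}, user.app_metadata, {
      last_verification_email_sent: new Date(now()).toISOString(),
    });
    // Record the timestamp first, so repeated login attempts during a slow
    // or failing send cannot trigger a burst of emails.
    return saveAppMetadata(user.user_id, meta)
      .then(() => sendVerificationEmail(user.user_id))
      .then(deny, deny); // the login is refused whether or not the send succeeded
  };
}
```

Inside an actual Rule the helpers would be inlined into the single function the Rules editor expects.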