Managing Email Collection and Verification in Auth0 for SSO Across Multiple Projects

I am using Auth0 for single sign-on (SSO), with three projects sharing the same tenant. In all these projects, having an email is mandatory. Users logging in via Auth0 in my projects should always have an email. However, I noticed that Facebook allows account binding via phone number, which means that users logging in through Facebook OAuth in Auth0 may not have an email. I want to enforce a process within the Auth0 login flow that requires users to provide an email if it is missing, rather than handling missing emails separately in each project. How can I achieve this?

Additionally, I want users to verify their email during the Auth0 registration and login process, so that when they are redirected to the project, there is no need to handle verification again. Currently, Auth0 sends a verification email during registration but does not block the redirection; users are redirected to the project URL immediately. If a user does not click the verification email, I still need to verify their email status in each project. I hope to integrate the email verification flow directly into Auth0, such that after registration, users are redirected to a “waiting for verification” page, or during login, if their email is unverified, they are sent to the same page, with the ability to resend the verification email.

These two requirements are related: when a user does not have an email, they should be prompted to provide one; once submitted, a verification email should be sent immediately, and the user should be redirected to the verification-waiting page with the option to resend the email.

So far, I have tried using Actions, Forms, and Flows to manage this, but unfortunately, I have not been successful. Ideally, I would like to handle everything within the Auth0 platform. I would like to know whether Actions, Forms, and Flows can accomplish all the points I mentioned. If it is possible, I would appreciate some references or examples. If not, are there alternative solutions? The only alternative I am aware of is redirecting users from Actions to a custom page to collect emails and handle verification (including resending), but this requires maintaining a separate project. I would prefer a solution that works entirely within Auth0.

I hope to get some guidance.
Thank you.

Hi @isboyjc

Welcome to the Auth0 Community!

I am sorry about the delayed response to your questions.

You should be able to accomplish that respective flow using Auth0 Actions and Forms.
Within an Action, you will need to check if the respective user is logging in using the Facebook social connection and if their email address is populated as such:

exports.onExecutePostLogin = async (event, api) => {
  // Only users arriving through the Facebook social connection are checked.
  // A missing, empty or whitespace-only email counts as "not populated";
  // comparing against a single space (" ") would never match those values.
  const email = (event.user.email || "").trim();
  if (event.connection.name === "facebook" && email === "") {
    api.prompt.render('{{form_ID}}'); // render the Form that collects an email
  }
}

In your Form, you can create the following form structure:

The flow below does the following:

  • Retrieve email address from user
  • Send an Email Verification Ticket to the email address
  • Step informing the user to check their account
  • Flow which adds the email address to the user profile

Once the Form flow is completed, in the onContinuePostLogin you can check if your users have their email verified like this:

exports.onContinuePostLogin = async (event, api) => {
  // Runs after the Form completes; block the login until the email is verified.
  if (!event.user.email_verified) {
    api.access.deny("Your email address is not verified. Please verify it and try to log in again");
  }
}

If you have any other questions, let me know!

Kind Regards,
Nik

Thank you very much for your reply. I now have a general understanding of the overall process.

However, since this is my first time using Auth0, I’m still not very familiar with it and have some questions. In the form flow you mentioned, after the user enters an email address and clicks continue, a verification email is sent. I see that you are calling the /v2/tickets/email-verification endpoint, which requires a provider parameter. But in this case, the user hasn’t bound an email yet. How can a verification email be sent to the email address provided by the user?

After the user receives the email and clicks the verification link, how can the verified email then be added to the user’s profile?

Or are there some similar templates to refer to?

I look forward to your clarification. Thank you.

Glad I could help!

However, I just noticed a fault in the flow I have proposed above.

Basically, after the user inputs their email address, you would need to switch the order of the flows above as such:

In this Form, the process will be as follows:

  • The user will enter their email in the first step

  • Using an Update User flow, you will update their email address of the user provided in the context as such:

  • The Flow will retrieve the user ID from the context of the form by using {{context.user.user_id}} and update the email value of the user with the value that they entered in the email field (which is accessed by using {{fields.email}} // take note that email is the ID/Name you set on the specific field).

  • Use a Custom API Request Flow with the /v2/jobs/post-verification-email endpoint. Since the user will have had their email set previously, you will need to send the proper body request containing their user_id and connection used.

  • Once that is done, you will notify the user to check their email and also provide them the option to go back (in case they have set the wrong email address; to mitigate this, you can make the email visible inside the text, as such: "Please check {{fields.email}} to verify your account.")

That is how the flow basically works: you set all the required information during the flow, and using the new endpoint you will not need to configure an email provider in order to send an email using the generated email verification ticket.

Please keep in mind that the email address is added prior to it being verified. The user will need to verify it before ending the Form’s flow otherwise they will be denied access. In addition to denying access, you could also redirect them to the logout endpoint where they will be asked to re-authenticate.

If you have any other questions or need further clarification, let me know!

Kind Regards,
Nik

Hi, Nik
Thanks for your reply.

Unfortunately, I still haven’t succeeded.
I have some questions about using HTTP in a Flow to call the Management API to send verification emails. I checked the documentation and saw that calling the Management API requires generating Access Tokens, but I don’t quite understand how to generate them. Do I need to create a new Machine-to-Machine Application to obtain the Access Tokens? Then use these Access Tokens to call the Management API to send the email — are all these steps supposed to be done within the Flow? Are there any examples I can refer to?

Also, I noticed that in Flow there is an option called “Verify email address.” What is this for? It seems similar to what I need.

Additionally, I have already paid for Auth0, and the project is about to go live. I would like to inquire whether Auth0 offers technical support for paying users beyond the community resources.

Looking forward to your reply. Thank you.
Isboyjc

Hi again!

Regarding the management API access token, you can just retrieve it from the Dashboard under Applications → APIs → Auth0 Management API → API Explorer and add it as a header to the custom api request as Authorization for the name and Bearer {{token}} as the value. Unfortunately, there are no examples provided regarding implementing such a flow using Auth0 Forms. As an alternative, if you are using a custom email provider such as SendGrid, you also have the option to send an email using the Send SendGrid Email flow.

Otherwise, regarding the Verify Email Address flow, it does not send a verification email or set an email address as verified within the Auth0 context; it is used to perform a number of selected verification rules against a provided email address.

Finally, if your tenant is under a plan, you also have the option to open a support ticket in order to receive further and live assistance from our dedicated support engineers team.

Hope I was able to answer all of your questions and if I can help you with anything else, let me know!

Kind Regards,
Nik

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Hi again!

I have reopened this topic due to some oversights regarding the previous answer to the issue at hand.

For users created using a Social Connection, you are unable to modify base attributes via the Management API (things such as email, username etc). In the flow presented above, instead of modifying the email attribute, you would need to add it inside the user metadata as such:

"user_metadata": {
   "user_email": "{{email added in form}}"
}

Otherwise, the continuation of the flow itself is not necessary due to the fact that the Management API cannot be used to send a verification email to an address which is not set as the base attribute. In order to achieve the required flow, Auth0 does not have an out of the box solution and it would require a custom verification flow using an email provider in order to set a flag inside app_metadata that the email was verified.

If there are any other questions regarding the matter, please leave a reply!

Kind Regards,
Nik

Hi Nik,

Thanks for your reply.

Is it true that we can’t modify a user’s email address in Auth0 via API? That seems quite unreasonable. If I store the new email in user_metadata, does that mean when the system synchronizes user information, it has to handle both the original user data and the user_metadata data at the same time?

I’m also a bit confused about what you meant — do you mean we should temporarily store the new email in user_metadata, then use a custom service to send a verification email, and only after verification update the email in the core user data?

Additionally, here are my three main requirements:

  1. When a user logs in with Facebook and does not have an email address, they should be able to add one through Auth0.
  2. When a user logs in with a private or relay email (for example, Apple login without sharing their real email), the system should detect it and ask the user to provide a valid and secure email address.
  3. When a user registers or logs in through Auth0 but hasn’t verified their email, they should not be allowed to access the system. The interface should prompt them to verify their email and provide an option to resend the verification email.

Best regards,
isboyjc

Is it true that we can’t modify a user’s email address in Auth0 via API? That seems quite unreasonable. If I store the new email in user_metadata , does that mean when the system synchronizes user information, it has to handle both the original user data and the user_metadata data at the same time?

For a user which was created by Auth0 via Universal Login, the email property can be modified via the Management API; however, for external users created by social/enterprise connections, their identity is managed by a 3rd party and the Management API is unable to perform changes to their primary data (such as email/phone number/username). In the case you presented above, in order to have a Facebook user without an email have one associated with their Auth0 identity, it needs to be set in their metadata.

I’m also a bit confused about what you meant — do you mean we should temporarily store the new email in user_metadata , then use a custom service to send a verification email, and only after verification update the email in the core user data?

You can store the email address in the user_metadata indefinitely in order to have it associated with their identity; however, since the email address will not be a primary attribute in user_metadata, it cannot be verified by Auth0’s system. Usually, social and enterprise connections would have their email_verified flag set to true automatically. If you wish to verify the email address set for these kinds of users, you would need a custom flow outside of Auth0.

  1. When a user logs in with Facebook and does not have an email address, they should be able to add one through Auth0.

This is possible as mentioned above; you can set it in user_metadata using a Form during the authentication flow.

  2. When a user logs in with a private or relay email (for example, Apple login without sharing their real email), the system should detect it and ask the user to provide a valid and secure email address.

In regards to detecting such an email, you can check out this blog about the Email Verification API Signals. Depending on the score, you can render a form for users logging in through the Apple connection and prompt them to add their real email.

  3. When a user registers or logs in through Auth0 but hasn’t verified their email, they should not be allowed to access the system. The interface should prompt them to verify their email and provide an option to resend the verification email.

This can be achieved for Auth0 users by going to the database connection that you are using for your application → Attributes → Email → Configure → Verify Email on Signup, and then checking the value of email_verified and denying access if necessary. As mentioned before, for users logging in through social/enterprise connections, this flag is automatically true. As an alternative for all users, you can enforce email MFA in order to have them validate their email address during the login flow and set a custom attribute in their app_metadata (such as “verified_email”) to check in a Post Login Action.

Kind Regards,
Nik
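An added example (not code from this thread or from Auth0) that brings together the missing-email check from the first reply, the user_metadata / app_metadata placement described in the replies above, and the relay-email detection from requirement 2, as a single Post Login Action. Assumed names: FORM_ID is a placeholder for the Form that collects the address, user_metadata.user_email is where that address is stored for social users, and app_metadata.email_verified_custom is the flag an external verification flow sets once the metadata address has been confirmed.

```javascript
// Added example, not code from the thread or from Auth0. Assumed names: FORM_ID
// (placeholder), user_metadata.user_email (address collected by the Form) and
// app_metadata.email_verified_custom (set by an external verification flow).
const FORM_ID = "REPLACE_WITH_FORM_ID"; // placeholder, not a real Auth0 form id
// Apple's "Hide My Email" relay domain; append further relay domains as needed.
const RELAY_DOMAINS = ["privaterelay.appleid.com"];

// Usable = non-blank string with a domain that is not a relay (catches undefined, "", " ").
function isUsableEmail(email) {
  if (typeof email !== "string") return false;
  const addr = email.trim().toLowerCase();
  const at = addr.lastIndexOf("@");
  if (at <= 0 || at === addr.length - 1) return false; // "", " ", "a@", "@b"
  return !RELAY_DOMAINS.includes(addr.slice(at + 1));
}

// The address we rely on is either the profile email (database users, social
// users that shared one) or the user_metadata copy (social users without one).
function needsEmailPrompt(event) {
  const user = event.user || {};
  const meta = user.user_metadata || {};
  return !(isUsableEmail(user.email) || isUsableEmail(meta.user_email));
}

// Profile emails carry Auth0's own email_verified flag; metadata emails cannot be
// verified by Auth0, so the custom app_metadata flag is authoritative for them.
function isVerified(event) {
  const user = event.user || {};
  if (isUsableEmail(user.email)) return user.email_verified === true;
  return (user.app_metadata || {}).email_verified_custom === true;
}

const DENY_MSG = "Your email address is not verified. Please verify it and try to log in again";
const onExecutePostLogin = async (event, api) => {
  if (needsEmailPrompt(event)) {
    api.prompt.render(FORM_ID); // execution resumes in onContinuePostLogin
  } else if (!isVerified(event)) {
    api.access.deny(DENY_MSG);
  }
};

const onContinuePostLogin = async (event, api) => {
  if (!isVerified(event)) api.access.deny(DENY_MSG);
};
// Auth0 loads the handlers from `exports` (present when run as a CommonJS module).
if (typeof exports === "object") {
  exports.onExecutePostLogin = onExecutePostLogin;
  exports.onContinuePostLogin = onContinuePostLogin;
}
```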

OK, I’ll try again. Thank you for your reply.

hello

I initiated a work order, and the suggestions given to me by the work order are as follows:

I think this is a reasonable solution, so I implemented it, but I encountered some problems. After I created the user and associated it, an error was reported when I clicked Next. How should I deal with it?

I confirm that I have successfully created and linked the account, but I continue to get errors.

When the user logs in using Apple’s private email, I ask the user to provide the email password to create a main account and associate the Apple account to the main account. Is it because after the account is associated, the currently logged-in Apple account has changed after being associated, resulting in an error in the next step?

Hi!

As far as I have checked on the tenant, I could not find any errors inside the logs which would provide more information on this matter.

Is it because after the account is associated, the currently logged-in Apple account has changed after being associated, resulting in an error in the next step?

This might be the case; could you confirm whether any future logins using the linked identity work as expected or encounter any other issues? If the new identity can log in just fine, I would recommend forcing re-authentication after the form is executed in order for the transaction to keep the same user information.

Looking forward to your update.

Kind Regards,
Nik