I’m building a Web+ mobile app using Auth0 New Universal Login.
I do NOT want to build any custom hosted login/signup pages — I want to stay fully within Auth0 hosted UI.
My signup form collects:
Email
Password
Custom field: Last 4 SSN (or Last4 ID)
I’m validating Last4 + Email using a Pre-User Registration Action by calling my backend.
If validation fails, I show an error on the Auth0 signup page (this works fine).
If validation succeeds, user is created and Auth0 sends the email verification link.
My requirement:
User must NOT be able to login until they verify their email.
After the user clicks the email verification link, they should be able to login normally.
Current issue / confusion:
After successful signup, Universal Login moves away from the signup form to another screen.
I want the Auth0 UI to clearly show something like:
“We sent a verification email. Please verify before logging in.”
Questions:
Is it possible to show a confirmation message (“Verification email sent”) within Auth0 hosted Universal Login after signup success?
What’s the best Auth0-recommended way to block login until email is verified (especially for mobile apps)?
If I deny login in a Post-Login Action for unverified users, what is the correct UX / error handling approach?
Actions I’m using:
Pre-User Registration Action for backend validation
Post-Login Action to deny access if email_verified is false
I understand the flow that you are trying to achieve and you are definitely on the right track - in order to complete your desired flow, my recommendation would be to:
use our Forms feature within a Post-Login Action in order to check if the user’s email has been verified and deny access based if it has not;
in the Action you can then render a Form that displays your message to the user and they will not move forward with logging in until they verify their email.
It is also possible to not use Forms and simply display the error message within the Post-Login Action itself, although Forms could prove more useful in customizing the look of the error message.
You can use the following template to add to a Post-Login Action in order to deny access if email is not verified:
exports.onExecutePostLogin = async (event, api) => {
if (!event.user.email_verified) {
api.access.deny('Please verify your email before logging in.');
}
};
You can also use event.client within the Action in order to have it trigger according to which application the user is trying to access, more information can be found in our documentation on Actions Triggers: post-login - Event Object - Auth0 Docs.
Allow me to share some additional resources that can prove useful with your integration: