How can I enable Passwordless authentication (either email or SMS) where I create the users via the Machine-to-Machine APIs and Disable Self Signup? I’ve got my code working when the “Disable Signups” is not enabled, but as soon as I enable “Disable Signups” then I can no longer create users via the APIs. The problem with leaving that disabled is that anyone can just come and put in their email address and they get a code emailed to them and then they’re into the system.
Hi @brad.younge,
Welcome to the Auth0 Community and thank you for your post.
Firstly, you are correct about creating new users when using this type of connection, since it is also mentioned in our Passwordless documentation that you can:
Create them directly from the Management API if signup is disabled
I am sorry for the inconvenience that you are encountering, but this behavior is actually the expected one, so when users try to log in for the first time they will get a code and will be able to authenticate themselves into the application, as mentioned in this community post as well.
You can also check out this Knowledge Article if you are interested in a workaround that restricts only certain email domains for signing up.
However, I believe this could be a great proposal for a Product Feedback since it might get multiple votes and our engineering will take this into consideration for a future implementation.
Thanks,
Remus
If the documentation says it is possible, but it doesn’t work, I would consider that a bug. Why are you stating that it is a feature request?
Hi @brad.younge,
Thank you for your reply.
Indeed, creating a feedback request is not the most suitable direction in this case, so sorry for that.
I just tested this from my end as well, and what the documentation states is that in the case when users cannot self-sign since the Disable Sign-Up option might be enabled for this specific reason, then they can be created using the Management API. I was able to reproduce this, and even though the toggle in question was turned on or off, a user was still created when using a passwordless email connection.
So I would recommend making a POST request to the /api/v2/users endpoint using our Management API since that should work in your use case as well.
Hope this helped,
Remus
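The server-side provisioning flow discussed in this thread, as an added example that is not code from the posts or from Auth0: a Machine-to-Machine application obtains a Management API token through the client-credentials grant, then calls POST /api/v2/users against a passwordless connection. It assumes the default passwordless connection names `email` and `sms`, an M2M application authorized for the Management API with the `create:users` scope, and hypothetical environment variable names for the tenant domain and credentials.

```python
import json
import os
import re
import urllib.request

# Assumed default passwordless connection names -> identifier field each one uses.
CHANNELS = {"email": "email", "sms": "phone_number"}

def _post(url, body, token=None):
    """Build (but do not send) a JSON POST request."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST")

def token_request(domain, client_id, client_secret):
    """Client-credentials request for a Management API access token."""
    return _post(f"https://{domain}/oauth/token", {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": f"https://{domain}/api/v2/",
    })

def create_user_request(domain, token, channel, identifier):
    """POST /api/v2/users for a passwordless connection ("email" or "sms")."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown passwordless channel: {channel!r}")
    if channel == "email" and not re.fullmatch(r"[^@\s]+@[^@\s]+", identifier):
        raise ValueError("identifier is not an email address")
    if channel == "sms" and not re.fullmatch(r"\+[1-9]\d{6,14}", identifier):
        raise ValueError("phone number must be in E.164 form, e.g. +15551234567")
    body = {"connection": channel, CHANNELS[channel]: identifier}
    return _post(f"https://{domain}/api/v2/users", body, token)

def send(req):
    """Send a prepared request and decode the JSON response."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def provision(domain, client_id, client_secret, channel, identifier):
    """Full flow: fetch a token, then create the user."""
    token = send(token_request(domain, client_id, client_secret))["access_token"]
    return send(create_user_request(domain, token, channel, identifier))

if __name__ == "__main__":
    # Hypothetical variable names; keep the client secret out of source control.
    env = os.environ
    print(provision(env["AUTH0_DOMAIN"], env["AUTH0_CLIENT_ID"],
                    env["AUTH0_CLIENT_SECRET"], "email", env["NEW_USER_EMAIL"]))
```
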