Passwordless connections - send params to PreUserRegistration action

I was able to send a code to auth0 using

          connection: "email",
          send: "code",
          email: email,
          authParams: authParams,
        (error: any): void => {


          error ? reject(error) : resolve();

in the authParams I have the following object

const authParams = {
      redirect_uri: redirUrl,
      organization: org_id,

how can I read this in the action?
I go to PreUserRegistration event and did not see that in the event object

Hi @roee,

Try using the event.request.query param in a Post-login Action.

If you want to have this run on first login, you can use a conditional statement with event.stats.logins_count.

Hope that helps!

well I am trying to user the pre registration event to verify some data that I want to pass from a link

Can it be done post login? There is currently a limitation and that would be the best approach.

I Can but I don’t want to do that there → I need to check some params from my app and check them in the pre registration action and if so - don’t create the user at all

Using params from a public client to prevent a signup is prone to manipulation by the end user.

If you provide some more context I can help figure out a more secure solution.

sure. this is actually a nice use case:

I sent an email to a new user with a link. this link contains a base64 hashed object with some data (name , email, role etc) and one spacial key with some of that data encrypted.
the link looks like this:


once I open the base64 string I get my obj:

  "code": "c29b7ae711fccf1d0cae87fc79e2ea295be7a2e0d16701d10f9d31955b477f1e",
  "email": "",
  "id": "XXX-XXX-437e-aa70-dd176952f6b6",
  "YYY": "XXX",
  "XXX": "XXXX",


On the passwordless page in my app I use the webAuth and send the fist email to the user. somthing like that:

          connection: "email",
          send: "code",
          email: email,
          // authParams: authParams,

and the authParams will contain my object

The main idea was to use the " Pre User Registration" flow to verify the the object was not changed on the way.
Something like:

const crypto = require("crypto");

      const base64Obj = // get my data from the request

      const stringToHash = base64Obj.XXX + base64Obj.YYY + +;

      // Calling createHash method
      const hash = crypto.createHmac('sha256', event.secrets.PASSWORDLESS_SECRET)
        // updating data
        // Encoding to be used

      if (hash !== base64Obj.code) {

              api.access.deny('some error msg', event);


in this case I prevent the creation of the user .

Unfortunately, I was unable to pass parameters to this action, or read anything from there. I tried to use redirect_url or additional parameters defined in the connection but without successץ

now I have to sign him up. and make this validation in the Post Login flow, and delete the user if something went wrong.
This is bad in a lot of ways, since I dont want to create the user in the first place (if someone is trying to attack me), and since I am using so auth0 management scripts this also cost me with rate limit

is that making sense now?

Thanks for reading all of this, and for taking the time to help

Thanks for sharing the additional info.

Just to be clear, this object is encoded, not hashed.

The code param in the object is hashed, not encrypted.

If I understand this correctly, you’re essentially creating a signed token, similar to a JWT and confirming it matches the token sent with the magic link.

Can I propose an alternative?

Turn off signups in your passwordless connection and then create users via the management API. You can store the required info in the user profile metadata properties.

Doing this will prevent unwanted signups, and also doesn’t require any passing of tokens, no Actions, and no rolling your own encryption/tokens.

Hi !
Thanks again for your response! I will look into this with the PO and see how this working with the flow

1 Like

Sounds good! Let me know if you have any questions.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.