While struggling with updating and verifying a passwordless user’s email address, I was wondering what the best practices are around this topic.
I couldn’t find any documented best practices for passwordless email update + verification.
I was hoping that I could just update the
true using the management API. And that Auth0 would send a verification email, which would “automagically” update the user’s email_verified property to true, after the user clicked the email verification link.
But I’m also wondering:
- Should I manually update the email_verified property with a custom API endpoint and verification link?
- Should a user even be able to update their email using passwordless? Or should something like account linking be applied with a different email?
- What’s the best way to prevent a user using passwordless from “locking themselves out”? For example, if they update the email to one they don’t have access to (either by mistake or on purpose) and then log out without being able to verify the new email or receive any email, for that matter.
Any advice would be greatly appreciated!