Passwordless email update & verification best practices


While struggling with updating- and verifying a paswordless user’s email address, I was wondering what the best practices are around this topic.

I couldn’t find any documented best practices for passwordless email update + verification.
I was hoping that I could just update the email , set email_verified to false and verify_email to true using the management API . And that Auth0 would send a verification email, which would “automagically” update the user’s email_verified property to true, after the user clicked the email verification link.

But I’m also wondering:

  • Should I manually update the email_verified property with a custom API endpoint and verification link?
  • Should a user even be able to update their email using passwordless? Or should something like account linking be applied with a different email?
  • What’s the best way to prevent a user using passwordless from “locking themselves out”? If they update the email with one they don’t have access to (either by mistake or on purpose). And then log out without being able to verify the new email or receive any email for that matter.

Any advice would be greatly appreciated!

Hey there!

Sorry for such a delayed response! We’re doing our best in providing you with the best developer support experience out there but sometimes our bandwidth is just not enough for all the questions coming in. Sorry for the inconvenience!

Can you let us know if you still require further assistance from us?

Hi Konrad, that’s okay, I imagine you’re all quite busy.

I stopped using passwordless and switched to email + password strategy, because I couldn’t figure this out.

But I think it would be quite useful if you could answer my questions (please also see the linked issue) in case other community members find this while struggling with the same problem. And to be honest, I’m still curious how one would Implement this properly.

Additionally, (at the time) I couldn’t find a solution in the documentation either. If it’s still not documented, it might also be a good idea to include it in the docs one way or another.

Sure! I’ll dig into that!

1 Like

Hey there!

Sorry for the delay in response once again but it must have got trapped in between the question coming into community + I just got some guidance from our engineering teams.

We advise to use PATCH /api/v2/users/:id { email: ‘new_email’, email_verified: false, verify_email: true }?

More info:!/Users/patch_users_by_id