Passwordless email update & verification best practices


While struggling with updating and verifying a passwordless user’s email address, I was wondering what the best practices are around this topic.

I couldn’t find any documented best practices for passwordless email update + verification.
I was hoping that I could just update the email, set email_verified to false and verify_email to true using the management API. And that Auth0 would send a verification email, which would “automagically” update the user’s email_verified property to true after the user clicked the email verification link.

But I’m also wondering:

  • Should I manually update the email_verified property with a custom API endpoint and verification link?
  • Should a user even be able to update their email using passwordless? Or should something like account linking be applied with a different email?
  • What’s the best way to prevent a user using passwordless from “locking themselves out” if they update the email with one they don’t have access to (either by mistake or on purpose), and then log out without being able to verify the new email or receive any email for that matter?

Any advice would be greatly appreciated!
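One way to address the lock-out concern in the last bullet is to never overwrite the login address directly: record the new address as *pending*, mail a one-time token to it, and only commit the change once that token comes back. Below is an added, self-contained Python sketch of that pattern; it is not code from the original post or from Auth0. It assumes an in-memory `User` record in place of the provider's user object (with Auth0 the pending fields would typically be kept in app_metadata and the final commit would be a Management API update of the user's email), and the mail-sending step is left to the caller, which receives the token to put in the verification link.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the identity provider's user record (assumption:
# with a real IdP these fields would live on the stored user, e.g. metadata).
@dataclass
class User:
    user_id: str
    email: str                        # address the user can currently log in with
    email_verified: bool = True
    pending_email: Optional[str] = None
    pending_token_hash: Optional[str] = None
    pending_expires_at: float = 0.0

TOKEN_TTL_SECONDS = 15 * 60           # verification link lifetime


def _hash_token(token: str) -> str:
    # Only a hash of the token is stored, so a leaked record does not yield a usable link.
    return hashlib.sha256(token.encode()).hexdigest()


def request_email_change(user: User, new_email: str, now: Optional[float] = None) -> str:
    """Record new_email as pending and return the one-time token to mail to it.

    The current login address (user.email) is left untouched, so a typo in
    new_email, or an address the user cannot read, cannot lock them out:
    they can still sign in with the old address and retry or cancel.
    """
    now = time.time() if now is None else now
    new_email = new_email.strip().lower()
    if new_email == user.email:
        raise ValueError("new address is the same as the current one")
    token = secrets.token_urlsafe(32)
    user.pending_email = new_email
    user.pending_token_hash = _hash_token(token)
    user.pending_expires_at = now + TOKEN_TTL_SECONDS
    return token


def cancel_email_change(user: User) -> None:
    """Drop any pending change; the login address is unaffected."""
    user.pending_email = None
    user.pending_token_hash = None
    user.pending_expires_at = 0.0


def confirm_email_change(user: User, token: str, now: Optional[float] = None) -> bool:
    """Commit the pending address only if the presented token is valid and unexpired."""
    now = time.time() if now is None else now
    if user.pending_email is None or user.pending_token_hash is None:
        return False
    if now > user.pending_expires_at:
        cancel_email_change(user)             # expired link: user must start over
        return False
    if not hmac.compare_digest(_hash_token(token), user.pending_token_hash):
        return False                          # wrong token: keep the pending state
    # Proof of control over the new mailbox: now it is safe to switch the login address.
    user.email = user.pending_email
    user.email_verified = True
    cancel_email_change(user)
    return True


if __name__ == "__main__":
    u = User("user|constructed-1", "old@example.test")
    tok = request_email_change(u, "New@Example.test")
    print("still logs in as:", u.email, "| pending:", u.pending_email)
    print("confirm with wrong token:", confirm_email_change(u, "not-the-token"))
    print("confirm with mailed token:", confirm_email_change(u, tok), "->", u.email)
```

Because the old address stays the login identity until the new one is proven, the "locked out" scenario reduces to an unconfirmed pending change that simply expires; the only address that ever becomes the login identity is one the user has demonstrably received mail at.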