Patching a User's Email with the Same Email Causes 'email_verified' Attribute to Become 'false'

Overview

When calling the Management API’s ‘Update a User’ endpoint, the request payload included the user’s email address with capitalization, along with some other attributes. For example, the payload looked like the following:

{
  "email": "User@example.com",
  "app_metadata": { "attr1": "value" }
}

After making the request, the user’s profile had the ‘email_verified’ attribute switched from true to false. This may seem unexpected, since the PATCH request was for the same email address as the one on the profile, which was stored in all lowercase (e.g., “user@example.com”).

This article clarifies whether this is expected behavior for this endpoint.

Applies To

  • Management API
  • email_verified

Cause

This is by design. If a user updates their email, Auth0 cannot confirm whether the new email is verified.

Solution

The recommended approach is to lowercase email addresses before making the request and, ideally, to omit the email attribute entirely when there is no intention of updating it.
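
One way to apply both recommendations before sending the PATCH body, shown as an added example that is not Auth0's own code. The helper name build_user_patch and the sample profile are hypothetical, and the sketch assumes the stored profile holds the email in lowercase, as described above.

```python
import copy
import json


def build_user_patch(stored_profile, changes):
    """Prepare the body for an 'Update a User' PATCH request.

    Returns (payload, email_changes). The email is lowercased, and it is
    dropped from the payload when it matches the address already stored,
    so an unchanged address never reaches the endpoint.
    """
    payload = copy.deepcopy(changes)  # never mutate the caller's dict
    email_changes = False
    if "email" in payload:
        requested = payload["email"].strip().lower()
        stored = (stored_profile.get("email") or "").strip().lower()
        if requested == stored:
            # Same address, different capitalization: omit it entirely.
            del payload["email"]
        else:
            # Genuine change: send it lowercased. Per the article,
            # email_verified will become false and needs re-verification.
            payload["email"] = requested
            email_changes = True
    return payload, email_changes


# Constructed sample profile (not real data).
STORED = {"email": "user@example.com", "email_verified": True}

if __name__ == "__main__":
    samples = [
        {"email": "User@example.com", "app_metadata": {"attr1": "value"}},
        {"email": "New.User@Example.com"},
        {"app_metadata": {"attr1": "value"}},
    ]
    for changes in samples:
        payload, email_changes = build_user_patch(STORED, changes)
        print(json.dumps(payload), "| email change sent:", email_changes)
```

When email_changes is true, the caller should plan to re-verify the new address, because the update will reset ‘email_verified’.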