Require New Users to Change Password Before Logging In

Last Updated: Jul 10, 2025

Overview

This article explains how to configure a flow that blocks a new user from logging in until the user resets their password for the first time.

Applies To

  • New Users
  • Change Password

Solution

To block a user from accessing an application until they complete a password change, use a Post-Login Action that denies the login attempt based on the user's email_verified attribute. When a user is created in a database connection, email_verified is false. When the user completes the password change flow via the link sent to their email, Auth0 automatically sets email_verified to true, because following the password reset link proves ownership of the email address. An unverified user is therefore one who has not yet completed the first password reset.

The same Post-Login Action can also send the password reset email on each login attempt. To call the Authentication API from the Action, create a Regular Web Application whose client credentials the Action will use, store those credentials as Action Secrets (read via event.secrets) rather than in the Action source, and add the auth0 package under the Action's Dependencies. For example:

exports.onExecutePostLogin = async (event, api) => {
  const { AuthenticationClient } = require('auth0');

  // Only database (username/password) connections have a password to reset.
  // Social and enterprise connections manage email verification themselves,
  // and change_password would fail for them, so skip the check.
  if (event.connection.strategy !== 'auth0') {
    return;
  }

  // Credentials come from Action Secrets, not from literals in the source.
  const auth = new AuthenticationClient({
    domain: event.secrets.TENANT_DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET
  });

  // email_verified becomes true only after the user follows the reset link,
  // so an unverified user has not completed the first password reset yet.
  if (!event.user.email_verified) {
    // Trigger the password reset email for this user's database connection.
    // If the request throws, the Action errors and the login still fails closed.
    await auth.database.changePassword({
      email: event.user.email,
      connection: event.connection.name
    });

    // Stop the login; the message is returned to the application's callback URL.
    api.access.deny('Please check your mail and reset your password');
  }
};

When the Action denies access, Auth0 redirects to the application's callback URL with error=access_denied and error_description set to the deny message. The application can inspect these parameters and handle the result, for example to show custom messaging to the user. Treat error_description as untrusted input: it arrives in the URL and can be tampered with, so compare it against known values and never render it to the page unescaped.
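The following is an added example of how an application could handle that callback; it is not code from the original article or from Auth0. It assumes the deny message text used in the Action above, a callback URL of https://app.example.com/callback, and that the application has stored the OAuth state value it sent on the authorization request. The sample URLs are constructed for illustration.

```javascript
// Added example (not from the original article): classify the result that
// Auth0 sends to the application's callback URL after a Post-Login Action.
// `error` and `error_description` are the standard OAuth 2.0 error fields.
// The message text is assumed to match the one passed to api.access.deny().
const RESET_REQUIRED_MESSAGE = 'Please check your mail and reset your password';

// Authorization Code flow returns parameters in the query string; Implicit
// flow returns them in the fragment. Merge both so one handler covers each.
function parseCallbackParams(callbackUrl) {
  const url = new URL(callbackUrl);
  const params = new URLSearchParams(url.search);
  if (url.hash.length > 1) {
    for (const [key, value] of new URLSearchParams(url.hash.slice(1))) {
      if (!params.has(key)) params.set(key, value);
    }
  }
  return params;
}

// Map the callback to a fixed set of outcomes with pre-written user messages.
// error_description is attacker-controllable (it is just a URL parameter), so
// it is only compared against a known string and never echoed to the user.
// expectedState is the value the app generated and stored before redirecting
// to /authorize; a mismatch means the callback did not originate from our
// own login attempt and must not be trusted.
function classifyCallback(callbackUrl, expectedState) {
  const params = parseCallbackParams(callbackUrl);

  if (params.get('state') !== expectedState) {
    return { outcome: 'state_mismatch', userMessage: 'Sign-in failed. Please try again.' };
  }

  const error = params.get('error');
  if (!error && params.has('code')) {
    // Normal login: the app would now exchange the code for tokens.
    return { outcome: 'success', userMessage: null };
  }

  if (error === 'access_denied' && params.get('error_description') === RESET_REQUIRED_MESSAGE) {
    return {
      outcome: 'password_reset_required',
      userMessage: 'Before you can sign in, open the email we just sent you and set a new password.'
    };
  }

  // Any other error (including a forged error_description) gets a generic message.
  return { outcome: 'other_error', userMessage: 'Sign-in failed. Please try again.' };
}
```

Because the outcome drives which of a few fixed strings is displayed, a user (or an attacker crafting a link) cannot inject arbitrary text into the page through error_description, and the state check rejects callbacks the application did not initiate.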