
Resend email verification without revealing client_secret in the client?


Hi everyone, any help is greatly appreciated! Basically, I am looking to have a button in my app which will re-send the email verification to a user. The problem is that it seems we need to use the Management API to do this, with the endpoint /api/v2/jobs/verification-email, and to get a Management API token I need to send the client_secret.

  1. I can send a call to my own API, which then calls the send email verification on the Management API, thus using my API as a “middleman” so that the client secret isn’t exposed.

  2. I tried adding myauth0domain/api/v2 as an audience when I create my auth0 object; however, the email verification requires “update:users” as a scope, and according to the documentation it only allows me to add the following scopes:

  • read:current_user
  • update:current_user_identities
  • create:current_user_metadata
  • update:current_user_metadata
  • delete:current_user_metadata
  • create:current_user_device_credentials
  • delete:current_user_device_credentials

Option 2 is ideal but, as stated above, it doesn’t allow the correct scope according to the documentation. I just want the easiest way to accomplish this without having to expose my client_secret. It would be great if there was a management token that only affected that one user and allowed me to define any scopes I wanted, etc.

Thank you ahead of time to whoever decides to save me from continuing to bang my head on the wall with this.
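
The "middleman" approach from option 1, sketched as an added example that is not part of the original post or Auth0's own code: a backend function exchanges the client secret for a Management API token and requests the verification email only for the caller's own `sub`. It assumes a machine-to-machine application granted only the `update:users` scope mentioned above, and that the API's middleware has already validated the caller's access token and passes its claims in; `cfg`, `jsonPost`, `tokenRequest`, `verificationRequest`, `resendVerification` and the environment variable names are hypothetical.

```javascript
// Added example: the secret stays on the server. AUTH0_DOMAIN, M2M_CLIENT_ID
// and M2M_CLIENT_SECRET are assumed environment variable names.
const cfg = {
  domain: process.env.AUTH0_DOMAIN || 'tenant.example', // placeholder tenant
  clientId: process.env.M2M_CLIENT_ID || 'placeholder-id',
  clientSecret: process.env.M2M_CLIENT_SECRET || 'placeholder-secret',
};

const jsonPost = (body, headers = {}) => ({
  method: 'POST',
  headers: { 'content-type': 'application/json', ...headers },
  body: JSON.stringify(body),
});

// Client-credentials request for a Management API token (backend only).
function tokenRequest(c) {
  return {
    url: `https://${c.domain}/oauth/token`,
    init: jsonPost({
      grant_type: 'client_credentials',
      client_id: c.clientId,
      client_secret: c.clientSecret,
      audience: `https://${c.domain}/api/v2/`,
    }),
  };
}

// The target user is always the `sub` claim of the caller's already-verified
// access token, never a value from the request body, so a signed-in user can
// only trigger the email for their own account.
function verificationRequest(c, mgmtToken, claims) {
  if (!claims || typeof claims.sub !== 'string' || !claims.sub) throw new Error('missing sub claim');
  return {
    url: `https://${c.domain}/api/v2/jobs/verification-email`,
    init: jsonPost({ user_id: claims.sub }, { authorization: `Bearer ${mgmtToken}` }),
  };
}

// httpFetch is injectable so the flow can be exercised without network access.
async function resendVerification(claims, c = cfg, httpFetch = globalThis.fetch) {
  const t = tokenRequest(c);
  const tokRes = await httpFetch(t.url, t.init);
  if (!tokRes.ok) throw new Error(`token request failed: ${tokRes.status}`);
  const { access_token: mgmtToken } = await tokRes.json();
  const v = verificationRequest(c, mgmtToken, claims);
  const res = await httpFetch(v.url, v.init);
  if (!res.ok) throw new Error(`verification job failed: ${res.status}`);
  return res.json(); // job record returned by the Management API
}
```

In a deployed API, cache the Management API token until it expires and rate-limit the route, since every call sends an email.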