
Setting user password after email verification

password
change-password
verify

#1

This is a follow-up to this thread: https://auth0.com/forum/t/authenticate-with-email-password-through-the-api/5680, where @jmangelo was helping me

I have another problem that I couldn’t find an answer for; it would be great if you could help!

Is it possible to verify the user using the API, by using your default verification email? e.g. the user clicks on the link and is redirected to our web page, after that I’m calling the API to set the user’s password and verify the account.

The thing here is that sometimes we register users programmatically and they set the password after verifying their email address.


#2

For a database connection user you can update the email_verified attribute of a user through a Management API call. However, have in mind that this is independent of the verification emails functionality. More specifically, a verification email is a way the end-users themselves have to update that attribute to true while the Management API call should be used when you (the developer) are sure the email is correct for a given user; the way you decide the email is verified would be up to you.

Also note that even though you can state that the user should be redirected to your application after clicking the verification email this does not include any sort of user authentication. This redirect is useful to provide a custom user interface with the result of the verification process, but your application should not allow the user to then proceed to change their password based solely on the email parameter it receives as part of the redirect as this would be insecure.

If you want to provision users programmatically you should be sending them a reset password email; this way they can click the link and change their password securely, be redirected to your application and perform a login with the password they just set. Have in mind that if you created the user with email_verified=false the reset/change password would not update this value for you; however, you could do so yourself upon first login of these users because if they are logging in it means that they had access to the change password email and as such the email could be considered implicitly verified.
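The flow the answer above describes, written out as an added example (it is not code from the thread or from Auth0): create the database-connection user with `email_verified=false` through the Management API, trigger the change-password email through the Authentication API's `/dbconnections/change_password` endpoint, and only flip `email_verified` to `true` once the user has actually logged in with the password they set, never on the strength of an email parameter arriving in a redirect. The tenant domain, Management API token, client id and connection name are placeholders; `FakeTransport` is a constructed stand-in for the HTTP sender so the script runs offline, and `http_send` is the real sender you would pass instead.

```python
"""Provision an Auth0 database user, send the reset email, verify on first login.

Added example; assumes placeholder tenant/token/client values below.
"""
import json
import secrets
import urllib.request
from urllib.parse import quote

DOMAIN = "YOUR_TENANT.auth0.com"          # placeholder tenant domain
MGMT_TOKEN = "MANAGEMENT_API_TOKEN"        # placeholder; needs create:users, update:users
CLIENT_ID = "YOUR_CLIENT_ID"               # placeholder application client id
CONNECTION = "Username-Password-Authentication"  # assumed database connection name


def _mgmt_headers(token):
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def create_user_request(domain, token, email, connection):
    """POST /api/v2/users with email_verified=false (nothing is verified yet)."""
    return {
        "method": "POST",
        "url": f"https://{domain}/api/v2/users",
        "headers": _mgmt_headers(token),
        "body": {
            "email": email,
            "connection": connection,
            "email_verified": False,
            # A database user needs an initial password; generate a random one the
            # user never sees. They set their own via the change-password link.
            "password": secrets.token_urlsafe(32),
        },
    }


def change_password_email_request(domain, client_id, email, connection):
    """POST /dbconnections/change_password: sends the reset email to the user."""
    return {
        "method": "POST",
        "url": f"https://{domain}/dbconnections/change_password",
        "headers": {"Content-Type": "application/json"},
        "body": {"client_id": client_id, "email": email, "connection": connection},
    }


def mark_email_verified_request(domain, token, user_id):
    """PATCH /api/v2/users/{id}; the user id ('auth0|...') must be URL-encoded."""
    return {
        "method": "PATCH",
        "url": f"https://{domain}/api/v2/users/{quote(user_id, safe='')}",
        "headers": _mgmt_headers(token),
        "body": {"email_verified": True},
    }


def provision_user(send, domain, token, client_id, email, connection):
    """Create the user and send the reset email. Returns the new user_id."""
    created = send(create_user_request(domain, token, email, connection))
    send(change_password_email_request(domain, client_id, email, connection))
    return created["user_id"]


def verify_email_on_login(send, domain, token, user):
    """Call after a successful login. Logging in proves the user received the
    reset email, so the address is implicitly verified; patch the flag if needed.
    Returns True when a PATCH was sent, False when the flag was already set."""
    if user.get("email_verified"):
        return False
    send(mark_email_verified_request(domain, token, user["user_id"]))
    return True


def http_send(req):
    """Real sender using the standard library. change_password answers with a
    plain-text message rather than JSON, so fall back to wrapping the text."""
    data = json.dumps(req["body"]).encode()
    r = urllib.request.Request(req["url"], data=data, method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(r) as resp:
        raw = resp.read()
    try:
        return json.loads(raw)
    except ValueError:
        return {"message": raw.decode()}


class FakeTransport:
    """Constructed offline stand-in for http_send: records requests, returns
    canned responses shaped like the real ones."""

    def __init__(self):
        self.requests = []

    def __call__(self, req):
        self.requests.append(req)
        if req["method"] == "POST" and req["url"].endswith("/api/v2/users"):
            return {"user_id": "auth0|constructed-id", "email": req["body"]["email"],
                    "email_verified": False}
        return {}


if __name__ == "__main__":
    t = FakeTransport()
    uid = provision_user(t, DOMAIN, MGMT_TOKEN, CLIENT_ID, "alice@example.com", CONNECTION)
    # Later, after the user logs in with the password they chose via the reset link:
    logged_in_user = {"user_id": uid, "email_verified": False}
    print("patched:", verify_email_on_login(t, DOMAIN, MGMT_TOKEN, logged_in_user))
    for r in t.requests:
        print(r["method"], r["url"])
```

The split into request builders and a pluggable `send` keeps the security-relevant decisions visible: the only place `email_verified` becomes `true` is `verify_email_on_login`, which runs after an authenticated login, and the redirect that follows the reset link is never consulted.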


#3