Hi @john.noble. Welcome!
There’s one main setting that governs public signup, and it’s per-database connection:
What this does is prevent usage of the (public) /dbconnections/signup endpoint, meaning that no unauthorized party will be able to create a user. Lock (the widget login UI) and other parts of Auth0 will pick that up, and stop offering a “Signup” alternative to users.
If there are no public signups, it’s applications that are supposed to handle the flow, via the Management API v2’s Create User endpoint.
So going back to your questions:
Options:
User could enter the code first into our service, we validate, then allow them to pass on to Auth0 to sign up (not sure how to protect sign up so only those who have validated their code could progress).
Once you validate the code in your app, the app itself should own the rest of it: ask the user for the details (email, password and so on) and create the user using Management API v2.
Add a custom field to the sign up form for the code. We somehow validated that code via a callback to a service we provide to validate the code. If not valid, sign up fails.
I guess you could make it work using custom signup fields and pre-registration hooks, but it will be less than ideal. The built-in signup UIs in Auth0 (Lock and the new Universal Login) are not really designed for these kinds of validations, so doing your own signup UI (the other option) will be a wiser choice.
Hope that helps!
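
The first option from the reply above (validate the code in your own backend, then create the user through the Management API v2 Create User endpoint), sketched as an added example that is not part of the original post or Auth0's own code. The tenant domain, connection name, `InviteStore` class and function names are assumptions for illustration; the Management API token is assumed to carry the `create:users` scope and to stay on the server.

```python
import hashlib, hmac, json
import urllib.error, urllib.request

# Assumed values, not from the original post.
AUTH0_DOMAIN = "example-tenant.auth0.com"        # placeholder tenant
CONNECTION = "Username-Password-Authentication"  # assumed database connection name

def _digest(code):
    return hashlib.sha256(code.strip().encode()).hexdigest()

class InviteStore:
    """Hypothetical in-memory store holding only digests of unused codes."""
    def __init__(self, codes):
        self._unused = {_digest(c) for c in codes}

    def redeem(self, code):
        # Constant-time comparison; the code is reserved before any API call.
        d = _digest(code)
        match = next((u for u in self._unused if hmac.compare_digest(d, u)), None)
        if match is None:
            return False
        self._unused.discard(match)
        return True

    def restore(self, code):
        self._unused.add(_digest(code))

def http_post(url, headers, body):
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, {}

def signup_with_code(store, code, email, password, mgmt_token, post=http_post):
    """Create the Auth0 user only after the invite code has been redeemed."""
    if not store.redeem(code):
        return {"ok": False, "error": "invalid_code"}
    status, data = post(
        f"https://{AUTH0_DOMAIN}/api/v2/users",
        {"Authorization": f"Bearer {mgmt_token}", "Content-Type": "application/json"},
        {"email": email, "password": password, "connection": CONNECTION},
    )
    if status != 201:
        store.restore(code)  # creation failed, so the code stays usable
        return {"ok": False, "error": "create_failed"}
    return {"ok": True, "user_id": data.get("user_id")}
```

With signups disabled on the connection, this backend path is the only way a user gets created, so each invite code maps to at most one account.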