Update user email the right way


I’d like to have a safe and secure way for my users to change their email address.

By safe and secure, I mean that an user shouldn’t be able to set an email that s-he does not control, in order to avoid:

  1. account squatting
  2. users getting locked out of their account, without any usable mean to recover it

With a PATCH on /users/ endpoint of the management API, the new email erases the old one, even if it’s not verified yet. This means the user can potentially be in a state where her-his account has no verified methods for recovery.

There’s been a similar request from another user on the old forum :

The desired workflow was :

1. User changes his email
2. A verification email is sent to the new email address
3. The user will only be able to login with his old email and password until the new email is verified
4. Once the new email is verified the user can only login using the new email address

But the provided answer (link a new identity and delete the old one) doesn’t seem to be completely satisfying and is potentially dangerous.

A malicious user could block others from signing up by attempting to change its email to one that he doesn’t control, thereby linking a new identity to its account, and that unverified email would stay there, preventing the legitimate owner of the email address to sign up.

This angle of attack would be mitigated by the ability of the legitimate user to connect to the malicious account and remove itself from the identities (assuming that a full identity management interface is implemented), but that’s far from a simple and zero-friction scenario.

Can someone please tell me if there is a recommended sane way to update an user’s email with auth0 ?


As stated in the answer to the linked post the change between verified emails is not available out of the box, but there’s sufficient extensibility points to provide a couple of options with different characteristics depending on the exact scenario.

How do you currently handle the signup process for new users? Is it invite only so you know the email is verified, do you prune new users with unverified emails on a regular basis, etc?

The main reason we’re considering to use auth0 in my company is that we’re changing the signup model of our app from invite to open subscription, so there’s no existing process as of now. I was kind of hoping to find well-proven and battle-tested processes implemented in auth0.

One solution I can think of is to avoid user migration to auth0’s store, keep a custom database connection, and manage the verification process on our side (except email), but this means implementing these processes myself, which is quite the opposite of well-proven and battle tested.


This functionality is not available in Auth0 out of the box. One way which you could implement this is to use the Force Email Verification rule:

The flow would work as follows:

  1. User changes email address
  2. You trigger the Post Verification Email job via Management API v2
  3. If they try logging in without having verified the email, they will be blocked by the Rule. If they have verified the email, they can login.
1 Like

Would this be possible only for those users that have changed their email address? If you implement this rule, wouldn’t it apply to ALL users, including those that are signing up for the first time? I am curious about this topic as well because generally we do not force email verification on sign up. Once the user sign up we want them to be logged in right away. However in the case where a logged in user wants to change their email address we would want them to verify the new email address before we actually change it for the user (like the above commenter describes)


In case this is still of interest, and for anyone else that maybe comes across this post, here’s some guidance which can be used to help build out Verified Email Address Change workflow using Auth0: https://youtu.be/RMza7El7IwE