User Update via management API seems to invalidate all in-flight JWTs -- Is this expected/intentional?

We are using the management API via HTTP to update the email_verified status of a previously authenticated user. Upon update, it seems the user’s in-flight/existing token is invalidated and we are forced to reauthenticate.

Is this expected behavior?



In case more clarity would be helpful, this is a step-by-step of this scenario:

  • We are running a react SPA using the auth0 react SDK
  • User registers with our website (via Auth0 sign-up)
  • User is redirected to our website and we silently retrieve a token which generates a consent prompt
  • User presumably accepts the consent for our requested scopes and lands on our website
  • We detect the user has verified their email or not (via user profile API GET to auth0)
  • If user has not verified their email address (username) we send them a confirmation email.
  • (Out of band) User clicks a link they received in email and is redirected back to our website.
  • Website parses link in route that was embedded in the link and flags the email verification request as consumed and updates email_verified state of auth0 user via management API

At this point we are noticing that subsequent “get token silently” SDK calls are returning the “Login required” error in our react application. It seems that updating a user’s profile is invalidating existing authentication sessions. Would just like to confirm if this is the case. We have not experienced this when updating a user’s metadata however, so it seems very strange that there is a difference in update behavior.