Hi @gavin1
Welcome to the Auth0 Community!
Thank you for posting your question. The Post‑Login Action that links only when both identities have the same, verified e‑mail and come from trusted IdPs is the recommended approach that we can propose at this time for the account linking. The high-level overview you find under this link → https://auth0.com/docs/manage-users/user-accounts/user-account-linking, and if you want the check the use case on the client-side implementation you can find it here → https://auth0.com/docs/manage-users/user-accounts/user-account-linking/user-initiated-account-linking-client-side-implementation. You can find the code snippet for the action in the Action Templates Library → https://auth0.com/docs/customize/actions/actions-templates
In terms of the precautions, for both manual and automatic account links, your tenant should request authentication for both accounts before linking occurs.
In addition, every manual account link should prompt the user to enter credentials.
Additional Sources:
- Account Linking Using Post-Login Actions
- Account Linking Considerations for Email Case Sensitivity
- How to Implement Client-Side User Initiated Account Linking
Thanks
Dawid