It is extremely annoying that we get daily complaints from new users that they meet a “Error page” when they click on the verify email button in their inbox. Even though you explain the reason behind it is that they click the button twice it is still a very present issue that we cannot handle on our side and you at Auth0 have to handle. This has become extremely frustrating for both us and our users.
I am sorry about the issue that you are experiencing, I understand that this can be infuriating since the error page or message does not indicate a clear reason.
Some of the most common causes for this would be:
Link-scanning software: Security software that scans links can sometimes prematurely “click” the verification link, invalidating it before the legitimate user can interact with it. → Is your application a B2C one or a B2B which would explain this possibility?
Incorrect user identification: If email verification is being integrated with non-unique email configurations, the system needs to correctly identify the user from the verification link. If this process fails, it could manifest as a “state error”. → How are you sending the email verification emails? Are these the default ones from Auth0 by requiring verification on sign-up or do you use any other configuration? Also, do you use the default Auth0 email provider a custom one configured on your tenant?
The verification link might be expired or invalid, and the system may not log these specific failure cases clearly in tenant logs. This can make it appear as a generic state-related issue. → If you are using the default email templates, what is the URL Lifetime configured under the Verification Email (Link) template?
Additionally, can you reproduce this behaviour by following the usual Universal Login Sign-up flow? If not, can you provide me a brief explanation on how is your sign-up flow configured and how are the verification emails sent?
Also, I noticed that your tenant is under a Start-up plan, you should be able to submit a support ticket regarding the matter so that our engineers can have an in-depth look at your logs and configuration.
Thanks for the detailed response. Happy to clarify our setup and findings.
Application type: This is a B2B application. A large portion of our users sign up using corporate email domains, which strongly suggests the presence of enterprise email security and link-scanning solutions.
Email verification flow: We are using Auth0’s default email verification flow, with Require Email Verification enabled on the database connection.
Verification emails are automatically triggered on sign-up
We use the default Auth0 email template
Sign-up is done via Universal Login
Email provider: We are using Auth0’s built-in email provider, with no custom SMTP or custom redirect handling.
Verification link lifetime: The default TTL is configured. This issue is reported by users immediately after sign-up, so link expiration does not appear to be a factor.
Observed behaviour:
Users report landing on an error page when clicking the verification link
Despite this, the user is often already marked as verified in Auth0
This happens on the first perceived click by the user
Initially we suspected double-clicking, but given the B2B context and the high frequency of corporate domains, link-scanning / safe-link tooling pre-consuming the verification link now seems like the most likely explanation.
That said, this results in a very poor end-user experience: users are told to verify their email, then immediately see an error page stating something went wrong – even though verification has actually succeeded. From our side, there is no way to intercept or improve this UX when using the default verification flow.
This has become a recurring onboarding issue for us, generating daily user complaints and support overhead. Even if the root cause is link-scanning or repeated clicks, the current behaviour and messaging are not acceptable for B2B users, and we believe this needs to be addressed at the Auth0 platform level (e.g. idempotent verification links or a clearer “already verified” success state).
We’re happy to open a support ticket and provide tenant details if this helps your engineers investigate further, but at this point we’d really appreciate guidance on how Auth0 recommends handling this scenario, or whether there is a roadmap item addressing it.
Thanks for the detailed information about the configuration on your end, it was indeed helpful.
As we have both stated, this indeed might be caused by some kind of security and link-scanning software on their end.
At this time, there is a backlog item regarding implementing scanner resistant links, however, there is no ETA at this time regarding the feature. Even though you are not able to handle this kind of behaviour directly within Auth0 at this time, there is a possible workaround to prevent this from happening.
You can try setting up a custom domain within Auth0 in order to customize the Verification Email (Link) template to include a Redirect To URL which will take the user to either the login page directly or to a custom page which will inform them that the email was verified and that they should log in.
If you think that you will need to additional information or troubleshooting regarding the matter, you can open a support ticket in order for our support engineers to take a closer look at the activity within the tenant.
Hope this information was helpful, if you have any other questions, let me know!