Invite-Only Applications

Many SaaS apps allow self-service provisioning, where users register themselves and begin using the app. Other apps do not allow such signups. Instead, the customer (typically an organization) pays upfront for a number of users, and only end users with the appropriate credentials may sign up and access the app. In such cases, you can use an invite-only workflow for authorization.

Example Scenario: ExampleCo

In this tutorial, we will work through a sample setup for the fictional company, ExampleCo.

ExampleCo is a multi-tenant SaaS solution offering cloud-based analytics. Customers purchasing licenses send ExampleCo lists of the users who should have access to the application.

You can handle this requirement in Auth0 using an Enterprise Connection (federation) with each customer's identity provider, such as ADFS or SAML-P. This lets the customer authenticate users against their own Active Directory and specify who gets access to the app.

The invite-only authorization flow includes the following steps:

  1. Creating new users in ExampleCo and bulk importing the same users into Auth0
  2. Triggering the email verification process via Auth0
  3. Triggering the password reset process via Auth0

Set up your Application

You can store all ExampleCo end users in a single database connection, since every user will sign in with a unique corporate email address.

To prevent users from signing themselves up and adding themselves to the database connection, select the Disable Sign Ups option on the connection so that users can only be created from the backend.

You will need to create an application in the Dashboard with the correct parameters:

  • Name: give your application a clear name, as it will appear in the emails sent out during the invite-only workflow.
  • Application Type: this will be a regular web application.
  • Allowed Callback URLs: this should be the URL of your app.

Since this application needs to access the Management API, you'll need to authorize it and set its scopes as follows:

  • Go to the APIs section of the Dashboard.
  • Select Auth0 Management API.
  • Click over to the Machine to Machine Applications tab.
  • Find the application you just created, and set its toggle to Authorized.
  • Use the down arrow to open up the scopes selection area. Select the following scopes: read:users, update:users, delete:users, create:users, and create:user_tickets.
  • Click Update.


Import Users

Every user that exists in ExampleCo should be created in your Auth0 database connection as well. Auth0 offers a bulk user import functionality for this purpose.

Email Verification

Once you've created the user in Auth0, your app sends a POST request to the Create an Email Verification Ticket endpoint, which triggers the email the user follows to verify their address.

Be sure to update the following placeholder values:

  • MGMT_API_ACCESS_TOKEN: replace with your API Access Token
  • YOUR_APP_CALLBACK_URL: replace with the callback/return URL for your app
  • USER_ID: replace with the Auth0 user ID for the end user

Password Reset

Once the user's email is verified, you will need to initiate the password change process. To do so, your app makes a POST request to Auth0's Management API.

Be sure to replace the placeholder values for your API Access Token, as well as those within the body of the call, including the callback/return URL for your app and the user's details.
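The following added example (not Auth0's own code) shows how the Email Verification and Password Reset steps above are issued against the Management API v2 ticket endpoints, `POST /api/v2/tickets/email-verification` and `POST /api/v2/tickets/password-change`, each taking `user_id` and `result_url` and returning a `ticket` URL. The tenant domain, token, user ID and callback URL are constructed placeholders; the injectable `send` parameter is an assumption added so the calls can be exercised without network access.

```python
import json
import urllib.request

# The two ticket endpoints of the Management API v2 used by the invite flow
TICKET_PATHS = {
    "email-verification": "/api/v2/tickets/email-verification",
    "password-change": "/api/v2/tickets/password-change",
}


def build_ticket_request(domain, token, ticket_type, user_id, result_url):
    """Build the POST for one ticket type; `token` is the Management API
    access token (MGMT_API_ACCESS_TOKEN on the page)."""
    if ticket_type not in TICKET_PATHS:
        raise ValueError(f"unknown ticket type: {ticket_type}")
    if not result_url.startswith("https://"):
        # result_url is where Auth0 redirects the user once the ticket is used
        # (YOUR_APP_CALLBACK_URL); refuse a cleartext redirect target.
        raise ValueError("result_url must use https")
    body = json.dumps({"user_id": user_id, "result_url": result_url}).encode()
    return urllib.request.Request(
        f"https://{domain}{TICKET_PATHS[ticket_type]}",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def http_send(req):
    """Real transport: POST the request and decode the JSON reply."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def create_ticket(domain, token, ticket_type, user_id, result_url, send=http_send):
    """Create one ticket and return the ticket URL the user will follow.
    `send` (assumed helper) is injectable so the call can run without network."""
    reply = send(build_ticket_request(domain, token, ticket_type, user_id, result_url))
    ticket = reply.get("ticket") if isinstance(reply, dict) else None
    if not ticket:
        raise RuntimeError(f"{ticket_type}: no ticket in Management API reply")
    return ticket
```

Call `create_ticket(...)` first with `"email-verification"` and, after the user has verified, again with `"password-change"` for the same `user_id`; the token must carry the `create:user_tickets` scope granted in the setup section.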

This tutorial walked you through implementing an invite-only sign-up flow using the Management API to customize the sign-up process and the email handling.