Verify Emails using Auth0

When using an email address supplied by a user, it is important to verify the user has access to that email. This is true anytime you send an email to a user or if you use email as an index for search. Auth0 does not recommend using an email address as a way to validate that a user is who they say they are.

Email verification is crucial for applications that:

  • use email addresses as one of the primary ways to index users

  • send out emails to users

  • use email addresses to recommend account linking

  • let users create accounts connected to an email address

Auth0 provides several ways to add email verification to your application.

While email verification lowers the risk of accounts being compromised, it is not a perfect solution. Your application may also need other security measures.

Choose the right approach

There are several ways to mark emails as verified or unverified. To figure out which method is right for you, here are a few questions to ask yourself or your team:

  • Am I storing (or planning to store) usernames and passwords in Auth0 (or in a database connected through Auth0)?

  • Do I have special email verification requirements that prevent me from using Auth0's built-in verify email flow?

  • Do I need to bulk set a large number of users to email verified?

  • Do I have users coming from Azure AD, ADFS, or other enterprise connections that will need their emails verified?

If you are storing usernames and passwords in Auth0, or using a custom DB connection to store users in your own system, then you can likely use Auth0's built-in email verification flow.

If you have requirements preventing you from using Auth0's built-in flow or you need to bulk set a large number of users, we have API endpoints to help.

Lastly, if you have users from enterprise connections, some of those connections have special email verification workflows. To learn more, read Special Verification Support.

A common way to verify emails with Auth0 is to email a magic link, or verification link, to the user. When the user clicks the link, the user's email_verified flag is set to true.

By default, Auth0 emails magic links to users when they sign up.

You can also customize when Auth0 sends verification emails, for example if you need to verify emails in bulk or if you want to delay verification until the user performs an action requiring a verified email.

There are two ways to control when the user gets the verification email:

  • Use the email verification job. This triggers Auth0 to send the verification email using the verify email template

  • Create an email verification ticket and send the email yourself, including the ticket the user should click to verify their email

Custom or bulk verification with the Management API

Setting email_verified through the Management API works for social and database connections but does not work for enterprise connections. Keep in mind that the email_verified field may be overwritten by the social identity provider if the data comes from them.

In some cases you may want to verify emails through other means. For example, you may have a list of users to verify in bulk, or you may have some other means of verifying a user's email through a custom workflow you've built yourself.

In these cases you can use the PATCH /api/v2/users endpoint to set email_verified to true.
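The following is an added example, not Auth0's own code: it plans a bulk update by building one PATCH request per user (addressed as /api/v2/users/{id}, the per-user form of the endpoint) and skips enterprise connections, already-verified users, and any email your own workflow has not confirmed. The tenant domain, user records, and the local `overwrite_risk` annotation are constructed for illustration; nothing is sent over the network.

```python
from urllib.parse import quote

# Constructed sample records, shaped like Auth0 user profiles (identities[].provider / isSocial).
SAMPLE_USERS = [
    {"user_id": "auth0|u1", "email": "ann@example.com", "email_verified": False,
     "identities": [{"provider": "auth0", "isSocial": False}]},
    {"user_id": "google-oauth2|u2", "email": "bob@example.com", "email_verified": False,
     "identities": [{"provider": "google-oauth2", "isSocial": True}]},
    {"user_id": "waad|u3", "email": "cy@example.com", "email_verified": False,
     "identities": [{"provider": "waad", "isSocial": False}]},
    {"user_id": "auth0|u4", "email": "dee@example.com", "email_verified": False,
     "identities": [{"provider": "auth0", "isSocial": False}]},
    {"user_id": "auth0|u5", "email": "eli@example.com", "email_verified": True,
     "identities": [{"provider": "auth0", "isSocial": False}]},
]
# Emails already confirmed by your own custom workflow (constructed).
CONFIRMED = {"ann@example.com", "bob@example.com", "cy@example.com", "eli@example.com"}


def connection_kind(user):
    """Classify by the primary identity: database, social, or enterprise."""
    primary = user["identities"][0]
    if primary["provider"] == "auth0":
        return "database"
    return "social" if primary.get("isSocial") else "enterprise"


def plan_bulk_verify(users, confirmed_emails, domain):
    """Return (planned_requests, skipped) without touching the network."""
    confirmed = {e.lower() for e in confirmed_emails}
    planned, skipped = [], []
    for u in users:
        kind = connection_kind(u)
        if u.get("email_verified") is True:
            skipped.append((u["user_id"], "already verified"))
        elif kind == "enterprise":
            skipped.append((u["user_id"], "enterprise connection"))
        elif u.get("email", "").lower() not in confirmed:
            skipped.append((u["user_id"], "email not confirmed by custom workflow"))
        else:
            planned.append({
                "method": "PATCH",
                # user_id contains "|", so it must be URL-encoded in the path
                "url": f"https://{domain}/api/v2/users/{quote(u['user_id'], safe='')}",
                "json": {"email_verified": True},  # request body
                "overwrite_risk": kind == "social",  # local note: IdP data may reset the flag
            })
    return planned, skipped
```

Each planned entry can be sent with any HTTP client using a Management API access token; entries with `overwrite_risk` set are the social users whose flag the identity provider may later overwrite.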

Special verification support

For Azure AD and ADFS enterprise connections, Auth0 supports some custom email verification workflows. This can help you ensure users coming from other systems have verified emails in an accurate and secure way. To learn more, read Email Verification for Azure AD and ADFS.
