Verify Emails using Auth0
When using an email address supplied by a user, it is important to verify the user has access to that email. This is true anytime you send an email to a user or if you use email as an index for search. Auth0 does not recommend using an email address as a way to validate that a user is who they say they are.
Email verification is crucial for applications that:
use email addresses as one of the primary ways to index users
send out emails to users
use email addresses to recommend account linking
let users create accounts connected to an email address
Auth0 provides several ways to add email verification to your application.
Choose the right approach
There are several ways to mark emails as verified or unverified. To figure out which method is right for you, here are a few questions to ask yourself or your team:
Am I storing (or planning to store) usernames and passwords in Auth0 (or in a database connected through Auth0)?
Do I have special email verification requirements that prevent me from using Auth0's built-in verify email flow?
Do I need to bulk set a large number of users to email verified?
Do I have users coming from Azure AD, ADFS, or other enterprise connections that will need their emails verified?
If you are storing usernames and passwords in Auth0, or using a custom DB connection to store users in your own system, then you can likely use Auth0's built-in email verification flow.
If you have requirements preventing you from using Auth0's built-in flow, or you need to bulk set a large number of users, we have API endpoints to help.
Lastly, if you have users from enterprise connections, some of those connections have special email verification workflows. Please read more about that to see if you need to take advantage of those features.
A common way to verify emails with Auth0 is to email a magic link, or verification link, to the user. When the user clicks the link, the user's email_verified flag is set to
By default, Auth0 emails magic links to users when they sign up.
You can also customize when Auth0 sends verification emails. For example, you may need to verify emails in bulk, or you may want to delay verification until the user performs an action requiring a verified email.
If you need to customize when the user gets the verification email, you can either:
use the email verification job, which triggers Auth0 to send the verification email using the verify email template
create an email verification ticket and send the email yourself, including the ticket the user should click to verify their email
Custom or bulk verification with the Management API
In some cases you may want to verify email through other means. For example, you might have a list of users to verify in bulk, or you might have some other means of verifying a user's email through a custom workflow you've built yourself.
In these cases you can use the PATCH /api/v2/users endpoint to set
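The following is an added example, not code from Auth0: it plans a bulk update that builds (without sending) one PATCH /api/v2/users/{id} request per user, setting email_verified to true only where a custom workflow has already confirmed the address. The tenant URL, token, user records, and the CONFIRMED set are constructed placeholders, and the case-insensitive email comparison is an assumption of this sketch.

```python
import json
from urllib.parse import quote
from urllib.request import Request

TENANT = "https://example-tenant.invalid"  # placeholder tenant domain
TOKEN = "MGMT_API_TOKEN_PLACEHOLDER"  # placeholder Management API token

# Constructed sample data: users exported from the tenant, plus the addresses
# a hypothetical custom workflow has confirmed the user controls.
USERS = [
    {"user_id": "auth0|a1", "email": "Ann@Example.com", "email_verified": False},
    {"user_id": "auth0|b2", "email": "bob@example.com", "email_verified": True},
    {"user_id": "auth0|c3", "email": "eve@example.com", "email_verified": False},
]
CONFIRMED = {"ann@example.com"}


def build_patch(user_id):
    """Build (not send) a PATCH request that marks the user's email verified."""
    # User IDs contain "|", so the path segment must be percent-encoded.
    url = f"{TENANT}/api/v2/users/{quote(user_id, safe='')}"
    body = json.dumps({"email_verified": True}).encode()
    headers = {"Authorization": f"Bearer {TOKEN}",
               "Content-Type": "application/json"}
    return Request(url, data=body, headers=headers, method="PATCH")


def plan_bulk_verification(users, confirmed):
    """Return (requests, skipped); only confirmed, unverified users are patched."""
    requests, skipped = [], []
    for user in users:
        email = user["email"].strip().lower()
        if user["email_verified"]:
            skipped.append((user["user_id"], "already verified"))
        elif email not in confirmed:
            # No proof the user controls the mailbox: leave the flag unset.
            skipped.append((user["user_id"], "not confirmed"))
        else:
            requests.append(build_patch(user["user_id"]))
    return requests, skipped


if __name__ == "__main__":
    reqs, skipped = plan_bulk_verification(USERS, CONFIRMED)
    for r in reqs:
        print(r.get_method(), r.full_url, r.data.decode())
    print("skipped:", skipped)
```

Reviewing the skipped list before sending anything keeps the flag from being set on accounts whose mailbox ownership was never demonstrated.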
Special verification support
For Azure AD and ADFS enterprise connections, Auth0 supports some custom email verification workflows. This can help you ensure users coming from other systems have verified emails in an accurate and secure way. Check out Email Verification for Azure AD and ADFS for more information.