When using an email address supplied by a user, it is important to verify the user has access to that email. This is true anytime you send an email to a user or if you use email as an index for search. Auth0 does not recommend using an email address as a way to validate that a user is who they say they are. Email verification is crucial for applications that:
  • Use email addresses as one of the primary ways to index users
  • Send out emails to users
  • Use email addresses to recommend account linking
  • Let users create accounts connected to an email address
Auth0 provides several ways to add email verification to your application, as well as a Marketplace extension that requires users to verify their emails before signing in.
While email verification lowers the risk of accounts being compromised, it is not a perfect solution. Your application may also need other security measures.

Choose the right approach

There are several ways to mark emails as verified or unverified. To figure out which method is right for you, here are a few questions to ask yourself or your team:
  • Am I storing (or planning to store) identifiers and passwords in Auth0 (or in a database connected through Auth0)?
  • Do I have special email verification requirements that prevent me from using Auth0’s built in verify email flow?
  • Do I need to bulk set a large number of users to email verified?
  • Do I have users coming from Azure AD, ADFS, or other enterprise connections that will need their emails verified?
If you are storing identifiers and passwords in Auth0 or using a custom DB connection to store users in your own system then you can likely use Auth0’s built-in email verification flow. If you have requirements preventing you from using Auth0’s built in flow or you need to bulk set a large number of users, we have API endpoints to help. Lastly, if you have users from enterprise connections, some of those connections have special email verification workflows. To learn more, read Special Verification Support. A common way to verify emails with Auth0 is to send an email verification link to the user. When the user clicks the link, the user’s email_verified flag is set to true. By default, Auth0 emails verification links to users when they sign up. You can also customize when Auth0 sends verification emails. For example, if you need to verify emails in bulk or if you want to delay verification until the user performs an action requiring a verified email. There are two ways to control when the user gets the verification email :
  • Use the email verification job. This triggers Auth0 to send the verification email using the verify email template
  • Create an email verification ticket and send the email yourself, including the ticket the user should use to verify their email

One-time passwords

One-time passwords (OTPs) can be emailed to each new user at the time of account creation to ensure every user has an verified email. Because email verification links can lead to accidental verification by email scanners or the users themselves, OTPs ensures each user actively verifies an existing email address. To use OTPs, your tenant must have Universal Login, Flexible Identifiers, and Identifer-First login enabled.
OTP tokens for phone and email identifier verification have a lifetime of 900 seconds.
To set up OTPs, go to Authentication > Database and select the connection to change, then pick Attributes, locate Email, choose the menu button,and enable One-Time Password (OTP).

Custom or bulk verification with the Management API

This works for social and database connections but does not work for enterprise connections. Keep in mind, the email_verified field may be overwritten by the social identity provider if the data comes from them.
In some cases you may want to verify email through other means. For example, you have a list of users to verify in bulk or you have some other means for verifying a user’s email through a custom workflow you’ve built yourself. In these cases you can use the PATCH /api/v2/users endpoint to set email_verified to true.

Special verification support

For Azure AD and ADFS enterprise connections, Auth0 supports some custom email verification workflows. This can help you ensure users coming from other systems have verified emails in an accurate and secure way. To learn more, read Email Verification for Azure AD and ADFS.

Learn more