Enforce Email Verification Using a Post-Login Action or One-Time Password
This article provides two methods for implementing email verification with Auth0 database connections. The first method uses a Post-Login Action to prevent users from signing in until their email is verified. The second method uses a One-Time Password (OTP) to prevent the user's account from being created until the email address is verified.
- Auth0 Actions
- Email Verification
- One-Time Password (OTP)
- Universal Login
Two solutions are available for enforcing email verification, each offering a different user experience. The first uses a custom Action to deny access to existing users with unverified emails, while the second uses a native OTP flow to verify the email address before the account is created. The second solution therefore prevents unverified accounts from ever being created.
Method 1: Deny Access to Unverified Users with a Post-Login Action
This approach is best for forcing existing, unverified users to verify their email on their next login or for database connections that use a verification link. A custom Post-Login Action checks the user's verification status and denies access if the email is not verified, resending the verification email in the process.
- Navigate to Actions > Library in the Auth0 Dashboard.
- Select Build Custom to create a new Action.
- Name the action (for example, Enforce Email Verification), set the trigger to PostLogin, and select Create.
- In the editor, insert the following code. This script requires a Machine-to-Machine (M2M) application with the update:users scope on the Management API. The domain, clientId, and clientSecret values must be stored as secrets in the Action.
- Select Deploy to save the Action.
- Navigate to Actions > Flows and select the Login flow.
- Drag the newly created Action into the flow and select Apply.
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Only run this logic for Auth0 database connections
  if (event.connection.strategy === 'auth0') {
    // Check if the user's email is already verified
    if (!event.user.email_verified) {
      const ManagementClient = require('auth0').ManagementClient;
      const management = new ManagementClient({
        domain: event.secrets.domain,
        clientId: event.secrets.clientId,
        clientSecret: event.secrets.clientSecret,
      });
      const params = {
        user_id: event.user.user_id,
        client_id: event.client.client_id,
      };
      // Await the verification-email job so the request completes before
      // the Action returns; log a failure but still deny access
      try {
        await management.jobs.verifyEmail(params);
        console.log("Verification email sent successfully.");
      } catch (err) {
        console.log("Error sending verification email:", err);
      }
      // Deny access and inform the user
      return api.access.deny("Access denied. Please check your inbox to verify your email address before logging in.");
    }
  }
};
```
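To check the Action's gating logic offline before deploying it, the following added example (not part of the original article or the Auth0 SDK) re-implements the handler with the Management API client injected, so a stub can record the verification-email request; `makeHandler`, `runScenario`, and the sample event values are assumptions for this harness.

```javascript
// Added example: exercises the Post-Login Action's decision logic offline.
// The ManagementClient factory is injected so a stub can stand in for the auth0 SDK.
const DENY_MESSAGE =
  "Access denied. Please check your inbox to verify your email address before logging in.";

// Builds the handler; `createManagement` must return an object exposing jobs.verifyEmail.
function makeHandler(createManagement) {
  return async (event, api) => {
    // Only database-connection logins are gated; social/enterprise logins pass through.
    if (event.connection.strategy !== 'auth0') return;
    if (event.user.email_verified) return;
    const management = createManagement({
      domain: event.secrets.domain,
      clientId: event.secrets.clientId,
      clientSecret: event.secrets.clientSecret,
    });
    try {
      // Request a fresh verification email, then block the login either way.
      await management.jobs.verifyEmail({
        user_id: event.user.user_id,
        client_id: event.client.client_id,
      });
    } catch (err) {
      console.log("Error sending verification email:", err);
    }
    api.access.deny(DENY_MESSAGE);
  };
}

// Runs one constructed login scenario and records what the Action asked for.
function runScenario({ strategy, emailVerified }) {
  const calls = { verifyEmail: [], deny: null };
  const stubManagement = () => ({
    jobs: {
      verifyEmail: async (params) => { calls.verifyEmail.push(params); return { status: 'pending' }; },
    },
  });
  // Constructed event resembling what the Actions runtime passes in (not real values).
  const event = {
    connection: { strategy },
    user: { user_id: 'auth0|constructed-user', email_verified: emailVerified },
    client: { client_id: 'constructed-client-id' },
    secrets: { domain: 'tenant.example.auth0.com', clientId: 'constructed', clientSecret: 'constructed' },
  };
  const api = { access: { deny: (reason) => { calls.deny = reason; } } };
  return makeHandler(stubManagement)(event, api).then(() => calls);
}
```

Scenarios to cover before deploying: an unverified database user (denied, one verifyEmail request), a verified database user (allowed, no request), and an unverified user on a non-database connection (allowed, since the Action only gates the auth0 strategy).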
Method 2: Prevent User Creation with One-Time Password Verification
This out-of-the-box solution ensures that a user profile is created only after the email is verified with an OTP. This synchronous process prevents the creation of accounts with fake or mistyped emails.
- Prerequisites:
  - The tenant must use Universal Login.
  - The database connection must have Flexible Identifiers enabled.
  - The Identifier First authentication profile must be active.
- Navigate to Authentication > Database in the Auth0 Dashboard.
- Select the desired database connection.
- Select the Attributes tab.
- In the Email section, enable Email verification during signup with OTP.
- Set Allow Signup with Email to either optional or required.
- Enable the Verify email on sign up option.
With this configuration, any user signing up will be prompted to enter an OTP sent to their email address to complete the registration process.