Enforce Email Verification Using a Post-Login Action or One-Time Password in Auth0
Last Updated:
Overview
This article provides two methods for implementing email verification with the Auth0 DB Connections. The first method uses a Post-Login Action to prevent users from signing in until their email is verified. The second method uses a One-Time Password (OTP) to prevent the user's account from being created until the email address is verified.
Applies To
- Auth0 Actions
- Email Verification
- One-Time Password (OTP)
- Universal Login
Solution
Two solutions are available for enforcing email verification, each offering a different user experience. The first uses a custom Action to deny access to existing users with unverified emails, while the second uses a native OTP flow to verify the email address before the account is created. The second solution helps prevent users from being created.
Method 1: Deny Access to Unverified Users with a Post-Login Action
This approach is best for forcing existing, unverified users to verify their email on their next login or for database connections that use a verification link. A custom Post-Login Action checks the user's verification status and denies access if the email is not verified, then resends the verification email.
- Navigate to Actions > Library in the Auth0 Dashboard.
- Select Build Custom to create a new Action.
- Name the action (for example, Enforce Email Verification), set the trigger to PostLogin, and select Create.
- In the editor, insert the following code. This script requires a Machine-to-Machine (M2M) application with the
update:usersscope on the Management API. Thedomain,clientId, andclientSecretmust be stored as secrets in the Action. - Select Deploy to save the Action.
- Navigate to Actions > Flows and select the Login flow.
- Drag the newly created Action into the flow and select Apply.
exports.onExecutePostLogin = async (event, api) => { // Only run this logic for Auth0 database connections if (event.connection.strategy === 'auth0') { // Check if the user's email is already verified if (!event.user.email_verified) { const ManagementClient = require('auth0').ManagementClient; const management = new ManagementClient({ domain: event.secrets.domain, clientId: event.secrets.clientId, clientSecret: event.secrets.clientSecret, }); const params = { user_id: event.user.user_id, client_id: event.client.client_id, }; await management.jobs.verificationEmail.create(params); // Deny access and inform the user return api.access.deny("Access denied. Please check your inbox to verify your email address before logging in."); } } };
Method 2: Prevent User Creation with One-Time Password Verification
This out-of-the-box solution ensures that a user profile is created only after the user verifies their email with an OTP. This synchronous process prevents the creation of accounts with fake or mistyped emails.
Prerequisites
-
-
The tenant must use Universal Login.
-
The database connection must have Flexible Identifiers enabled.
-
The Identifier First authentication profile must be active.
-
-
Navigate to Authentication > Database in the Auth0 Dashboard.
-
Select the desired database connection.
-
Select the Attributes tab.
-
In the Email section, enable Email verification during signup with OTP.
-
Set Allow Signup with Email to either optional or required.
-
Enable the Verify email on sign up option.
With this configuration, any user signing up will be prompted to enter an OTP sent to their email address to complete registration.