How to Verify a User's Email Within an Auth0 Action
This article explains how to programmatically mark a user's email as verified during the login process using an Auth0 Action. This method requires calling the Auth0 Management API from within a Post-Login Action to update the user's profile.
- Auth0 Actions
- Auth0 Management API
- Email Verification
When verifying users after creation, there are two scenarios to consider while the Verification Email template is enabled.
Scenario 1: Verifying the user immediately after user creation or sign-up and preventing login.
In this scenario, the user gets a Verification Email sent to them automatically. More details on this can be found in the Verify Emails using Auth0 documentation.
To prevent unverified users from accessing the app, a Post-Login Action needs to be implemented to block them. Only after the user has verified their email address are they allowed to proceed to the app.
// Post-Login Action blocking script
/**
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  if (!event.user.email_verified) {
    api.access.deny(`Access to ${event.client.name} is not allowed.`);
  }
};
Scenario 2: Verifying the user at a later point in the flow.
In this scenario, a user must be created with verify_email: false to prevent the automatic Verification Email from being sent to the user.
Then, at a later point, use the Management API's Send an email address verification email endpoint to send the user a Verification Email. It is also possible to set email_verified to true at the root level of the user profile using the Update a User endpoint of the Management API.
Consider using the Post-Login Action blocking script to block the user from accessing the application.
NOTE: This scenario works only for user creation and not sign-ups.
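The approach described in this article, calling the Management API's Update a User endpoint from a Post-Login Action, is shown here as an added example that is not Auth0's own code. The secret names, the `fetchImpl` test parameter and the `verified_out_of_band` app_metadata flag are assumptions; the flag stands in for whatever trusted signal justifies marking the address verified. A runtime with a global `fetch` (Node 18 or later) is also assumed.

```javascript
// Added example, not Auth0's code. Assumed: secrets DOMAIN, CLIENT_ID and
// CLIENT_SECRET for a Machine-to-Machine app granted only update:users, and a
// hypothetical app_metadata flag `verified_out_of_band` set by a trusted back end.
// fetchImpl is a test seam; the Action runtime calls the handler with (event, api).
async function markEmailVerified(event, fetchImpl = fetch) {
  const { DOMAIN, CLIENT_ID, CLIENT_SECRET } = event.secrets;
  const json = { 'content-type': 'application/json' };
  // Client-credentials grant for a Management API access token.
  const tokenRes = await fetchImpl(`https://${DOMAIN}/oauth/token`, {
    method: 'POST',
    headers: json,
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: CLIENT_ID,
      client_secret: CLIENT_SECRET,
      audience: `https://${DOMAIN}/api/v2/`,
    }),
  });
  if (!tokenRes.ok) throw new Error(`token request failed: ${tokenRes.status}`);
  const { access_token } = await tokenRes.json();
  // Update a User endpoint: email_verified sits at the root of the profile.
  const id = encodeURIComponent(event.user.user_id);
  const res = await fetchImpl(`https://${DOMAIN}/api/v2/users/${id}`, {
    method: 'PATCH',
    headers: { ...json, authorization: `Bearer ${access_token}` },
    body: JSON.stringify({ email_verified: true }),
  });
  if (!res.ok) throw new Error(`user update failed: ${res.status}`);
}

const onExecutePostLogin = async (event, api, fetchImpl = fetch) => {
  if (event.user.email_verified) return; // already verified, nothing to do
  const meta = event.user.app_metadata || {};
  if (meta.verified_out_of_band !== true) {
    // No trusted signal: keep the blocking behaviour from the script above.
    api.access.deny(`Access to ${event.client.name} is not allowed.`);
    return;
  }
  try {
    await markEmailVerified(event, fetchImpl);
  } catch (err) {
    // Fail closed: an unverified user never gets in because the API call failed.
    api.access.deny('Email verification could not be completed.');
  }
};
// Actions load the handler from `exports`; the guard lets the file run elsewhere too.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Each run requests a fresh Management API token; in production, cache the token (for example with `api.cache`) so that a token request is not made on every login.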