How to call Management API v2 to send verification mail from within a rule?


I'm writing a rule in Auth0 to trigger a verification email if a certain condition is met. To make the example small, I have included the code which I am using to send the verification mail (I have removed the unwanted code).

var url = 'https://myname.au.auth0.com/api/v2/jobs/verification-email';
var token = 'Bearer {{token}}'; //This is where the problem is how do I get the token
var userId = user.user_id;
request.post({
  url: url,
  headers: {
    Authorization: 'Bearer {{token}}',
  },
  json: {
    "user_id": userId
  },
  timeout: 5000
},   
function(err, res, body) { 
  console.log(err); 
  console.log(res);
});

In the body I get the following error

{ statusCode: 400,
  error: 'Bad Request',
  message: 'Bad HTTP authentication header format',
  errorCode: 'Bearer' }

I guess I need to pass in the access token or something like that in the header. How do I get this done?

I also saw the following article (https://auth0.com/docs/email/custom), however I'm not sure what secretToken is?

3

There are 3 answers

0
João Angelo On

Starting from the bottom, the article (https://auth0.com/docs/email/custom) is aimed at users that want additional flexibility and use their own custom email handling. The secretToken in that example is just to illustrate a possible - and very simple - way that their own custom email API could validate that it was being called from Auth0; in conclusion, it would work almost as an API key.

If you only need to trigger a verification email through the system provided by Auth0 you're using the correct approach (Management API v2). You have more than one way to obtain a token that allows you to call this API:

  1. Using the client credentials grant
  2. Using the Auth0 Management API v2 Explorer

The second option would be the easiest to get started, but do take into consideration that there's a deprecation notice for that one.

Once you obtain the token, you also need to correctly pass it to the API. The code you showed may be only sample code, but make sure that you don't end up including the Bearer scheme twice, more specifically var token = 'Bearer {{token}}'; should instead just be var token = '{{token}}'; and then you would use the token variable when creating the HTTP header.

0
user8400809 On

I received the same error when using the wrong token, though for a different api call. I recreated your issue by using a user's access_token obtained by calling {{api-audience}}users/{{user_id}}. That token should look something like this: A1bCd2efg34IJkl5

Try using a client's access_token obtained by making this call:

curl --request POST \
  --url https://{{domain}}/oauth/token \
  --header 'content-type: application/json' \
  --data '{
        "client_id":"{{client_id}}",
        "client_secret":"{{client_secret}}",
        "audience":"{{audience}}",
        "grant_type":"client_credentials"
    }'

That token will be a full JWT.
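
The two failure modes raised in the answers above (the Bearer scheme included twice or left as a template placeholder, and an opaque user token passed where a Management API JWT is expected) can be caught before the request is sent. The following is an added example, not code from either answer or from Auth0; the function names, the sample claims and the tenant domain are hypothetical, and it assumes the Management API audience is https://{domain}/api/v2/. The payload is decoded for inspection only and the signature is not verified.

```javascript
// Added example; function names and all sample values are constructed.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build an unsigned, constructed sample token (header.payload.signature).
function makeSampleToken(claims) {
  return [b64url({ alg: 'RS256', typ: 'JWT' }), b64url(claims), 'constructed-signature'].join('.');
}

// Read the payload for inspection only; the signature is NOT verified here.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null; // opaque token such as A1bCd2efg34IJkl5
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Returns { ok: true, header } or { ok: false, reason }.
function buildAuthHeader(rawToken, domain, nowSeconds) {
  const fail = (reason) => ({ ok: false, reason: reason });
  if (typeof rawToken !== 'string' || rawToken.trim() === '') return fail('empty token');
  if (/\{\{.*\}\}/.test(rawToken)) return fail('unresolved placeholder');
  // Drop any scheme already present so "Bearer" is emitted exactly once.
  const token = rawToken.trim().replace(/^(Bearer\s+)+/i, '');
  const claims = decodeJwtPayload(token);
  if (!claims) return fail('not a JWT');
  const audiences = [].concat(claims.aud || []);
  if (!audiences.includes('https://' + domain + '/api/v2/')) return fail('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return fail('expired');
  return { ok: true, header: 'Bearer ' + token };
}

// Options object in the shape the question passes to request.post().
function buildVerificationRequest(rawToken, domain, userId, nowSeconds) {
  const auth = buildAuthHeader(rawToken, domain, nowSeconds);
  if (!auth.ok) throw new Error('refusing to call Management API: ' + auth.reason);
  return {
    url: 'https://' + domain + '/api/v2/jobs/verification-email',
    headers: { Authorization: auth.header },
    json: { user_id: userId },
    timeout: 5000
  };
}
```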

1
arokanika On

Just created the below empty rule that will get called when a user tries to log in and the email is not yet verified, and it works like a charm :D

function (user, context, callback) {
    if (!user.email_verified) {
        console.log("User is: " + user.user_id);
        var ManagementClient = require('[email protected]').ManagementClient;
        // auth0.accessToken and auth0.domain are provided to rules by Auth0
        var management = new ManagementClient({
            token: auth0.accessToken,
            domain: auth0.domain
        });
        var new_userobj = {user_id: user.user_id};
        // Pass a function so the login is rejected only after the send request completes
        management.sendEmailVerification(new_userobj, function (err) {
            if (err) {
                return callback(err);
            }
            return callback(new UnauthorizedError('Please click on the link in the email we have sent you to continue to login.'));
        });
    } else {
        return callback(null, user, context);
    }
}