We have an in-house auth system (email + password based) we’re looking to move to Stytch. In our current system, any user is allowed to change their email to a different email (as long as that different email doesn’t already have an account), even if the current email is unverified. This is because sometimes a user might sign up and accidentally mistype their email or type in an old email and then find out they don’t have access to it anymore. So they need to be able to change it to their actual working email. If a user finds that someone else maliciously used their email to create an account, they can simply request a password reset with their email and gain access to that account.
Looking around in Stytch, I see in this doc it says:
"you can still allow access to certain logged-in content before the user completes email verification, though some functionality (like the user’s ability to change their email address) will be limited during this time period."
Is it true that users need to verify their email before they are allowed to change it? That doesn’t seem to make a lot of sense to me.