Do users need to verify their email before they can change it? If so, why?

We have an in-house auth system (email + password based) we’re looking to move to Stytch. In our current system, any user is allowed to change their email to a different email (as long as that different email doesn’t already have an account), even if the current email is unverified. This is because sometimes a user might sign up and accidentally mistype their email or type in an old email and then find out they don’t have access to it anymore. So they need to be able to change it to their actual working email. If a user finds that someone else maliciously used their email to create an account, they can simply request a password reset with their email and gain access to that account.

Looking around in Stytch, I see in this doc it says

you can still allow access to certain logged-in content before the user completes email verification, though some functionality (like the user’s ability to change their email address) will be limited during this time period.

Is it true that users need to verify their email before they are allowed to change it? That doesn’t seem to make a lot of sense to me.

Hi John - thanks for posting!

Is it true that users need to verify their email before they are allowed to change it?

This was true before we introduced our Exchange Primary Factor backend API endpoint, which allows a user to swap out one email address for another in the scenario you mention where a user mistypes their email address!

It looks like the guide you referenced was written before the introduction of that endpoint; I’ll flag this internally.

Does the Exchange Primary Factor endpoint sound like it might fit that use case?
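The policy described in this thread (an unverified primary email may be swapped for a new one as long as the new address is not already registered) as an in-memory model. This is an added example, not code from the thread, from Stytch, or from the poster's in-house system; it also goes beyond the text by showing the contrasting path for a *verified* address, which is only replaced after the new address is confirmed. `User`, `UserStore`, the result strings and the confirmation-token flow are assumptions made for illustration.

```python
"""Email-change policy for an email+password account store (added example).

Assumed model: each user has one primary email with a verified flag.
 - unverified email: exchanged in place (nothing proven is lost)
 - verified email: the new address must be confirmed before it takes over
 - any change is refused if the target address already belongs to an account
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    user_id: str
    email: str
    email_verified: bool = False
    # (new_email, token) while a verified user's change awaits confirmation
    pending_change: Optional[Tuple[str, str]] = None


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    @staticmethod
    def _norm(email: str) -> str:
        # Compare addresses case-insensitively so Alice@ and alice@ collide.
        return email.strip().lower()

    def _by_email(self, email: str) -> Optional[User]:
        email = self._norm(email)
        return next((u for u in self.users.values() if u.email == email), None)

    def signup(self, email: str) -> User:
        email = self._norm(email)
        if self._by_email(email) is not None:
            raise ValueError("address already registered")
        user = User(user_id=f"user-{len(self.users) + 1}", email=email)
        self.users[user.user_id] = user
        return user

    def mark_verified(self, user_id: str) -> None:
        self.users[user_id].email_verified = True

    def change_email(self, user_id: str, new_email: str) -> str:
        new_email = self._norm(new_email)
        user = self.users[user_id]
        if self._by_email(new_email) is not None:
            return "rejected: address already registered"
        if not user.email_verified:
            # Exchange the primary factor in place: a mistyped, never-proven
            # address carries no ownership claim worth protecting.
            user.email = new_email
            user.pending_change = None
            return "exchanged"
        # A verified address is the account's proof of ownership; keep it
        # until the new address is confirmed via the token sent to it.
        token = secrets.token_urlsafe(24)
        user.pending_change = (new_email, token)
        return "pending: confirm link sent to new address"

    def confirm_change(self, user_id: str, token: str) -> bool:
        user = self.users[user_id]
        if user.pending_change is None:
            return False
        new_email, expected = user.pending_change
        if not secrets.compare_digest(token, expected):
            return False
        if self._by_email(new_email) is not None:
            # Someone registered the address while the change was pending.
            user.pending_change = None
            return False
        user.email, user.email_verified, user.pending_change = new_email, True, None
        return True
```

The in-place exchange is only taken when the current address is unverified; once an address has been proven, the store keeps it as the account's anchor until the replacement is confirmed, so a stale session cannot silently re-point a verified account at an attacker-controlled mailbox.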

Hey Matt,

Thanks for the clarification, yeah it looks like Exchange Primary Factor solves this for us!