Skip to main content
When a user authenticates via OAuth, we only add an email address to the resulting Stytch User when we receive an email address from the OAuth provider that the provider guarantees has been verified by the user. This email address will be marked as verified: true. If the OAuth provider does not guarantee that the returned email address has been verified, we cannot safely make account deduplication decisions and protect against potential account takeover vectors, so we will not add the email address to the resulting Stytch User and cannot automatically deduplicate accounts even if the user has previously authenticated using a matching email address. You can leverage our Attach OAuth factor functionality to explicitly associate an OAuth factor with an existing Stytch User when a user is already logged into your application. When a user completes an OAuth flow initiated with an oauth_attach_token, we will add the new OAuth factor to the specified Stytch User. Note that this flow cannot be used to merge two existing Stytch users; the OAuth factor being attached must not already be associated with any other Stytch Users. Additionally, if using an unverified email address is acceptable in the context of your application, you can retrieve a user’s email addresses by either parsing the JWT contained within the idp object we return in our Authenticate OAuth token response or by querying most OAuth providers’ APIs with the access_token that we also return in the idp object.

Email address support across OAuth providers