Email address behavior

When a user authenticates via OAuth, we only add an email address to the resulting Stytch User when we receive an email address from the OAuth provider that the provider guarantees has been verified by the user. This email address will be marked as verified: true.

If the OAuth provider does not guarantee that the returned email address has been verified, we cannot safely make account deduplication decisions and protect against potential account takeover vectors, so we will not add the email address to the resulting Stytch User and cannot automatically deduplicate accounts even if the user has previously authenticated using a matching email address.

You can leverage our Attach OAuth factor functionality to explicitly associate an OAuth factor with an existing Stytch User when a user is already logged into your application. When a user completes an OAuth flow initiated with an oauth_attach_token, we will add the new OAuth factor to the specified Stytch User. Note that this flow cannot be used to merge two existing Stytch users; the OAuth factor being attached must not already be associated with any other Stytch Users.

Additionally, if using an unverified email address is acceptable in the context of your application, you can retrieve a user's email addresses by either parsing the JWT contained within the idp object we return in our Authenticate OAuth token response or by querying most OAuth providers' APIs with the access_token that we also return in the idp object.
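As an added example (not Stytch's code, and not a substitute for verifying a real provider's RS256/ES256 signature against its published JWKS), the following Python shows how an application might handle the ID token found in the idp object: verify the token, read the email and email_verified claims, and apply the rule described above, namely that an address may only drive account deduplication when the provider asserts email_verified as the JSON boolean true. The issuer, audience, signing key and tokens are constructed placeholders for this example; the HS256 signing helper exists only to produce test input.

```python
"""Decide whether an OAuth provider's ID-token email may be used for account
deduplication. Added example; keys, issuer, audience and tokens are constructed."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed sample token used only as example input (assumed HS256 key)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256_token(token: str, key: bytes, expected_iss: str,
                       expected_aud: str, now: Optional[float] = None) -> dict:
    """Check alg, signature, iss, aud and exp. Returns claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")  # aud may be a string or a list of strings
    if not (aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    return claims


@dataclass
class EmailDecision:
    email: Optional[str]       # address as the provider returned it (no normalisation here)
    verified: bool             # provider asserted email_verified == true
    safe_to_dedupe: bool       # may be used to match an existing account
    reason: str


def email_for_dedup(claims: dict) -> EmailDecision:
    """Apply the page's policy to verified claims: unverified email is never a match key."""
    email = claims.get("email")
    if not isinstance(email, str) or not email:
        return EmailDecision(None, False, False, "provider returned no email")
    # Only the JSON boolean true counts; the string "true" or a missing claim is unverified.
    if claims.get("email_verified") is not True:
        return EmailDecision(email, False, False,
                             "provider did not assert verification; usable for display only")
    return EmailDecision(email, True, True, "verified email may be used to link accounts")


def link_decision_from_token(token: str, key: bytes, iss: str, aud: str,
                             now: Optional[float] = None) -> EmailDecision:
    """Verify the token first, then decide; a bad token raises rather than returning a decision."""
    return email_for_dedup(verify_hs256_token(token, key, iss, aud, now))


if __name__ == "__main__":
    KEY, ISS, AUD = b"constructed-example-key", "https://issuer.example", "client-id-example"
    tok = make_hs256_token({"iss": ISS, "aud": AUD, "sub": "u1", "email": "alice@example.com",
                            "email_verified": True, "exp": int(time.time()) + 600}, KEY)
    print(link_decision_from_token(tok, KEY, ISS, AUD))
```

The decision object deliberately separates "we have an email" from "we may match on it": an application that accepts unverified addresses for display or notifications can still keep them out of the deduplication path, which is the account-takeover vector the text above describes.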

Email address support across OAuth providers

  • Amazon | We do not return email addresses provided by Amazon. Amazon does not explicitly state that they verify user email addresses, and they suggest linking accounts only after verifying "local credentials" (or, in other words, after verifying that the user owns the target account by other means).
  • Apple | We do return email addresses when Apple marks them as verified.
  • Bitbucket | We do return email addresses when Bitbucket marks them as verified.
  • Coinbase | We do not return email addresses provided by Coinbase. Coinbase does not explicitly state that they verify user email addresses.
  • Discord | We do return email addresses when Discord marks them as verified.
  • Facebook | We do not return email addresses provided by Facebook. Facebook states that applications that use email addresses returned by Facebook should verify the email addresses themselves.
  • Figma | We do return email addresses returned by Figma.
  • GitHub | We do return email addresses when GitHub marks them as verified.
  • GitLab | We do return email addresses when GitLab marks them as verified.
  • Google | We do return email addresses when Google marks them as verified.
  • LinkedIn | We do return email addresses provided by LinkedIn.
  • Microsoft | We do not return email addresses provided by Microsoft. Microsoft does not attest to email ownership, and recommends against using them for authentication purposes.
  • Slack | We do return email addresses when Slack marks them as verified.
  • Snapchat | We do not return email addresses for Snapchat users. Snapchat does not return user email addresses.
  • Spotify | We do not return email addresses provided by Spotify. Spotify explicitly states that they do not verify user email addresses.
  • TikTok | We do not return email addresses for TikTok users. TikTok does not return user email addresses.
  • Twitch | We do return email addresses when Twitch marks them as verified.
  • Twitter | We do not return email addresses for Twitter users. Twitter does not return user email addresses.
  • Yahoo | We do return email addresses when Yahoo marks them as verified.