/
Contact usSee pricingStart building
Node
​

    About Stytch

    Introduction
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Migrations
      Migration overview
      Migrating users statically
      Migrating users dynamically
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for users
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    Magic Links

    • Email Magic Links

        • Getting started with the API
        Getting started with the SDK
        Replacing your password reset flow
        Building an invite user flow
        Add magic links to an existing auth flow
        Adding PKCE to a Magic Link flow
        Magic Link redirect routing

    • Embeddable Magic Links

        • Getting started with the API
    MFA
      Overview
      Backend integration
      Frontend integration
    Mobile Biometrics
      Overview
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0
    OAuth

    • Identity providers

        • Overview
        Provider setup
      Getting started with the API (Google)
      Add Google One Tap via the SDK
      Email address behavior
      Adding PKCE to an OAuth flow
    Connected AppsBeta
      Setting up Connected Apps
      About Remote MCP Servers

    • Resources

        • Integrate with AI agents
        Integrate with MCP servers
    Passcodes
      Getting started with the API
      Getting started with the SDK

    • Toll fraud

        • What is SMS toll fraud?
        How you can prevent toll fraud
      Unsupported countries
    Passkeys & WebAuthn

    • Passkeys

        • Passkeys overview
        Set up Passkeys with the frontend SDK

    • WebAuthn

        • Getting started with the API
        Getting started with the SDK
    Passwords
      Getting started with the API
      Getting started with the SDK
      Password strength policy

    • Email verification

        • Overview
        Email verification before password creation
        Email verification after password creation
    Sessions
      How to use sessions
      Backend integrations
      Frontend integrations
      Custom claims
      Custom claim templates
      Session tokens vs JWTs
      How to use Stytch JWTs
    TOTP
      Getting started with the API
      Getting started with the SDK
    Web3
      Getting started with the API
      Getting started with the SDK

    Authorization

    Implement RBAC with metadata

    3rd Party Integrations

    Planetscale
    Supabase
    Feathery
    Unit

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

Consumer Authentication

/

Guides

/

Authentication

/

OAuth

/

Email address behavior

Email address behavior

When a user authenticates via OAuth, we only add an email address to the resulting Stytch User when we receive an email address from the OAuth provider that the provider guarantees has been verified by the user. This email address will be marked as verified: true.

If the OAuth provider does not guarantee that the returned email address has been verified, we cannot safely make account deduplication decisions and protect against potential account takeover vectors, so we will not add the email address to the resulting Stytch User and cannot automatically deduplicate accounts even if the user has previously authenticated using a matching email address.

You can leverage our Attach OAuth factor functionality to explictly associate an OAuth factor with an existing Stytch User when a user is already logged into your application. When a user completes an OAuth flow initiated with an oauth_attach_token, we will add the new OAuth factor to the specified Stytch User. Note that this flow cannot be used to merge two existing Stytch users; the OAuth factor being attached must not already be associated with any other Stytch Users.

Additionally, if using an unverified email address is acceptable in the context of your application, you can retrieve a user's email addresses by either parsing the JWT contained within the idp object we return in our Authenticate OAuth token response or by querying most OAuth providers' APIs with the access_token that we also return in the idp object.

Email address support across OAuth providers

  • Amazon | We do not return email addresses provided by Amazon. Amazon does not explicitly state that they verify user email addresses, and they suggest linking accounts only after verifying "local credentials" (or, in other words, after verifying that the user owns the target account by other means).
  • Apple | We do return email address when Apple marks them as verified.
  • Bitbucket | We do return email address when Bitbucket marks them as verified.
  • Coinbase | We do not return email addresses provided by Coinbase. Coinbase does not explicitly state that they verify user email addresses.
  • Discord | We do return email address when Discord marks them as verified.
  • Facebook | We do not return email addresses provided by Facebook. Facebook states that applications that use email addresses returned by Facebook should verify the email addresses themselves.
  • Figma | We do return email address returned by Figma.
  • GitHub | We do return email address when GitHub marks them as verified.
  • GitLab | We do return email address when GitLab marks them as verified.
  • Google | We do return email addresses when Google marks them as verified.
  • LinkedIn | We do return email addresses provided by LinkedIn.
  • Microsoft | We do not return email addresses provided by Microsoft. Microsoft does not attest to email ownership, and recommends against using them for authentication purposes.
  • Slack | We do return email addresses when Slack marks them as verified.
  • Snapchat | We do not return email addresses for Snapchat users. Snapchat does not return user email addresses.
  • Spotify | We do not return email addresses provided by Spotify. Spotify explicitly states that they do not verify user email addresses.
  • TikTok | We do not return email addresses for TikTok users. TikTok does not return user email addresses.
  • Twitch | We do return email addresses when Twitch marks them as verified.
  • Twitter | We do not return email addresses for Twitter users. Twitter does not return user email addresses.
  • Yahoo | We do return email addresses when Yahoo marks them as verified.