Thanks to visit codestin.com
Credit goes to Github.com

Skip to content

core 3: fix custom flows#3036

Draft
alexisintech wants to merge 8 commits intocore-3from
aa/fix-email-pass-custom-flow
Draft

core 3: fix custom flows#3036
alexisintech wants to merge 8 commits intocore-3from
aa/fix-email-pass-custom-flow

Conversation

@alexisintech
Copy link
Member

@alexisintech alexisintech commented Feb 4, 2026
edited
Loading

TODO:

  • sign-in-or-up
  • email-phone-otp
  • enterprise connections
  • oauth connections
  • passkeys

/email-password

the email-password custom flow guide examples are using totp (auth app) or backup codes. a few issues with this:

  • that guide doesn't have any of the copy regarding configuring MFA
  • this guide is meant to be more for basic usage. you have to manually enable under "multi-factor auth" in the dash, so most users won't have MFA enabled unless they've manually chosen to enable it - and in this case, they'd probably go to the MFA guide, not this guide.

email codes are probably a better route here instead of TOTP or backup codes, because email codes are the default second factor when you enable email address.

I've updated the examples to use email codes, and to point to the MFA guide if the user wants to see how to support other second factor strategies.

this led me to revamping the MFA guide, which is now called the second factor guide.

/email-password-mfa --> /second-factor

there are two ways that a second factor can be required for signing in: mfa, or client trust. this is why i've updated the introductory paragraph of the doc to read:

If you have Client Trust or multi-factor authentication (MFA) (or both) enabled for your application, the sign-in attempt will return a status of needs_second_factor. Your custom sign-in flow needs to support handling whichever second factor strategy you have enabled in the Clerk Dashboard.

the guide goes on to explain that if the user has both enabled, client trust will use whatever mfa strategies are enabled (TOTP, SMS verification code). if mfa is not enabled, client trust will fallback to whatever verification strategy is enabled for the application (email code, email link, or SMS verification code).

I've revamped this guide in a way to explain that. and to cover all the different strategies that a user may have enabled for second factor verification.

@alexisintech alexisintech requested a review from a team as a code owner February 4, 2026 01:26
@vercel
Copy link

vercel bot commented Feb 4, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-docs Error Error Feb 13, 2026 8:15pm

Request Review

@alexisintech alexisintech mentioned this pull request Feb 4, 2026
Open
8 tasks
@alexisintech alexisintech requested review from dstaley and removed request for a team February 4, 2026 01:27
@dstaley
Copy link
Member

dstaley commented Feb 4, 2026

My thinking here was that with client trust enabled (which is the default for new instances I believe), signing in with email and password on a new client requires the handling of the needs_second_factor status. So if you follow the guide as this PR details you actually won't be able to sign in for the first time; you'd need to also incorporate the logic from the MFA guide. Since this is a default and not something you can turn off I think it makes sense to show that logic in the guide.

@alexisintech
Copy link
Member Author

alexisintech commented Feb 4, 2026
edited
Loading

My thinking here was that with client trust enabled (which is the default for new instances I believe), signing in with email and password on a new client requires the handling of the needs_second_factor status. So if you follow the guide as this PR details you actually won't be able to sign in for the first time; you'd need to also incorporate the logic from the MFA guide. Since this is a default and not something you can turn off I think it makes sense to show that logic in the guide.

ahhh if its for client trust, two things:

  1. the examples are using totp (auth app) or backup codes, both you have to manually enable under "multi-factor auth" in the dash. whereas email codes are probably a better route, because they are auto-enabled if email is enabled, which brings me to point two:
  2. the dash says if the user hasn't configured a second factor, email code (default), phone code, or email link will be used
Screenshot 2026-02-04 at 12 06 05

which is why i believe if we are going to add support for client trust to the custom flows, it should be using email code!
so i'm cool to keep the handling of needs_second_factor, and can add a comment about doing this due to client trust (with a link to that doc), and then using email code there

@alexisintech alexisintech force-pushed the aa/fix-email-pass-custom-flow branch from 1dbe98d to cfac443 Compare February 9, 2026 22:09
@alexisintech alexisintech mentioned this pull request Feb 9, 2026
Closed
@alexisintech alexisintech marked this pull request as draft February 9, 2026 22:18
alexisintech
alexisintech commented Feb 10, 2026
View reviewed changes
docs/guides/development/custom-flows/authentication/email-password.mdx Outdated
})

await signUp.verifications.sendEmailCode()
if (!error) {
Copy link
Member Author

@alexisintech alexisintech Feb 10, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is if the user has "verify at sign up" and "email verification code" enabled
they can have email link enabled - will need to think about this

@alexisintech alexisintech changed the title core 3: fix email pass custom flow core 3: fix custom flows Feb 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dstaley dstaley Awaiting requested review from dstaley

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alexisintech @dstaley