<!-- llms.txt: https://workos.com/llms.txt -->

# Email Changes

## Introduction

When a user's email address changes at their Identity Provider (IdP), AuthKit can propagate that change to the [User object](https://workos.com/docs/reference/authkit/user) so it stays in sync with the authoritative source.

A user is **domain-managed** when their email domain matches one of the [organization's verified domains](https://workos.com/docs/authkit/domain-verification). For enterprise identity sources (Directory Sync and SSO), email changes propagate only to domain-managed users. Social login (OAuth) follows separate rules, described in the [precedence rules](#precedence-rules) below.

## Precedence rules

When multiple identity sources are linked to the same AuthKit user, the following determines which source can update the email:

| Source | Can update email? | Condition |
| --- | --- | --- |
| Directory Sync | Yes | User is domain-managed |
| Enterprise SSO (SAML/OIDC) | Yes | User is domain-managed, organization has verified domain, and user is not directory-managed |
| Social login (OAuth) | Yes | User has no enterprise SSO profile or directory user linked |

Directory Sync takes precedence over SSO. If a user has both a directory user and an SSO profile linked, only the directory can update the email; an SSO login will not overwrite a directory-sourced email.

## Collision handling

If the new email address already belongs to another AuthKit user in the same environment, the email change is **skipped**. The AuthKit user retains its current email and all other attribute updates (name, etc.) still apply.

This prevents unintended account merging when two users at the same IdP happen to swap or share email addresses.

## Directory ownership

For domain-managed users, the first directory to link to a user owns that user, and a second directory can only take ownership if its organization has [domain capture](https://workos.com/docs/authkit/domain-verification) enabled for the email domain. See [directory provisioning](https://workos.com/docs/authkit/directory-provisioning) for the full ownership rules.

## Side effects of email changes

When an email change propagates successfully:

- **OAuth profiles are unlinked**: Any linked OAuth identity (Google, GitHub, etc.) is removed from the user, since the OAuth identity was verified against the old email
- **Sessions remain active**: Existing sessions are not revoked by an email change alone
- **Email verification**: The new email is considered verified because it comes from a trusted enterprise source (directory or SSO with a verified domain)

## Frequently asked questions

### Can a user's email be changed through the API?

Only for users who are not managed by an enterprise identity source. The [update user](https://workos.com/docs/reference/authkit/user/update) API endpoint rejects email changes for users linked to a directory or an enterprise SSO connection, because the identity provider is the authoritative source for those users' emails.

### How do email changes interact with identity linking?

Email changes are applied after [identity linking](https://workos.com/docs/authkit/identity-linking). First, the correct AuthKit user is identified (via existing link or email match). Then, if the source's email differs from the AuthKit user's email, the precedence rules determine whether to update it.
