We have a custom user activation flow in our stack: our backend calls Okta to create the users via the API, and sends the activation email with the same request. The user receives the email and is redirected to our frontend with the token, which is sent to our backend for validation (and to continue the reset password process). The issue is that often, the activation token sent via email is expired before the user can use it for the first time. It is quite frustrating, as it's the first interaction with our app, and users often need us to send back an activation link for a second time so they can set their passwords.
The most plausible theory I have at the moment is that an update on the user’s profile invalidates the already issued activation token. We create the user and send the link directly, but we trigger an event that updates one of the user’s fields asynchronously. Could that update invalidate the activation token somehow? This would also explain why the process is flaky, as sometimes the activation works directly, which would mean that our event updates the profile before the activation email.