Custom Activation Flow : What's the best practice?

I’m using okta-auth signIn() & session.setCookieAndRedirect() in my front-end client and OIDC on the back-end. I have a custom login form and I want to build a custom registration flow.

My user registration flow begins in a separate external e-commerce system that notifies me when a user has paid to gain access to my app with a secure transfer of the user’s email address and a few other optional things.

It seems like I should be able to create a user at the point of callback from the e-commerce system and notify the user via email to hit my custom activation page and create his own password to log in.

I’d like the flow to go something like this:

  1. Create and activate the user when the e-commerce system tells me he paid
  2. User clicks on activation link in the email
  3. [Would like to end up on my activation page]
  4. [Unsure what my activation page is supposed to do at this point]

What’s the safest way to go about doing this? How can I get my custom activationToken in the email? I have some brute-force thoughts in mind that all feel hacky and unsafe.

I would be very grateful for some guidance on this. Something tells me this should be easy, but I just can’t find the dang door! :slight_smile:


I read that I can use the activationToken to create a custom activation link but I don’t know what to do with the link (#4 above):

In customizing the activation email, template I couldn’t find the variable that represents the activationToken :

Related post:

Found this recent post:

In it, @tom says:

We have some APIs in development that will help with this.

In the meantime, you will need to modify the email template to point to your application, handle the activation token and issue a 302 redirect by hand.

The API call is below:

I’ll take a look and report back.


Gave a little more information here: