I’m jumping in here because your original question was one I had on my to-do list to verify (pun intended).
First to address your last thing, “/users/me” works if either the session cookie or the API access token is passed with the request (from the org authorization server, not a custom authorization server including default). So, if you capture cookies with the Postman interceptor and Postman sends the session cookie with the request it should work. I verified the API call over the weekend. I think maybe something is amiss in your interceptor configuration. Maybe you’re not hanging on to the session cookie?
Number two, just FYI developer accounts for me don’t seem to ever send an email to the secondEmail address now. This changed about a year ago. Production accounts still do. So if you are using a developer account for testing that could be an issue. @Andrea, any thoughts on that?
Number three: I want to refer Andrea back to the original question about generating a confirmation email. As I said earlier, this was on my list because when you change the email or secondEmail via “me” using POST it just changes them blindly. If there is a way to force a confirmation email I’d love to know it because I too have not found that in the API. Maybe it’s a developer vs production tenant thing?
Number four: FYI, if you change the email address it changes the login too. If you don’t want that, you have to specify both “email” and “login” in the data to the POST call to “me”. But I’m guessing for your circumstances this is not an issue.