From e119053cc873a29093f3b436ab29bd7d6518f90a Mon Sep 17 00:00:00 2001
From: Justin Angel <justinangel86@gmail.com>
Date: Wed, 5 Nov 2025 13:08:35 -0500
Subject: [PATCH] add use_unverified_email setting to the config

---
 config-example.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/config-example.yaml b/config-example.yaml
index ec14dc03..0ce702cf 100644
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -361,6 +361,18 @@ unix_socket_permission: "0770"
 #   # required "openid" scope.
 #   scope: ["openid", "profile", "email"]
 #
+#   # Enable this setting to accept the user's email address regardless
+#   # if "email_verified: true" is sent by identity provider.
+#   #
+#   # By default, "email_verified: true" must appear in claims or user info
+#   # before Headscale will accept the principal's email address as the user
+#   # account is created after successful authentication.
+#   #
+#   # This setting is useful when claims and their mapping can't be controlled,
+#   # such as when using Cloudflare One-time pin for authentication.
+#
+#   use_unverified_email: false
+#
 #   # Provide custom key/value pairs which get sent to the identity provider's
 #   # authorization endpoint.
 #   extra_params: