We noticed that the email field in the Update User API request has been marked as deprecated "due to security reasons."

This change would greatly impact our systems ; our user are enabling and updating their GHL access and informations from our main platform, which then syncs to GHL via the API. Any changes they do on their profile is propagated via API -- including their email addresses.

Removing the ability to update an email address would require substantial changes to our codebase and workflows, and impact the smooth integration we have between our system and GHL.

Updating a user's email is a fairly standard feature in most user-management systems and should not disappear.

Could you clarify what specific security risks this change would address?

(Especially since the email+password fields are still available in the Create User request, and the password field is still allowed in the Update User request, which seems to carry even more sensitive implications than a simple email address).

Ideas -->

Would the GHL team consider adding maybe some verification steps or safeguards on a user's login after an email-updated-event rather than removing this feature plainly?

What alternative(s) would be available for updating an email address via API once this deprecation is enforced (endpoint, processes, scopes)?