diff --git a/management/server/account.go b/management/server/account.go
index ddbc41f3f..7ed09615a 100644
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -600,7 +600,7 @@ func (am *DefaultAccountManager) redeemInvite(account *Account, userID string) e
 return status.Errorf(codes.NotFound, "user %s not found in the IdP", userID)
 }
- if user.AppMetadata.WTPendingInvite {
+ if user.AppMetadata.WTPendingInvite != nil && *user.AppMetadata.WTPendingInvite {
 log.Infof("redeeming invite for user %s account %s", userID, account.Id)
 // User has already logged in, meaning that IdP should have set wt_pending_invite to false.
 // Our job is to just reload cache.
diff --git a/management/server/idp/auth0.go b/management/server/idp/auth0.go
index b7b8e012e..d90e0ade2 100644
--- a/management/server/idp/auth0.go
+++ b/management/server/idp/auth0.go
@@ -416,12 +416,13 @@ func (am *Auth0Manager) UpdateUserAppMetadata(userID string, appMetadata AppMeta
 }
 func buildCreateUserRequestPayload(email string, name string, accountID string) (string, error) {
+ invite := true
 req := &createUserRequest{
 Email: email,
 Name: name,
 AppMeta: AppMetadata{
 WTAccountID: accountID,
- WTPendingInvite: true,
+ WTPendingInvite: &invite,
 },
 Connection: "Username-Password-Authentication",
 Password: GeneratePassword(8, 1, 1, 1),
@@ -556,7 +557,7 @@ func (am *Auth0Manager) GetUserByEmail(email string) ([]*UserData, error) {
 if err != nil {
 return nil, err
 }
- reqURL := am.authIssuer + "/api/v2/users-by-email?email=" + email
+ reqURL := am.authIssuer + "/api/v2/users-by-email?email=" + url.QueryEscape(email)
 body, err := doGetReq(am.httpClient, reqURL, jwtToken.AccessToken)
 if err != nil {
 return nil, err
@@ -698,7 +699,7 @@ func (am *Auth0Manager) downloadProfileExport(location string) (map[string][]*Us
 Email: profile.Email,
 AppMetadata: AppMetadata{
 WTAccountID: profile.AccountID,
- WTPendingInvite: profile.PendingInvite,
+ WTPendingInvite: &profile.PendingInvite,
 },
 })
 }
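Review bot: The nil-and-dereference test `user.AppMetadata.WTPendingInvite != nil && *user.AppMetadata.WTPendingInvite` is written out by hand in redeemInvite and again in toUserInfo in management/server/user.go, so any later call site that dereferences the pointer without the nil half will panic when the field is unset. A small accessor on AppMetadata would keep the rule in one place, for example `func (m AppMetadata) PendingInvite() bool { return m.WTPendingInvite != nil && *m.WTPendingInvite }` (the method name is only a suggestion), with both call sites reduced to `if user.AppMetadata.PendingInvite() {`. redeemInvite starts and ends outside the hunk.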
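Review bot: The escaped address still travels inside `reqURL` to doGetReq, and the doGetReq hunk further down in auth0.go formats that URL into `fmt.Errorf("unable to get %s, statusCode %d", url, res.StatusCode)` and into its close-failure `log.Errorf`, so a user's e-mail address ends up in error strings and logs. If that is not intended, report only the endpoint path there rather than the full URL. A short comment above the new line would also help the next reader, e.g. `// email is caller-supplied; escape it so '&', '+' or '#' cannot change the query`. GetUserByEmail begins and ends outside the hunk.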
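Review bot: In downloadProfileExport, `&profile.PendingInvite` stores a pointer into `profile`, whose declaration is outside the hunk. If `profile` is one variable reused across iterations (declared before the loop, or a range variable under pre-Go 1.22 semantics), every appended UserData would share the same bool and report the last profile's invite state; this cannot be confirmed from the visible lines. Copying the value first removes the dependency and also avoids keeping the whole decoded profile alive through the pointer: `pending := profile.PendingInvite` followed by `WTPendingInvite: &pending,`.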
@@ -729,13 +730,12 @@ func doGetReq(client ManagerHTTPClient, url, accessToken string) ([]byte, error)
 log.Errorf("error while closing body for url %s: %v", url, err)
 }
 }()
- if res.StatusCode != 200 {
- return nil, fmt.Errorf("unable to get %s, statusCode %d", url, res.StatusCode)
- }
-
 body, err := io.ReadAll(res.Body)
 if err != nil {
 return nil, err
 }
+ if res.StatusCode != 200 {
+ return nil, fmt.Errorf("unable to get %s, statusCode %d", url, res.StatusCode)
+ }
 return body, nil
 }
diff --git a/management/server/idp/idp.go b/management/server/idp/idp.go
index f43540b31..5d9cf67a4 100644
--- a/management/server/idp/idp.go
+++ b/management/server/idp/idp.go
@@ -51,7 +51,7 @@ type AppMetadata struct {
 // WTAccountID is a NetBird (previously Wiretrustee) account id to update in the IDP
 // maps to wt_account_id when json.marshal
 WTAccountID string `json:"wt_account_id,omitempty"`
- WTPendingInvite bool `json:"wt_pending_invite"`
+ WTPendingInvite *bool `json:"wt_pending_invite"`
 }
 // JWTToken a JWT object that holds information of a token
diff --git a/management/server/user.go b/management/server/user.go
index d256238f9..300fe897a 100644
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -68,7 +68,7 @@ func (u *User) toUserInfo(userData *idp.UserData) (*UserInfo, error) {
 }
 userStatus := UserStatusActive
- if userData.AppMetadata.WTPendingInvite {
+ if userData.AppMetadata.WTPendingInvite != nil && *userData.AppMetadata.WTPendingInvite {
 userStatus = UserStatusInvited
 }
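Review bot: With the status check moved below it, `io.ReadAll(res.Body)` in doGetReq now runs for every response, including non-200 ones whose body is then discarded, and the read has no size cap. Consider bounding it, `body, err := io.ReadAll(io.LimitReader(res.Body, maxRespBytes))` with `maxRespBytes` a new constant to be chosen, and adding a comment above the read saying why it precedes the status check (presumably to drain the body so the connection can be reused; the diff does not say). A read error on a failed request also now reaches the caller in place of the status code. The start of doGetReq is outside the hunk.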
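Review bot: `WTPendingInvite *bool` keeps the tag `json:"wt_pending_invite"` without `omitempty`, so a nil pointer is marshalled as `"wt_pending_invite": null` rather than left out of the payload. If the purpose of the pointer is to leave the IdP's stored value untouched when the caller has no opinion (an assumption; the commit does not say), the tag should be `json:"wt_pending_invite,omitempty"`, which still emits an explicit `false`. The field also has no doc comment, unlike WTAccountID above it; something like `// WTPendingInvite is nil when the invite state is unknown or must not be changed` would record the three-state meaning once the intent is confirmed.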