[369548684892826]

I'm not sure about SOC2 compliance, but I'd be surprised if it's compliant for you to be generating user's passwords for them. Users should be the only person to know their password.

You could email out a password that only allows the user to change their password, nothing else. Their account won't be accessible until they choose and set their own password. If the initial password is intercepted it doesn't matter (probably, depends on your app) because the account won't have any user data in it yet.

[oseibonsu]

I should be more broad. Any type of secret that needs to be sent to a user.

[_448]

How are the users going to access the password? Via mobile app, browser, desktop app?

One way is to generate a temporary public-private key on the user-agent. Let the user-agent send the public key to the server. The server encrypts the data with the public key, sends the encrypted data to the user-agent and then deletes the public key. The user-agent then decrypts the received encrypted data using the private key. Once the data is decrypted, the user-agent deletes the public and private keys.