Overview

Email verification is a two-step process:
  1. Resend verification notification (if needed)
  2. Verify email address via signed URL

Resend Verification Notification

Endpoint

  • method (string, default: "POST"): HTTP Method
  • endpoint (string, default: "/email/verification-notification"): API Endpoint

Authentication

This endpoint requires authentication (uses auth middleware).

Rate Limiting

  • Maximum 6 requests per minute per user
  • Throttle key: User ID

Request Body

No request body parameters required.

Response

  • status (string): Status message indicating the verification link was sent.

Example Request

cURL
curl -X POST https://your-api.com/email/verification-notification \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "Cookie: laravel_session=your-session-cookie"
Next.js
const response = await fetch('http://localhost:8000/email/verification-notification', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Accept': 'application/json',
  },
  credentials: 'include',
});

const data = await response.json();
console.log(data.status); // "verification-link-sent"

Success Response

{
  "status": "verification-link-sent"
}

Error Responses

Already Verified (302)

If the email is already verified, the endpoint redirects to the dashboard:
HTTP/1.1 302 Found
Location: /dashboard

Unauthenticated (401)

{
  "message": "Unauthenticated."
}

Rate Limit Exceeded (429)

{
  "message": "Too Many Attempts."
}

Verify Email Address

Endpoint

  • method (string, default: "GET"): HTTP Method
  • endpoint (string, default: "/verify-email/{id}/{hash}"): API Endpoint

Authentication

This endpoint requires:
  • Authentication (auth middleware)
  • Signed URL (signed middleware) - URL must be valid and not expired

Rate Limiting

  • Maximum 6 requests per minute
  • Throttle window: 1 minute

URL Parameters

  • id (string, required): The user’s ID.
  • hash (string, required): SHA256 hash of the user’s email address.

Query Parameters

  • expires (integer, required): Unix timestamp when the signed URL expires.
  • signature (string, required): HMAC signature to verify the URL hasn’t been tampered with.

Response

  • redirect (string): Redirects to the frontend dashboard with verification status.

Example Request

cURL
# This is typically accessed via email link
curl -X GET "https://your-api.com/verify-email/1/abc123?expires=1234567890&signature=xyz..." \
  -H "Cookie: laravel_session=your-session-cookie" \
  -L  # Follow redirects
Next.js
// In your frontend, handle the redirect from the verification link
// The user clicks the link in their email, which goes to your API
// The API verifies and redirects back to your frontend

// Example: Checking verification status after redirect
const searchParams = new URLSearchParams(window.location.search);
if (searchParams.get('verified') === '1') {
  // Email successfully verified
  console.log('Email verified successfully!');
}

Success Response

Redirects to frontend with verification confirmation:
HTTP/1.1 302 Found
Location: https://your-frontend.com/dashboard?verified=1

Error Responses

Already Verified (302)

If the email is already verified, the endpoint still redirects to the dashboard:
HTTP/1.1 302 Found
Location: https://your-frontend.com/dashboard?verified=1

Invalid Signature (403)

Returned when the signed URL is invalid or expired:
{
  "message": "Invalid signature."
}

Unauthenticated (401)

{
  "message": "Unauthenticated."
}

Rate Limit Exceeded (429)

{
  "message": "Too Many Attempts."
}

Notes

Verification Notification

  • A verification email is automatically sent when a user registers
  • Users can request a new verification email if the original expires or is lost
  • The endpoint checks if the email is already verified before sending
  • Rate limited to prevent abuse (6 requests per minute)

Email Verification

  • Uses Laravel’s signed URLs for security
  • URLs expire after a configured time period (default: 60 minutes)
  • Upon successful verification, a Verified event is dispatched
  • The email_verified_at timestamp is set on the user model
  • Users are redirected to the frontend dashboard after verification
  • Frontend URL is configured via config('app.frontend_url')
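
How a signed-URL check of the kind listed above treats expired and tampered links, as an added example in JavaScript (Node.js); it is a model written for this page, not Laravel's own code. The signing scheme (HMAC-SHA256 over the URL without its signature parameter), the function names, the key and the sample link are assumptions constructed for the example.

```javascript
// Added example: a model of a signed-URL check, not Laravel's implementation.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Assumed scheme: HMAC-SHA256 over the full URL minus its `signature` parameter.
function sign(url, key) {
  const u = new URL(url);
  u.searchParams.delete('signature');
  return createHmac('sha256', key).update(u.toString()).digest('hex');
}

// Build a verification link that expires `ttlSeconds` after `now` (Unix seconds).
function makeSignedUrl(base, key, now, ttlSeconds) {
  const u = new URL(base);
  u.searchParams.set('expires', String(now + ttlSeconds));
  u.searchParams.set('signature', sign(u.toString(), key));
  return u.toString();
}

// Returns 'ok', 'expired' or 'invalid'; the endpoint answers 403 for the last two.
function checkSignedUrl(url, key, now) {
  const u = new URL(url);
  const given = Buffer.from(u.searchParams.get('signature') || '', 'utf8');
  const expected = Buffer.from(sign(url, key), 'utf8');
  // Constant-time compare; timingSafeEqual throws on unequal lengths, so check first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return 'invalid';
  // `expires` is covered by the signature, so it is trusted only after the check above.
  const expires = Number(u.searchParams.get('expires'));
  if (!Number.isInteger(expires) || now > expires) return 'expired';
  return 'ok';
}

// Constructed sample values: key, host, id and hash are placeholders.
const KEY = 'constructed-demo-key';
const NOW = 1700000000;
const link = makeSignedUrl('https://your-api.com/verify-email/1/abc123', KEY, NOW, 3600);

function demo() {
  const tamperedId = link.replace('/verify-email/1/', '/verify-email/2/');
  const extended = link.replace(/expires=\d+/, 'expires=' + (NOW + 999999));
  return {
    fresh: checkSignedUrl(link, KEY, NOW + 60),            // within the hour
    late: checkSignedUrl(link, KEY, NOW + 3601),           // one second too late
    tamperedId: checkSignedUrl(tamperedId, KEY, NOW + 60), // id swapped in the path
    extended: checkSignedUrl(extended, KEY, NOW + 3601),   // expiry pushed forward
    wrongKey: checkSignedUrl(link, 'other-key', NOW + 60), // server key differs
  };
}
console.log(demo());
```

Because `expires` sits inside the signed string, editing it to prolong a link invalidates the signature instead of extending the lifetime.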

Integration with Next.js

  • Configure FRONTEND_URL in Laravel’s .env file to match your Next.js app URL
  • Verification links in emails will point to your Laravel API
  • After verification, users are redirected back to your Next.js frontend
  • Check for the ?verified=1 query parameter to show a success message