Skip to main content
POST
/
api
/
auth
/
verify
Verify Email
curl --request POST \
  --url https://api.example.com/api/auth/verify \
  --header 'Content-Type: application/json' \
  --data '
{
  "verificationToken": "<string>"
}
'
{
  "verified": true,
  "user": {
    "email": "<string>",
    "username": "<string>"
  }
}

Overview

Verifies a user’s email address using the verification token provided during registration. Once verified, the user’s emailVerified field is set to true and the verification token is removed from their account.
Email verification is required to confirm the user owns the email address they registered with. The verification token is generated during sign-up and should be sent to the user’s email.

Request

Body Parameters

verificationToken
string
required
The 32-byte hex verification token that was generated during user registration and sent to the user’s email.

Response

verified
boolean
Indicates whether the verification was successful (always true in success responses).
user
object
The verified user’s basic information.
email
string
The verified user’s email address.
username
string
The verified user’s username.

Status Codes

  • 200 OK - Email successfully verified
  • 400 Bad Request - Invalid or missing verification token, or user not found

Examples

curl -X POST https://your-domain.com/api/auth/verify \
  -H "Content-Type: application/json" \
  -d '{
    "verificationToken": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
  }'

Success Response (200)

{
  "verified": true,
  "user": {
    "email": "[email protected]",
    "username": "Alice Johnson"
  }
}

Error Responses (400)

Invalid or Missing Token 
{
  "error": "Invalid verification token"
}
User Not Found 
{
  "error": "No User found."
}
General Verification Error 
{
  "error": "Error Verifying email."
}

Error Cases

Token Validation: Verification tokens are single-use. Once a user’s email is verified, the token is set to null and cannot be reused.

Common Error Scenarios

  1. Missing Verification Token
    • Status: 400
    • Message: “Invalid verification token”
    • Cause: verificationToken not provided in request body or is empty
  2. Invalid Token
    • Status: 400
    • Message: “No User found.”
    • Cause: No user exists with the provided verification token (token may be incorrect, already used, or expired)
  3. Already Verified
    • Status: 400
    • Message: “No User found.”
    • Cause: User has already verified their email (token was set to null after verification)
  4. Database Error
    • Status: 400
    • Message: “Error Verifying email.”
    • Cause: Exception during database query or update operation

Implementation Details

Verification Process

  1. Token Lookup: System searches for a user with the matching verificationToken
  2. User Update: If found, updates the user record:
    • Sets emailVerified to true
    • Sets verificationToken to null
  3. Response: Returns verification status and user information

Database Changes

When verification succeeds, the User model is updated: 
{
  emailVerified: true,      // Changed from false
  verificationToken: null   // Cleared to prevent reuse
}

Integration Example

Complete Registration Flow

// Step 1: Sign up
const signupResponse = await fetch('/api/auth/signup', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    email: '[email protected]',
    name: 'Alice Johnson',
    password: 'SecurePass123!',
  }),
});

const { verificationToken } = await signupResponse.json();

// Step 2: Send verification email (implement your email service)
await sendVerificationEmail('[email protected]', verificationToken);

// Step 3: User clicks verification link, extract token from URL
const urlParams = new URLSearchParams(window.location.search);
const token = urlParams.get('token');

// Step 4: Verify email
const verifyResponse = await fetch('/api/auth/verify', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ verificationToken: token }),
});

const result = await verifyResponse.json();
if (result.verified) {
  // Step 5: Redirect to sign in
  window.location.href = '/signin';
}

Best Practices

  • Email Delivery: Implement a reliable email service to send verification links to users
  • Link Format: Include the verification token as a URL parameter for easy user experience
  • Token Security: Tokens are cryptographically random (32 bytes) and should be treated as secrets
  • User Experience: Provide clear feedback when verification succeeds or fails
  • Resend Option: Consider implementing a “resend verification email” feature for expired or lost tokens

Next Steps

After successful email verification:
  1. User can now sign in with full account access
  2. The isEmailVerified flag in their session will be true
  3. Access to email-verified-only features is granted

Build docs developers (and LLMs) love

Get started for freeTalk to us