Best Practice of Enforcing Email Verification

Problem Statement

I am working on implementing email verification to prevent users from proceeding after registration and from signing in. Additionally, we aim to display a user-friendly message that explains the reason and provides instructions. What is considered the best practice in this scenario?

Solution

If you wish to enforce email verification before granting users access to your application, you can create a Post-Login Action (see the example below) that examines the email_verified property during the login process. If a user doesn’t meet this verification check, they will be redirected to your application’s callback endpoint. Here, you can configure the endpoint to interpret the error and display an appropriate message to these users.

Example post-login Action:

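// Post-Login Action: runs on every login, after the user has authenticated.
exports.onExecutePostLogin = async (event, api) => {
  // email_verified stays false until the user confirms their email address.
  if (!event.user.email_verified) {
    // Deny the login; the reason is what the application's callback receives.
    api.access.deny(`Please verify your email before logging in.`);
  }
};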
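One way the callback endpoint could interpret that error, as an added example (not code from the original page or from Auth0). It assumes the denial arrives as the `error`, `error_description` and `state` query parameters; `describeLoginError` and the host `app.example.test` are hypothetical names.

```javascript
// Must match the string passed to api.access.deny() in the Action above.
const UNVERIFIED_REASON = 'Please verify your email before logging in.';

// Fixed, application-owned messages. Anyone can craft a callback link, so the
// query parameters are only compared against known values, never echoed back.
const MESSAGES = {
  unverified: 'Your email address is not verified yet. Open the verification ' +
    'email we sent you, follow the link, then sign in again.',
  denied: 'Sign-in was denied. Please try again or contact support.',
  generic: 'Sign-in failed. Please try again.',
};

// Returns null when the callback carries no error, otherwise { kind, message }.
// expectedState is the state value this session stored when it started the login.
function describeLoginError(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const error = params.get('error');
  if (!error) {
    return null; // no error parameter: continue with the normal callback handling
  }
  // Only interpret the reason if the response belongs to a login we started.
  if (!expectedState || params.get('state') !== expectedState) {
    return { kind: 'generic', message: MESSAGES.generic };
  }
  if (error === 'access_denied') {
    const unverified = params.get('error_description') === UNVERIFIED_REASON;
    const kind = unverified ? 'unverified' : 'denied';
    return { kind, message: MESSAGES[kind] };
  }
  return { kind: 'generic', message: MESSAGES.generic };
}

// Constructed sample callback URLs (not captured traffic).
const BASE = 'https://app.example.test/callback?error=access_denied&error_description=';
const SAMPLE_UNVERIFIED = BASE + encodeURIComponent(UNVERIFIED_REASON) + '&state=abc123';
const SAMPLE_TAMPERED = BASE + encodeURIComponent('<script>alert(1)</script>') + '&state=abc123';

console.log(describeLoginError(SAMPLE_UNVERIFIED, 'abc123').message);
console.log(describeLoginError(SAMPLE_TAMPERED, 'abc123').message);
```

Because the match is on the exact reason string, changing the text in the Action without updating `UNVERIFIED_REASON` makes unverified users fall through to the generic denial message.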

Related References:

Video Tutorial