Best Practices for Enforcing Email Verification

Overview

This article describes how to enforce email verification so that users whose email address has not been verified cannot proceed after registration or sign-in, and how to show those users an informative message instead of a generic failure.

Applies To

  • Email Verification
  • Best Practice

Solution

For a demonstration, refer to the following video.


The following methods can be used to enforce email verification, starting with the most commonly used approach.

  1. Use a Post-Login Action to Deny Access: This approach checks the email_verified property of the user after every login. If the email is not verified, access to the application is denied before any tokens are issued.
    1. Create a post-login Action.
    2. Within the Action, read the event.user.email_verified property.
    3. If event.user.email_verified is false, call the api.access.deny() method with a reason string that tells the user to verify their email. Auth0 then redirects the user to the application's callback URL with error=access_denied and the reason in error_description. The callback endpoint must parse these parameters and display a user-friendly message. Because the reason travels in the URL and is visible to the user, keep it short and free of sensitive detail.
      Example post-login Action:
exports.onExecutePostLogin = async (event, api) => {
  // event.user.email_verified is false until the user has clicked the
  // verification link. Deny before any token is issued.
  if (!event.user.email_verified) {
    // The reason string is returned to the application as error_description.
    api.access.deny('Please verify your email before logging in.');
  }
};
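The following is an added example, not code from the original article or from Auth0, showing how the application's callback endpoint can handle the redirect that api.access.deny() produces. It assumes the standard OAuth 2.0 error response parameters (error, error_description, state) on the callback URL; the sample URLs, message wording and the handleCallback function are constructed for this illustration.

```javascript
// Added example (not from the original article or from Auth0): parsing the
// error that api.access.deny() sends to the application's callback endpoint.
// Assumption: Auth0 redirects to the registered callback URL with
// error=access_denied&error_description=<reason>&state=<state>.

// Constructed sample redirect, as produced by the Action above when
// event.user.email_verified is false.
const SAMPLE_DENIED_CALLBACK =
  'https://app.example.com/callback?error=access_denied' +
  '&error_description=Please%20verify%20your%20email%20before%20logging%20in.' +
  '&state=abc123';

// Constructed sample of a successful redirect (authorization code flow).
const SAMPLE_SUCCESS_CALLBACK =
  'https://app.example.com/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=abc123';

// Parse the callback URL into a plain object. error_description is
// attacker-controllable (anyone can craft a URL to this endpoint), so it is
// treated as untrusted input: it is matched against, never rendered verbatim.
function parseCallback(urlString) {
  const params = new URL(urlString).searchParams;
  return {
    error: params.get('error'),
    description: params.get('error_description') || '',
    code: params.get('code'),
    state: params.get('state'),
  };
}

// Map a denial to the message the application shows. Matching on the reason
// text couples the app to the Action's wording; keep the two in sync.
function messageForDenial(error, description) {
  if (error === 'access_denied' && /verify your email/i.test(description)) {
    return 'Your email address has not been verified yet. Open the verification ' +
      'link we sent you, then sign in again.';
  }
  return 'Sign-in could not be completed. Please try again or contact support.';
}

// Handle one callback: validate state first, then branch on error vs code.
// expectedState is the value the app stored in the session before redirecting.
function handleCallback(urlString, expectedState) {
  const cb = parseCallback(urlString);
  if (cb.state !== expectedState) {
    return { status: 'invalid_state', message: 'Login response did not match this session.' };
  }
  if (cb.error !== null) {
    return { status: 'denied', message: messageForDenial(cb.error, cb.description) };
  }
  if (cb.code) {
    // Normal path: exchange cb.code for tokens (omitted in this example).
    return { status: 'ok', code: cb.code };
  }
  return { status: 'error', message: 'Malformed login response.' };
}

// Usage in an HTTP handler: call handleCallback(req.originalUrl, session.state)
// and render result.message on the denied path.
```

The state check runs before the error branch so that a crafted link cannot inject an error page into a session that never started a login. The reason string from the Action is only ever used as a selector for a fixed message, which avoids reflecting attacker-controlled text into the page.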

  2. Send a Verification Email Using Forms for Actions: The Forms for Actions feature provides a template for the email verification process.

    • A SendGrid account is a prerequisite for this method.
    • This feature sends a verification email each time the user logs in and the specific Form is invoked.
    • It remains effective even if an initial verification email expires.

Related References