I currently only allow the token to be provided whenever a user has a valid email.
However I would like to change it so that if the email is not yet validated the user could still receive a token but with a very short session.
I currently used actions to deny access to the api, but could I make it so that access is granted but only for x amount of time?
Unfortunately, it’s not possible to use Actions to grant a user access, but only for a certain amount of time.
For now, changing the API Token Lifetime settings is the only way to manipulate the token’s TTL.
In this case, I recommend changing your token’s expiration to be as short-lived as possible.
Then you can proceed with allowing your users to log in for a short period of time.
Let me also add that I would not advise allowing non-validated email address users to log in, as it could weaken your security posture and introduce fraudulent users.