Implement Email Verification to Prevent Access with Unverified Emails

Overview

This article explains how to implement email verification so that users whose emails are unverified cannot continue after registration or sign-in. It also describes how to display an informative message to the user.

Applies To
  • Enforce Email Verification
  • Denied Access
  • Forms

Solution

Refer to the following video for a demonstration.



The following methods can be used to enforce email verification. The methods are presented starting with a commonly used approach.

 

Use a Post-Login Action to Deny Access

This approach checks the email_verified property after a user signs in. If the email is not verified, access to the application is denied.

  1. Create a post-login Action.

  2. Within the Action, access the event.user.email_verified property.

  3. If event.user.email_verified is false, call the api.access.deny() method with a message that tells the user to verify their email.

    • Denying access redirects the user back to the application's callback endpoint.

    • The callback endpoint must be configured to parse the error and display a user-friendly message.

Example post-login Action:

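exports.onExecutePostLogin = async (event, api) => {
  // Block the login when the user's email address has not been verified.
  if (!event.user.email_verified) {
    // The message is what the callback endpoint receives and must display.
    api.access.deny('Please verify your email before logging in.');
  }
};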
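
The callback-side handling that step 3 calls for, as an added example that is not from the original article or from Auth0. It assumes the denial reaches the callback as error=access_denied with the Action's message in error_description; the function names and the app.example base URL are hypothetical. Because anyone who crafts a link to the callback can set these query parameters, the handler maps them to fixed messages instead of echoing them.

```javascript
// Added example: callback-side handling of the error produced by api.access.deny().
// Assumption: the denial arrives as error=access_denied, with the Action's
// message in error_description, on the callback URL's query string.

// Must match the string passed to api.access.deny() in the Action.
const UNVERIFIED_REASON = 'Please verify your email before logging in.';

// Fixed UI copy keyed by outcome; nothing from the URL is echoed verbatim.
const MESSAGES = {
  unverified: 'Your email address is not verified yet. Open the verification link we sent you, then sign in again.',
  denied: 'Sign-in was denied. Contact support if this keeps happening.',
  generic: 'Sign-in failed. Please try again.',
};

// Defense in depth: escape whatever ends up inside the HTML fragment.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Classify a callback request. Returns null when no error parameter is
// present, meaning the normal code-exchange path should continue.
function classifyCallback(callbackUrl) {
  // app.example is a placeholder base so relative paths parse.
  const params = new URL(callbackUrl, 'https://app.example').searchParams;
  const error = params.get('error');
  if (error === null) return null;
  if (error !== 'access_denied') return 'generic';
  return params.get('error_description') === UNVERIFIED_REASON ? 'unverified' : 'denied';
}

// Build the response for an error callback: HTTP status plus an HTML fragment.
function renderCallbackError(callbackUrl) {
  const kind = classifyCallback(callbackUrl);
  if (kind === null) return null;
  return {
    kind,
    status: kind === 'generic' ? 400 : 403,
    html: `<p class="login-error">${escapeHtml(MESSAGES[kind])}</p>`,
  };
}
```

If the message in the Action changes, update UNVERIFIED_REASON to match; otherwise unverified users fall through to the generic "denied" text.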

 


Send Verification Email Using Forms For Actions

The Forms For Actions feature provides a template for the email verification process.

  • A SendGrid account is a prerequisite for this method.

  • This feature sends a verification email each time the user signs in and the specific Form is invoked.

  • It remains effective even if an initial verification email expires.  

Forms Templates

 
