Verify Email Address
Endpoint
Request Body
- User's email address to verify
- 6-digit verification code sent to email (must match exactly)
Response
Upon successful verification, the user is automatically logged in and receives authentication tokens.
- JWT access token valid for 15 minutes. Use this token in the Authorization header for authenticated requests.
- The refresh token is automatically set as an HTTP-only cookie and is not returned in the response body.
Verification Code Details
- Format: 6-digit numeric code
- Expiration: Codes expire after 10 minutes
- Generation: Automatically sent upon registration
- Resend: Use the /auth/resend-code endpoint to request a new code
Auto-Login on Verification
When email verification succeeds:
- User account is marked as verified (isVerified = true)
- Verification code is cleared from database
- JWT tokens are generated (access + refresh)
- Refresh token stored in HTTP-only cookie
- Access token returned in response
Security Features
- Rate Limiting: Standard rate limits apply (60 requests per minute)
- Code Expiration: Prevents use of old verification codes
- Single Use: Verification codes cannot be reused
- Secure Cookies: Refresh token stored in HTTP-only, secure cookie
Common Error Scenarios
| Error | Cause | Solution |
|---|---|---|
| Invalid code | Wrong code or expired | Request new code via /auth/resend-code |
| User not found | Email doesn’t exist | Check email spelling or register |
| Code expired | More than 10 minutes passed | Request new code |
Example Workflow
Related Endpoints
- Register - Create new user account
- Resend Code - Request new verification code
- Login - Login with verified account
