Verify email with code or link

curl --request POST \
  --url https://api.example.com/api/auth/email/verify \
  --header 'Content-Type: application/json' \
  --data '
{
  "otp": "123456",
  "email": "[email protected]"
}
'

{
  "user": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "email": "[email protected]",
    "profile": {
      "name": "<string>",
      "avatar_url": "<string>"
    },
    "metadata": {},
    "emailVerified": true,
    "providers": [
      "<string>"
    ],
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z"
  },
  "accessToken": "<string>",
  "csrfToken": "<string>",
  "refreshToken": "<string>",
  "redirectTo": "<string>"
}

Client

Verify email with code or link

Verify email address using the method configured in auth settings (verifyEmailMethod):

Code verification: Provide both email and otp (6-digit numeric code)
Link verification: Provide only otp (64-character hex token from magic link)

Successfully verified users will receive a session token.

The email verification link sent to users always points to the backend API endpoint. If verifyEmailRedirectTo is configured, the backend will redirect to that URL after successful verification. Otherwise, a default success page is displayed.

POST

api

auth

verify

Verify email with code or link

curl --request POST \
  --url https://api.example.com/api/auth/email/verify \
  --header 'Content-Type: application/json' \
  --data '
{
  "otp": "123456",
  "email": "[email protected]"
}
'

{
  "user": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "email": "[email protected]",
    "profile": {
      "name": "<string>",
      "avatar_url": "<string>"
    },
    "metadata": {},
    "emailVerified": true,
    "providers": [
      "<string>"
    ],
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z"
  },
  "accessToken": "<string>",
  "csrfToken": "<string>",
  "refreshToken": "<string>",
  "redirectTo": "<string>"
}

Query Parameters

client_type

enum<string>

default:web

Client type determines how refresh tokens are returned:

web: Refresh token stored in httpOnly cookie, csrfToken returned in response
mobile/desktop: refreshToken returned directly in response body

Available options:

web,

mobile,

desktop

Body

application/json

otp

string

required

Either a 6-digit numeric code or a 64-character hex token from magic link

Example:

"123456"

string<email>

Required for numeric code verification, omit for magic link verification

Example:

"[email protected]"

Response

Email verified successfully, session created

user

object

Show child attributes

accessToken

string

JWT authentication token

csrfToken

string | null

CSRF token for use with refresh endpoint (web clients only)

refreshToken

string | null

Refresh token for mobile/desktop clients (null for web clients)

redirectTo

string<uri>

Optional URL to redirect user after verification (only present if configured)

Send email verification (code or link based on config)Send password reset (code or link based on config)

⌘I

Tables

Authentication

Records

Storage

AI Integration

Functions

Realtime

Email

Secrets

Logs

Metadata

Health

Verify email with code or link

Query Parameters

Body

Response