Email verification after password creation

In this email verification flow, your users will first be asked to create a password and will then be prompted to verify their email address. One benefit of this flow is that you can still allow access to certain logged-in content before the user completes email verification, though some functionality (like adding a second factor) will be limited during this time period. If you’re more interested in a flow where email verification occurs before the user creates a password, see our Email verification before creating a password guide instead. Stytch’s email verification flows are intentionally flexible so that you can choose the combination of products that best fits your use case. In this guide, we’ll be using our Email OTP product in order to verify email addresses, but you may choose to use Email Magic Links instead by replacing the below Email OTP endpoints with Email Magic Links endpoints.

Before you start

Create a Stytch Consumer project via the Stytch Dashboard if you don’t have one already. To do so, click on your existing project name in top left corner of the Dashboard, click Create Project, and then select Consumer Authentication.Copy your project_id and secret for the Test environment you would like to use. These values can be accessed from the Project ID & API keys section of the Project Overview. You’ll need to include these values in every backend Stytch API call.

Create a User with a password

First, prompt your user for their email address and ask them to create a password. Then, call our Create User with Password endpoint with that information in order to create a new Stytch User.Be sure to add a session_duration_minutes parameter to that call so that a new Stytch session is started. We’ll use 30 minutes for the purposes of this guide, but feel free to tailor the session length to your own use case:

curl --request POST \
  --url https://test.stytch.com/v1/passwords \
	-u 'PROJECT_ID:SECRET' \
	-H 'Content-Type: application/json' \
  -d '{
    "email": "USER_EMAIL_ADDRESS",
    "password": "NEW_PASSWORD_FROM_USER",
    "session_duration_minutes": 30
  }'

Save the session_token from the Create User with Password response for use in the next steps.

Send a verification email

At this point, you’ll have a new Stytch User with a password and an unverified email address, along with a newly-created Stytch session.Send a verification email by calling our Send one-time passcode by email endpoint. Include the session_token from the previous step – otherwise, the user will be required to reset their password in order to prevent an account takeover attack vector:

curl --request POST \
  --url https://test.stytch.com/v1/otps/email/send \
	-u 'PROJECT_ID:SECRET' \
	-H 'Content-Type: application/json' \
  -d '{
    "email": "USER_EMAIL_ADDRESS",
    "session_token": "SESSION_TOKEN_FROM_STEP_1"
  }'

Save the email_id from the Send one-time passcode by email response for use in the next step.

Authenticate the one-time passcode

Once your user submits the one-time passcode from the email that they received, call our Authenticate one-time passcode endpoint with the code and the email_id from the previous step (known in this next call as the method_id). As in the previous step, include the session_token from Step 1 in your API call:

curl --request POST \
  --url https://test.stytch.com/v1/otps/authenticate \
	-u 'PROJECT_ID:SECRET' \
	-H 'Content-Type: application/json' \
  -d '{
    "method_id": "EMAIL_ID_FROM_STEP_2",
    "code": "ONE_TIME_PASSCODE_FROM_USER",
    "session_token": "SESSION_TOKEN_FROM_STEP_1"
  }'

What’s next

Upon receiving a successful Authenticate one-time passcode response, your Passwords signup flow with email verification is complete! You’ll have a new Stytch User with both a verified email address and a password that your user will be able to use to authenticate in the future.

​What’s next

​See also

What’s next

See also