> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Email verification after password creation

> Verify email addresses after users create a password.

In this email verification flow, your users will first be asked to create a password and will then be prompted to verify their email address. One benefit of this flow is that you can still allow access to certain logged-in content before the user completes email verification, though some functionality (like adding a second factor) will be limited during this time period.

If you're more interested in a flow where email verification occurs *before* the user creates a password, see our [Email verification before creating a password](/consumer-auth/authentication/passwords/email-verification/before-password-creation) guide instead.

Stytch's email verification flows are intentionally flexible so that you can choose the combination of products that best fits your use case. In this guide, we'll be using our [Email OTP product](/api-reference/consumer/api/otp/via-email/send) in order to verify email addresses, but you may choose to use [Email Magic Links](/api-reference/consumer/api/magic-links/via-email/send-magic-link) instead by replacing the below Email OTP endpoints with Email Magic Links endpoints.

<Steps>
  <Step title="Before you start">
    Create a Stytch Consumer project via [the Stytch Dashboard](https://stytch.com/dashboard) if you don't have one already. To do so, click on your existing project name in top left corner of the Dashboard, click **Create Project**, and then select **Consumer Authentication**.

    Copy your `project_id` and `secret` for the **Test environment** you would like to use. These values can be accessed from the [Project ID & API keys](https://stytch.com/dashboard) section of the Project Overview. You'll need to include these values in every backend Stytch API call.
  </Step>

  <Step title="Create a User with a password">
    First, prompt your user for their email address and ask them to create a password. Then, call our [Create User with Password endpoint](/api-reference/consumer/api/passwords/create) with that information in order to create a new Stytch User.

    Be sure to add a `session_duration_minutes` parameter to that call so that a new Stytch session is started. We'll use 30 minutes for the purposes of this guide, but feel free to tailor the session length to your own use case:

    ```curl theme={null}
    curl --request POST \
      --url https://test.stytch.com/v1/passwords \
    	-u 'PROJECT_ID:SECRET' \
    	-H 'Content-Type: application/json' \
      -d '{
        "email": "USER_EMAIL_ADDRESS",
        "password": "NEW_PASSWORD_FROM_USER",
        "session_duration_minutes": 30
      }'
    ```

    Save the `session_token` from the Create User with Password response for use in the next steps.
  </Step>

  <Step title="Send a verification email">
    At this point, you'll have a new Stytch User with a password and an unverified email address, along with a newly-created Stytch session.

    Send a verification email by calling our [Send one-time passcode by email endpoint](/api-reference/consumer/api/otp/via-email/send). Include the `session_token` from the previous step – otherwise, the user will be required to reset their password in order to prevent an account takeover attack vector:

    ```curl theme={null}
    curl --request POST \
      --url https://test.stytch.com/v1/otps/email/send \
    	-u 'PROJECT_ID:SECRET' \
    	-H 'Content-Type: application/json' \
      -d '{
        "email": "USER_EMAIL_ADDRESS",
        "session_token": "SESSION_TOKEN_FROM_STEP_1"
      }'
    ```

    Save the `email_id` from the Send one-time passcode by email response for use in the next step.
  </Step>

  <Step title="Authenticate the one-time passcode">
    Once your user submits the one-time passcode from the email that they received, call our [Authenticate one-time passcode](/api-reference/consumer/api/otp/authenticate) endpoint with the code and the `email_id` from the previous step (known in this next call as the `method_id`). As in the previous step, include the `session_token` from **Step 1** in your API call:

    ```curl theme={null}
    curl --request POST \
      --url https://test.stytch.com/v1/otps/authenticate \
    	-u 'PROJECT_ID:SECRET' \
    	-H 'Content-Type: application/json' \
      -d '{
        "method_id": "EMAIL_ID_FROM_STEP_2",
        "code": "ONE_TIME_PASSCODE_FROM_USER",
        "session_token": "SESSION_TOKEN_FROM_STEP_1"
      }'
    ```
  </Step>
</Steps>

## What's next

Upon receiving a successful Authenticate one-time passcode response, your Passwords signup flow with email verification is complete! You'll have a new Stytch User with both a verified email address and a password that your user will be able to use to authenticate in the future.

## See also

Check out our [Passwords API reference](/api-reference/consumer/api/passwords/create) and our [One-time passcodes API reference](/api-reference/consumer/api/otp/via-email/send), which also include sample code for all of our backend SDKs.