Email verification after password creation

In this email verification flow, your users will first be asked to create a password and will then be prompted to verify their email address. One benefit of this flow is that you can still allow access to certain logged-in content before the user completes email verification, though some functionality (like the user's ability to change their email address) will be limited during this time period.

If you're more interested in a flow where email verification occurs before the user creates a password, see our Email verification before creating a password guide instead.

Stytch's email verification flows are intentionally flexible so that you can choose the combination of products that best fits your use case. In this guide, we'll be using our Email OTP product in order to verify email addresses, but you may choose to use Email Magic Links instead by replacing the below Email OTP endpoints with Email Magic Links endpoints.

Before you start

Create a Stytch Consumer project via the Stytch Dashboard if you don't have one already. To do so, click on your existing project name in top left corner of the Dashboard, click Create a new project, and then select Consumer authentication.

Copy your project_id and secret from the Test environment tab in the API keys section of the Stytch Dashboard. You'll need to include these values in every backend Stytch API call.

Step 1: Create a User with a password

First, prompt your user for their email address and ask them to create a password. Then, call our Create User with Password endpoint with that information in order to create a new Stytch User.

Be sure to add a session_duration_minutes parameter to that call so that a new Stytch session is started. We'll use 30 minutes for the purposes of this guide, but feel free to tailor the session length to your own use case:

curl --request POST \
  --url https://test.stytch.com/v1/passwords \
	-u 'PROJECT_ID:SECRET' \
	-H 'Content-Type: application/json' \
  -d '{
    "email": "USER_EMAIL_ADDRESS",
    "password": "NEW_PASSWORD_FROM_USER",
    "session_duration_minutes": 30
  }'

Save the session_token from the Create User with Password response for use in Step 2 and Step 3.

Step 2: Send a verification email to your user

At this point, you'll have a new Stytch User with a password and an unverified email address, along with a newly-created Stytch session.

Next, send a verification email to your user by calling our Send one-time passcode by email endpoint. Include the session_token from Step 1 in your request – otherwise, the user will be required to reset their password in order to prevent an account takeover attack vector:

curl --request POST \
  --url https://test.stytch.com/v1/otps/email/send \
	-u 'PROJECT_ID:SECRET' \
	-H 'Content-Type: application/json' \
  -d '{
    "email": "USER_EMAIL_ADDRESS",
    "session_token": "SESSION_TOKEN_FROM_STEP_1"
  }'

Save the email_id from the Send one-time passcode by email response for use in Step 3.

Step 3: Authenticate the one-time passcode

Once your user submits the one-time passcode from the email that they received, call our Authenticate one-time passcode endpoint with the code and the email_id from Step 2 (known in this next call as the method_id). As in the previous step, include the session_token from Step 1 in your API call:

curl --request POST \
  --url https://test.stytch.com/v1/otps/authenticate \
	-u 'PROJECT_ID:SECRET' \
	-H 'Content-Type: application/json' \
  -d '{
    "method_id": "EMAIL_ID_FROM_STEP_2",
    "code": "ONE_TIME_PASSCODE_FROM_USER",
    "session_token": "SESSION_TOKEN_FROM_STEP_1"
  }'

What's next

Upon receiving a successful Authenticate one-time passcode response, your Passwords signup flow with email verification is complete! You'll have a new Stytch User with both a verified email address and a password that your user will be able to use to authenticate in the future.

See also

Check out our Passwords API reference and our One-time passcodes API reference, which also include sample code for all of our backend SDKs.