Email Verification

Email account verification is enabled by default. After signing up, a user will be asked to verify their email using a time-sensitive link sent to their registered email address.

Until verified, the JWT token issued to a user will contain an unverified flag, and access to protected API endpoints will be disabled.

You can override this behaviour for an individual API route by passing 'unverified' as the third parameter to auth.verify.

api.get('/api/account', auth.verify('owner', 'account.read', 'unverified'), use(accountController.get));

When a user verifies their account by making a POST request to /api/user/verify, a new JWT token will be issued that does not contain an unverified flag, unlocking the API access.
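To review which endpoints remain reachable before an email address is verified, the following added example (not part of the project's own code) scans route definitions written in the style shown above and lists those that pass 'unverified' to auth.verify. The sample routes other than /api/account, and the helper names, are assumptions made for illustration.

```javascript
// Added example: audit route definitions for the 'unverified' override.
// SAMPLE_ROUTES is constructed for illustration; only the first route
// is taken from the documentation above.
const SAMPLE_ROUTES = `
api.get('/api/account', auth.verify('owner', 'account.read', 'unverified'), use(accountController.get));
api.patch('/api/account', auth.verify('owner', 'account.update'), use(accountController.update));
api.post("/api/example/resend", auth.verify("user", "example.resend", "unverified"), use(exampleController.resend));
// api.get('/api/old', auth.verify('user', 'old.read', 'unverified'), use(oldController.get));
api.get('/api/example/public', use(exampleController.public));
`;

// Matches: api.<method>('<path>', auth.verify(<args>) ...
const ROUTE_RE = /api\.(get|post|put|patch|delete)\(\s*(['"])(.+?)\2\s*,\s*auth\.verify\(([^)]*)\)/;

// Remove one pair of surrounding quotes from an argument, if present.
function stripQuotes(arg) {
  return arg.trim().replace(/^(['"`])(.*)\1$/, '$2');
}

// Return one record per route that is protected by auth.verify.
function auditRoutes(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const code = line.trim();
    if (code.startsWith('//')) return; // ignore commented-out routes
    const m = ROUTE_RE.exec(code);
    if (!m) return; // route does not call auth.verify
    const args = m[4].split(',').map(stripQuotes);
    findings.push({
      line: i + 1, // line number within the scanned text
      method: m[1].toUpperCase(),
      path: m[3],
      permission: args[0],
      allowsUnverified: args[2] === 'unverified',
    });
  });
  return findings;
}

// Routes that unverified accounts can call: the list to review.
function unverifiedRoutes(source) {
  return auditRoutes(source)
    .filter((r) => r.allowsUnverified)
    .map((r) => `${r.method} ${r.path}`);
}

console.log(unverifiedRoutes(SAMPLE_ROUTES));
```

Each route in the output should be one that an account with an unconfirmed email address genuinely needs; anything else is a candidate for removing the override.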

Disable Email Verification

To disable the default behaviour and automatically verify all new users, you can set the following config flag to false:

"email": {
  "user_verification": false
}
