# Email Verification

Email account verification is enabled by default. After signing up, a user will be asked to verify their email using a time-sensitive link sent to their registered email address.

Until verified, the JWT token issued to a user will contain an `unverified` flag, and access to protected API endpoints will be disabled. 

You can override this behaviour by passing an `unverified` permission to an API route as the third parameter.

<pre class="language-javascript"><code class="lang-javascript"><strong>// node.js
</strong><strong>api.get('/api/account', auth.verify('owner', 'account.read', 'unverified'), use(accountController.get));
</strong><strong>
</strong><strong>// next.js
</strong>export const GET = withApiRoute('owner', 'account.read', accountController.get, { allowUnverified: true });
</code></pre>

When a user verifies their account by making a POST request to `/api/user/verify` a new JWT token will be issued that does not contain an unverified flag, unlocking the API access.

### Disable Email Verification

To disable the default behaviour and automatically verify all new users, you can set the following config flag to false:

```javascript
"email": {
  "user_verification": false
 }
```