POST /v1/auth/email/verify
Consume a verification token from the user's email and mark them verified.
::: tip
Auth Required: none. The token IS the credential.
:::
Request
POST /v1/auth/email/verify
| Header | Required | Notes |
|---|---|---|
| Content-Type: application/json | yes | — |
Body
{ "token": "abc...32_byte_base64" }
Response
204 No Content
The user's email_verified flag is now true.
If the user changed their email after the token was issued (so the token is stale-but-not-malicious), the endpoint silently no-ops and still returns 204.
Error responses
| Status | Code | When |
|---|---|---|
| 400 | invalid_input | Token missing. |
| 401 | authentication_required | Token doesn't match, already consumed, or expired. |
| 404 | not_found | The user the token belongs to no longer exists. |
Notes
- Tokens are single-use; the row is marked consumed_at = now() on success.
- An audit entry (users.email_verified) is recorded.
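One way a server could implement the behaviour documented above (atomic single-use consumption, expiry, the stale-email no-op and the documented status codes), as an added example that is not this API's own code. The SQLite schema, the hashed token storage, the helper names, and consuming the token on the 404 and stale paths are assumptions; the page names only consumed_at, email_verified and the users.email_verified audit entry.

```python
import hashlib
import sqlite3
import time

# Hypothetical schema; only consumed_at and email_verified are named on the page.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, email_verified INTEGER DEFAULT 0);
CREATE TABLE email_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, email TEXT,
                           expires_at REAL, consumed_at REAL);
CREATE TABLE audit (event TEXT, user_id INTEGER, at REAL);
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()  # assumption: only a hash is stored

def issue_token(db, user_id, email, token, expires_at):
    with db:
        db.execute("INSERT INTO email_tokens VALUES (?, ?, ?, ?, NULL)",
                   (token_hash(token), user_id, email, expires_at))

def verify_email(db, body, now=None):
    """Return (status, error_code) following the page's response tables."""
    now = time.time() if now is None else now
    token = body.get("token") if isinstance(body, dict) else None
    if not isinstance(token, str) or not token:
        return 400, "invalid_input"
    h = token_hash(token)
    with db:  # one transaction: claim, flag and audit entry commit together
        # Atomic claim: of two concurrent requests, only one sees rowcount == 1.
        claimed = db.execute(
            "UPDATE email_tokens SET consumed_at = ? WHERE token_hash = ? "
            "AND consumed_at IS NULL AND expires_at > ?", (now, h, now)).rowcount
        if claimed != 1:
            return 401, "authentication_required"  # unknown, consumed or expired
        user_id, issued_for = db.execute(
            "SELECT user_id, email FROM email_tokens WHERE token_hash = ?", (h,)).fetchone()
        user = db.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
        if user is None:
            return 404, "not_found"
        if user[0] != issued_for:
            return 204, None  # stale token: silent no-op (assumed to stay consumed)
        db.execute("UPDATE users SET email_verified = 1 WHERE id = ?", (user_id,))
        db.execute("INSERT INTO audit VALUES ('users.email_verified', ?, ?)", (user_id, now))
    return 204, None
```

Claiming the token with a single conditional UPDATE, rather than a SELECT followed by an UPDATE, is what keeps two simultaneous requests from both consuming the same token.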