Skip to content
NuxtBase logo NuxtBase Docs

Email Verification

Email verification is a core requirement in NuxtBase, not an optional extra.

The template uses verified-session checks in both client-side route protection and server-side helpers. That means an unverified user may exist, but cannot use protected product areas as if they were fully active.

Verification Is Required

Section titled “Verification Is Required”

Two important defaults are enabled in the auth configuration:

  • verification emails are sent on sign-up
  • verification emails are also sent on sign-in when needed

The credential auth config also requires email verification before the user is treated as fully verified.

The Verification Flow

Section titled “The Verification Flow”

For a new email/password account, the intended path is:

  1. user registers on /register
  2. app redirects to /auth/confirm?mode=verify-email&email=...
  3. verification email is sent
  4. user opens the verification link
  5. app processes the token on /auth/callback
  6. if a session exists, the user can continue to /dashboard

The E2E suite explicitly tests this flow end to end.

The Confirmation Page

Section titled “The Confirmation Page”

/auth/confirm is not a dead-end waiting room. It is an active part of the UX.

It handles two auth confirmation modes:

  • verify-email
  • reset-password

For verification mode, the page can:

  • explain what happened
  • show the target email address
  • resend the verification email
  • return the user to login

The Callback Page

Section titled “The Callback Page”

/auth/callback is where verification token handling is surfaced back into the UI.

The callback page distinguishes between:

  • successful verification with session ready
  • successful verification but user still needs to sign in
  • invalid token
  • generic failure

That makes the verification flow much easier to support than a silent redirect.

Verified Session Enforcement

Section titled “Verified Session Enforcement”

Verified access is enforced in two important places:

Client Route Middleware

Section titled “Client Route Middleware”

Unverified users trying to open protected routes are redirected to:

/auth/confirm?mode=verify-email

Server Route Protection

Section titled “Server Route Protection”

Some server-side flows call requireVerifiedSession(), which rejects users whose emailVerified flag is not true.

That means verification affects not just navigation, but also API access.

Resend Behavior

Section titled “Resend Behavior”

The confirmation page supports resending the verification email. This is also covered by the E2E tests, so it is part of the expected shipped behavior.

What To Test

Section titled “What To Test”
  1. register a new account
  2. confirm the verification email is generated
  3. verify that unverified login redirects back to /auth/confirm
  4. use the mailed verification link
  5. confirm /auth/callback reaches the success state
  6. open the dashboard successfully