How Email Verification Flows Work (and Why Apps Send Confirmation Links)

Why Apps Verify Email Ownership

Verification answers a single question: does the person who typed this address actually control that inbox? Anyone can type [email protected] into a form. Until the app confirms that the real owner received a message and acted on it, the address is just an unverified claim. Four practical concerns drive this:

A subtle but important point: email verification proves control of an inbox, not the identity of a human. It tells you the signup reached a real, reachable mailbox. It does not tell you the person is who they say they are. That is a job for separate identity checks.

Single vs. Double Opt-In

The two broad approaches to handling a freshly submitted address are single opt-in and double opt-in.

Single opt-in treats the address as usable the moment it is submitted. The user types an email, the app starts sending to it immediately, and no confirmation step stands in the way. It is frictionless, but it accepts typos, fake addresses, and people who sign others up without consent.

Double opt-in adds one verification step. After the address is submitted, the app sends a confirmation message and marks the address as verified only after the user clicks the link or enters a code. This proves the person controls the inbox. The cost is a small amount of friction and the risk that some users never complete the step.

Most modern signup flows lean toward double opt-in for anything that involves an account, billing, or recurring email. Single opt-in still appears in low-stakes contexts, but for deliverability and consent reasons, the confirmation step is the default for serious applications.

Anatomy of a Confirmation Link

A confirmation link is just a URL that carries enough information for the server to recognise the request as legitimate. A typical one looks like this:

https://app.example.com/verify?token=8f2c...e91a

The interesting part is the token. There are two common ways to design it, and they trade off statefulness against control.

Opaque token with a database lookup

The server generates a long random string, stores a hash of it in a database row alongside the user ID and an expiry timestamp, and emails the raw value. When the link is opened, the server hashes the incoming token, looks up the matching row, checks that it has not expired or been used, and then marks the account verified. The token itself carries no meaning—it is only a pointer. Revoking it is trivial: delete or invalidate the row.

Signed (stateless) token

Alternatively, the token can encode the data it needs—such as the user ID and an expiry time—and a cryptographic signature created with a secret key the server holds. A JSON Web Token (JWT) is the common format. On the way back in, the server verifies the signature and checks the embedded expiry without a database read. This avoids storing one row per pending verification, but revoking a single token before it expires is harder, because there is no stored record to delete. Many teams add a server-side check (for example, a "verified at" timestamp) so a signed token cannot be replayed after it has already been used.

Either way, the link should resolve to a single, narrow action: confirm this address. It should not be a general-purpose credential or grant a logged-in session beyond what verification requires.

Magic Links vs. Code-Based Verification

Verification (and passwordless sign-in) usually takes one of two user-facing forms.

Neither is universally better. Magic links optimise for the fewest taps; codes optimise for working reliably across devices and email clients. Some apps offer both and let the user pick.

Security Considerations

A verification token is effectively a temporary key. A few principles keep it from becoming a liability:

• High entropy. Random tokens should be generated with a cryptographically secure random source and be long enough that guessing is infeasible—commonly 128 bits or more of randomness. Short codes are the exception and must lean on rate limits instead.
• Short expiry. A token that lives forever is a permanent backdoor if it ever leaks. Window sizes from a few minutes (for codes) up to roughly 24 hours (for confirmation links) are typical.
• One-time use. Once a token is redeemed, it should be invalidated so a captured link cannot be replayed. With database-backed tokens this means deleting or flagging the row; with signed tokens it means recording that the action has already happened.
• Store hashes, not raw tokens. If a token is kept server-side, store a hash of it. Then a database leak does not hand attackers working tokens, much as you would never store plaintext passwords.
• Keep secrets out of the URL where you can. URLs end up in browser history, server access logs, proxy logs, and referrer headers. The token in a link is unavoidable, which is exactly why it must be single-use and short-lived—but do not pile additional secrets (session tokens, passwords, API keys) into query strings.
• Rate-limit and throttle. Limit how many codes can be requested and how many attempts can be made, to blunt both spamming a victim’s inbox and brute-forcing a code.
• Use constant-time comparison. Compare tokens and signatures with a function that does not leak length or content through timing, avoiding subtle side-channel attacks.

The Typical Backend Flow, Step by Step

Putting it together, here is how a token-based confirmation-link flow usually runs from the moment someone submits the signup form:

Good flows also handle the unhappy paths: a "resend" option for emails that never arrive, a clear message when a link has expired (with a one-click way to get a fresh one), and idempotent handling so that clicking an already-used link shows "already verified" rather than an error.

Frequently Asked Questions