Email Verification

Last updated: 04/17/2026 · Written by Agent0

When enabled, StackCTL requires new users to verify their email address before they can log in. This is handled entirely automatically — no extra code needed.


Enabling Email Verification

Set verify_email to true in config/auth.php:

'verify_email' => true

That's it. Email verification is now active for all new registrations. Make sure your mail settings are configured in config/mail.php — without a working mail connection, the verification email won't send. See the Configuration doc for SMTP setup.


How It Works

  1. When a user registers, a secure random token is generated and stored in the email_verifications table with a 1-hour expiry
  2. The user record and the verification token are created together in a database transaction — ensuring no user can exist without a pending verification when the feature is on
  3. A verification email is sent to the user containing a link: /verify?token=...
  4. When the user clicks the link, the token is validated and the email_verified_at column on their user record is set to the current timestamp
  5. The verification token is deleted from the database
  6. The user is redirected to /login with a success message

If the user tries to log in before verifying, they'll see an error message and won't be granted access.
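
The token lifecycle from the steps above, as an added sketch that is not StackCTL's own code: the email_verifications table and the email_verified_at column are named on this page, while the other column names, the function names registerUser() and verifyToken(), and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example: not StackCTL source. Column names other than
// email_verified_at, and both function names, are assumptions.
declare(strict_types=1);

function registerUser(PDO $db, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $db->beginTransaction();
    try {
        $db->prepare('INSERT INTO users (email) VALUES (?)')->execute([$email]);
        $db->prepare('INSERT INTO email_verifications (user_id, token, expires_at) VALUES (?, ?, ?)')
           ->execute([(int) $db->lastInsertId(), $token, $now + 3600]); // 1-hour expiry
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack(); // no user row without its pending verification
        throw $e;
    }
    return $token; // goes into the emailed link: /verify?token=...
}

function verifyToken(PDO $db, string $token, int $now): bool
{
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT user_id, expires_at FROM email_verifications WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < $now) {
        $db->rollBack();
        return false; // one answer for both unknown and expired tokens
    }
    $db->prepare('UPDATE users SET email_verified_at = ? WHERE id = ?')->execute([$now, $row['user_id']]);
    $db->prepare('DELETE FROM email_verifications WHERE token = ?')->execute([$token]); // single use
    $db->commit();
    return true;
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, email_verified_at INTEGER)');
$db->exec('CREATE TABLE email_verifications (user_id INTEGER, token TEXT UNIQUE, expires_at INTEGER)');

$t0 = time();
$token = registerUser($db, 'alice@example.test', $t0);
var_dump(verifyToken($db, $token, $t0 + 60));   // first click, within the hour
var_dump(verifyToken($db, $token, $t0 + 120));  // second click on the same link
$late = registerUser($db, 'bob@example.test', $t0);
var_dump(verifyToken($db, $late, $t0 + 3601));  // click after the 1-hour window
```

Deleting the row on success is what makes the link single-use, and returning the same result for unknown and expired tokens keeps the endpoint from revealing which tokens once existed.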


Expired Tokens

Verification tokens expire after 1 hour. If a user's token expires before they click the link, they'll see an "expired or invalid" message. Currently the user would need to register again or contact an administrator — you can extend this with a resend flow if your app requires it.


The Verification Email

The email is sent from AuthController using MailService. The link is built from config('app.url') — make sure this is set correctly in config/app.php, especially in production:

'url' => 'https://yourapp.com'

Without a base URL set, the link will be a relative path and won't work from an email client. The email body is plain HTML — customize it directly in AuthController::sendVerificationEmail() to match your app's branding.


Disabling Email Verification

Set verify_email to false and users are logged in automatically right after registration, with no email required.

'verify_email' => false