Tutorial

Email Verification in Next.js: Complete Implementation Guide

Why email verification matters

Email verification serves two critical purposes: confirming the user owns the email address they signed up with, and building a clean email list from day one. Without verification, your user base fills with typos (user@gmial.com), disposable addresses, and fake signups. These invalid addresses bounce when you send transactional emails, damaging your sender reputation and reducing deliverability for your legitimate users. Double opt-in (sending a verification email with a confirmation link) is the gold standard. It's required by GDPR for marketing emails and strongly recommended for transactional email senders. Implementing it in Next.js with AISend is straightforward.

Generating secure verification tokens

When a user signs up, generate a cryptographically secure random token using crypto.randomBytes(32).toString('hex'). Store the token in your database alongside the user ID and an expiration timestamp (typically 24 hours from creation). Never use predictable tokens like sequential IDs, timestamps, or user IDs — these can be guessed by attackers. The token should be single-use: delete it from the database after successful verification. For additional security, hash the token before storing it (using SHA-256) and only send the unhashed version in the email; on verification, hash the incoming token and look up the hash. This way, even if your database is compromised, the stored hashes cannot be turned back into tokens that pass verification.

Sending the verification email

Create a server action or API route handler that sends the verification email through AISend. The email should include a clear call-to-action button linking to your verification endpoint with the token as a query parameter: https://yourapp.com/verify?token=abc123. Keep the email simple and focused — subject line: 'Verify your email address', body: a brief explanation and a prominent verification button. Send the email immediately after signup for the best user experience. If the API call fails, queue a retry rather than showing an error to the user. The verification email is your first impression — make sure it arrives quickly and looks professional.

Building the verification endpoint

Create a Next.js page or API route at /verify (or /api/verify) that handles the verification. When a user clicks the verification link, extract the token from the query parameters, look it up in your database (by its SHA-256 hash if you store tokens hashed), check that it hasn't expired, mark the user's email as verified, delete the token, and redirect to a success page or the main application. Handle edge cases: if the token is invalid or expired, show a helpful error message with an option to resend the verification email. If the user is already verified, redirect them to the app rather than showing an error. Always use HTTPS for verification links to prevent token interception.

Handling re-sends and edge cases

Users will lose or miss verification emails. Provide a 'Resend verification email' button on the login page for unverified users. Rate-limit resends to prevent abuse — maximum 3 resends per hour per email address. When resending, invalidate the previous token and generate a new one. For users who signed up with a typo in their email, allow them to update their email address and send a new verification to the corrected address. Consider sending a reminder email 24 hours after signup if the user hasn't verified — this recovers a significant percentage of signups that would otherwise be lost. Track verification rates in your analytics to identify friction points in your signup flow.
