Use Case 012: Email Verification Process
Overview
| Property | Value |
|---|---|
| Use Case ID | UC-012 |
| Use Case Name | Email Verification Process |
| Module | Identity Management - Email Verification |
| Priority | Medium |
| Status | Implemented (Optional Feature) |
| Version | 1.0 |
| Last Updated | January 30, 2026 |
Description
This use case describes the email verification process that can be enabled for trial user registration. When enabled, trial users must verify their email address before receiving access credentials and being able to login to Riptide applications. The system generates verification tokens, sends verification emails, validates token expiration and status, manages resend requests with rate limiting, and provides administrator override capabilities for manual verification.
Actors
| Actor | Description | Role |
|---|---|---|
| Trial User | A prospective customer who has registered for a trial account | Primary |
| System | Application Manager platform | Supporting |
| Email Service | SMTP or AWS SES for sending verification emails | Supporting |
| Administrator | System admin who can manually verify users or troubleshoot | Secondary |
Preconditions
- Application Manager is running and accessible
- Email service (SMTP or AWS SES) is configured and operational
- Email verification is enabled in configuration (RequireEmailVerification: true)
- Trial user has completed initial registration (UC-001)
- Verification token expiration period is configured (default: 24 hours)
- Rate limiting settings are configured for resend operations
Postconditions
Success Postconditions
- User's EmailVerified flag set to true in database
- Welcome email with credentials sent to verified user
- User can now create sessions and log in to applications
- Verification token marked as used/consumed
- Verification timestamp recorded (VerifiedAt)
- Activity logged in audit trail
Failure Postconditions
- EmailVerified remains false if verification fails
- User cannot log in until verified
- Error messages logged for troubleshooting
- Admin notification triggered for persistent failures
Triggers
- User completes trial registration (UC-001) with verification enabled
- User clicks verification link in email
- User requests verification email resend
- Verification token expires
- Administrator manually verifies user
Basic Flow (Happy Path)
Detailed Steps
Step 1: System Generates Verification Token
- Generate cryptographically secure GUID token
- Calculate expiration: CreatedAt + 24 hours (TokenExpirationHours)
- Store token in EmailVerificationTokens table or user record
- Link token to trial user ID
Step 2: System Sends Verification Email
- Compose email with:
- Clear subject line: "Verify Your Riptide Trial Account"
- Prominent verification button/link
- Token expiration notice (24 hours)
- Resend instructions if email not received
- Support contact information
- Generate verification URL: https://app-manager.riptide.com/verify-email?token={token}
- Send via configured email provider
- Log email delivery attempt with timestamp
Step 3: User Receives Verification Email
- User checks email inbox (may check spam/junk folder)
- User sees verification email
- User reviews email content
- User clicks "Verify Email" button/link
Step 4: System Receives Verification Request
- Web UI intercepts verification URL
- Extract token from query parameter
- Call API endpoint: POST /api/v1/trial-users/verify-email
- Pass token in request body
Step 5: System Validates Verification Token
- Query database for user with matching token
- If token not found: Return 404 Not Found
- If token found: Proceed with validation
- Check token expiration date against current time
- If expired: Return 400 Bad Request (token expired)
- If not expired: Proceed with verification
Step 6: System Checks User Status
- Retrieve user's current EmailVerified status
- If already verified: Return 200 OK with message "Email already verified" (idempotent; no second welcome email is sent)
- If trial expired while awaiting verification: Apply the configured policy (extend or reject; see Alt Flow 7)
- If user is inactive: Return 400 Bad Request
Step 7: System Marks Email as Verified
- Begin database transaction
- Update trial user record: EmailVerified = true; VerifiedAt = Current UTC timestamp
- Update verification token: IsUsed = true; UsedAt = Current UTC timestamp. The update must be conditional on IsUsed = false (and ExpiresAt in the future) so that two concurrent requests cannot both consume the same token; see Test Case 10
- Commit transaction
- Log verification event in audit trail
Step 8: System Sends Welcome Email
- Compose welcome email with:
- Congratulations message
- Login token (32 characters)
- API token (64 characters)
- Direct links to authorized applications
- Trial expiration date
- Getting started guide
- Support contact information
- Send email to verified address
- Log email delivery
Step 9: System Returns Success Response
- Return 200 OK to web UI
- Include success message in response body
- Web UI displays confirmation message
- Redirect to login page after 5 seconds (optional)
Step 10: User Receives Credentials
- User checks email for welcome message
- User saves/bookmarks credentials securely
- User proceeds to login using provided token
- User accesses trial applications
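The following C# sketch is an added example, not code from the Application Manager code base. It covers Steps 1, 2, 5, 6 and 7 end to end: it builds a v4 GUID token from RandomNumberGenerator bytes, stores only the token's SHA-256 hash (the optional hashed storage from Security Considerations), builds the verification URL from a configured base URL rather than the request host, and consumes the token inside one critical section so that two simultaneous clicks (Test Case 10) yield a single verification and a single welcome email. The in-memory dictionaries stand in for the EmailVerificationTokens and TrialUsers tables; the class, method and outcome names are assumptions, and a token superseded by a resend is reported as expired, which is one reading of "invalidates old token".

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Added example, not Application Manager code. The two dictionaries stand in for the
// EmailVerificationTokens and TrialUsers tables; every name here is an assumption.
public sealed class TokenRecord
{
    public Guid TrialUserId; public DateTime ExpiresAt; public bool IsUsed; public DateTime? UsedAt;
}

public sealed class TrialUser
{
    public Guid Id; public bool IsActive = true; public bool EmailVerified; public DateTime? VerifiedAt;
}

public enum VerifyOutcome { Verified, AlreadyVerified, InvalidFormat, NotFound, Expired, UserInactive }

public sealed class EmailVerificationService
{
    // The base URL comes from configuration, never from the request's Host header (BR-012).
    private const string BaseUrl = "https://app-manager.riptide.com";
    private static readonly TimeSpan TokenLifetime = TimeSpan.FromHours(24); // TokenExpirationHours
    private readonly Dictionary<string, TokenRecord> _tokensByHash = new(); // keyed by SHA-256 of the token
    private readonly Dictionary<Guid, TrialUser> _users = new();
    private readonly object _txLock = new(); // stands in for the database transaction
    public void AddUser(TrialUser user) => _users[user.Id] = user;

    // Step 1: a v4 GUID from 16 CSPRNG bytes (122 random bits). Only its hash is stored, so a
    // leaked table or backup does not yield usable links.
    public Guid IssueToken(Guid trialUserId, DateTime nowUtc)
    {
        var bytes = new byte[16];
        RandomNumberGenerator.Fill(bytes);
        bytes[7] = (byte)((bytes[7] & 0x0F) | 0x40); // version nibble = 4
        bytes[8] = (byte)((bytes[8] & 0x3F) | 0x80); // RFC 4122 variant bits
        var token = new Guid(bytes);
        lock (_txLock)
        {
            // Single-token policy: a new token supersedes any active token for the same user.
            foreach (var t in _tokensByHash.Values)
                if (t.TrialUserId == trialUserId && !t.IsUsed) t.IsUsed = true;
            _tokensByHash[Hash(token)] = new TokenRecord { TrialUserId = trialUserId, ExpiresAt = nowUtc + TokenLifetime };
        }
        return token;
    }

    // Step 2: the link placed in the email; the token is the only secret it carries.
    public static string BuildVerificationUrl(Guid token) =>
        $"{BaseUrl}/verify-email?token={Uri.EscapeDataString(token.ToString("D"))}";

    // Steps 5 to 7 in the order the use case gives, inside one critical section so that two
    // simultaneous clicks (Test Case 10) produce exactly one Verified outcome and one welcome email.
    public VerifyOutcome Verify(string tokenText, DateTime nowUtc)
    {
        if (!Guid.TryParseExact(tokenText, "D", out var token))
            return VerifyOutcome.InvalidFormat;                           // 400, no database lookup (Alt Flow 4)
        lock (_txLock)
        {
            if (!_tokensByHash.TryGetValue(Hash(token), out var rec))
                return VerifyOutcome.NotFound;                            // 404 TokenNotFound
            if (nowUtc >= rec.ExpiresAt) return VerifyOutcome.Expired;    // 400 VerificationTokenExpired
            var user = _users[rec.TrialUserId];
            if (user.EmailVerified) return VerifyOutcome.AlreadyVerified; // 200, idempotent, no second welcome email
            if (rec.IsUsed) return VerifyOutcome.Expired;                 // superseded by a resend; user needs the new link
            if (!user.IsActive) return VerifyOutcome.UserInactive;        // 400
            // SQL equivalent of the next two lines: UPDATE EmailVerificationTokens SET IsUsed = 1, UsedAt = @now
            //   WHERE TokenHash = @h AND IsUsed = 0 AND ExpiresAt > @now; continue only if exactly one row changed.
            rec.IsUsed = true; rec.UsedAt = nowUtc;
            user.EmailVerified = true; user.VerifiedAt = nowUtc;
            return VerifyOutcome.Verified;                                // only this path sends credentials (BR-008)
        }
    }

    private static string Hash(Guid token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.ASCII.GetBytes(token.ToString("D"))));
}

public static class TokenDemo
{
    public static void Main()
    {
        var svc = new EmailVerificationService();
        var alice = new TrialUser { Id = Guid.NewGuid() };
        var bob = new TrialUser { Id = Guid.NewGuid() };
        svc.AddUser(alice); svc.AddUser(bob);
        var t0 = new DateTime(2026, 1, 30, 14, 0, 0, DateTimeKind.Utc);
        var aliceToken = svc.IssueToken(alice.Id, t0);
        Console.WriteLine(EmailVerificationService.BuildVerificationUrl(aliceToken));
        Console.WriteLine(svc.Verify(aliceToken.ToString("D"), t0.AddHours(1)));  // Verified
        Console.WriteLine(svc.Verify(aliceToken.ToString("D"), t0.AddHours(2)));  // AlreadyVerified (Alt Flow 2)
        Console.WriteLine(svc.Verify("not-a-guid", t0));                           // InvalidFormat
        Console.WriteLine(svc.Verify(Guid.NewGuid().ToString("D"), t0));           // NotFound
        var bobFirst = svc.IssueToken(bob.Id, t0);
        Console.WriteLine(svc.Verify(bobFirst.ToString("D"), t0.AddHours(25)));    // Expired (Alt Flow 1)
        var bobSecond = svc.IssueToken(bob.Id, t0.AddHours(25));                   // resend supersedes bobFirst
        Console.WriteLine(svc.Verify(bobSecond.ToString("D"), t0.AddHours(26)));   // Verified
    }
}
```

Two details carry the security weight here. The hash lookup means the database never holds a usable link, so a read-only compromise or a leaked backup cannot be turned into verified accounts. And the conditional update (the SQL in the comment, or the lock in the in-memory version) is what makes BR-006 hold under concurrency: a read-then-write without the IsUsed = 0 predicate would let both of Test Case 10's requests succeed and send two welcome emails.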
Alternative Flows
Alt Flow 1: Verification Token Expired
Steps:
- User clicks expired verification link (token > 24 hours old)
- System detects token expiration during validation (step 5)
- System returns 400 Bad Request with error code VerificationTokenExpired
- Web UI displays user-friendly message: "Your verification link has expired. Verification links are valid for 24 hours."
- Web UI offers "Resend Verification Email" button
- User clicks resend button
- System checks rate limit (max 3 resends per day per user)
- System generates new verification token
- System invalidates old token in database
- System sends new verification email
- User receives new email and completes verification
Alt Flow 2: Email Already Verified
Steps:
- User clicks verification link for already-verified account
- System finds user by token during step 4
- System checks EmailVerified status during step 6
- System detects EmailVerified = true
- System returns 200 OK with message: "Email already verified"
- Web UI displays: "Your email has already been verified. You can log in to your account."
- Web UI provides "Go to Login" button
- User clicks button and is redirected to login page
- No email is sent (credentials already delivered previously)
Alt Flow 3: Verification Email Not Received
Steps:
- User completes registration but doesn't receive verification email within 5 minutes
- User navigates to registration confirmation page or clicks "Resend" link
- User clicks "Resend Verification Email" button
- System checks resend rate limit:
- Maximum 3 resends per user per 24 hours
- Minimum 2 minutes between resend requests
- If rate limit exceeded:
- Return 429 Too Many Requests
- Display: "Too many resend attempts. Please wait 24 hours or contact support."
- If rate limit OK:
- Generate new verification token (invalidate previous)
- Send new verification email
- Return 200 OK
- Display: "Verification email resent successfully. Check your inbox and spam folder."
- User checks spam/junk folder if still not received
- User contacts support if email persistently not received
- Administrator can investigate email logs and manually verify user
Alt Flow 4: Invalid or Malformed Token
Steps:
- User receives or clicks on malformed verification link (corrupted, incomplete, etc.)
- Web UI extracts token parameter
- API receives invalid token format
- System validates token format (GUID expected):
- If format invalid: Return 400 Bad Request
- If format valid: Query database
- If token not found in database:
- Return 404 Not Found
- Message: "Verification link is invalid or has expired"
- Web UI displays error message and "Resend Verification Email" option
- User requests resend and receives new valid link
Alt Flow 5: Admin Manual Verification
Steps:
- Administrator identifies user needing manual verification (support ticket, email delivery issue, etc.)
- Administrator logs into admin panel
- Administrator searches for trial user by email
- System displays user details showing EmailVerified: false
- Administrator clicks "Verify Email Manually" button
- System prompts for confirmation: "Manually verify this user's email? They will receive credentials immediately."
- Administrator confirms action
- System validates admin has appropriate permissions
- System updates user record: EmailVerified = true; VerifiedAt = Current UTC timestamp; VerificationMethod = "Manual"; VerifiedByAdminId = Admin ID
- System sends welcome email with credentials
- System logs admin action in audit trail
- System displays success message to administrator
- User receives credentials and can login
Alt Flow 6: Rate Limit Exceeded on Resend
Steps:
- User attempts to resend verification email for 4th time within 24 hours
- System queries verification email send history from database
- System counts resend attempts in past 24 hours
- System detects rate limit violation (3 attempts already made)
- System returns 429 Too Many Requests
- Response includes:
- Error code: RateLimitExceeded
- Message: "You have reached the maximum number of verification email resend attempts (3) for today."
- Retry-After header with seconds until rate limit resets
- Web UI displays error message
- Web UI provides support contact information
- User options:
- Wait for 24-hour rate limit reset
- Contact support for manual verification
- Check spam folder again
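As an added example (not the platform's rate limiting middleware), this C# limiter applies BR-003 and BR-004 as described in Alt Flows 3 and 6: it counts resends in a sliding 24-hour window over the send history, enforces the 2-minute spacing, and derives the Retry-After value from the oldest send still in the window. Only resend requests are counted, not the initial registration email (the use case leaves this ambiguous), and the email key is normalized so that case and whitespace variants of one address cannot each obtain their own three resends. Class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not Application Manager code. Limits resend requests per trial user by
// email address using the send history (Alt Flows 3 and 6, BR-003, BR-004). Names are assumptions.
public readonly record struct ResendDecision(bool Allowed, int RetryAfterSeconds, int ResendCount, string Reason);

public sealed class ResendRateLimiter
{
    private readonly int _maxResends;        // MaxResendsPerDay
    private readonly TimeSpan _window;       // PeriodHours
    private readonly TimeSpan _minInterval;  // MinResendIntervalMinutes
    // Stand-in for the Verification Email Send History table: resend timestamps per normalized address.
    private readonly Dictionary<string, List<DateTime>> _history = new();

    public ResendRateLimiter(int maxResends = 3, int periodHours = 24, int minIntervalMinutes = 2)
    {
        _maxResends = maxResends;
        _window = TimeSpan.FromHours(periodHours);
        _minInterval = TimeSpan.FromMinutes(minIntervalMinutes);
    }

    // The limit is keyed by email, so the key must be canonical: "John.Doe@Example.com " and
    // "john.doe@example.com" are the same mailbox and must share one counter.
    public static string Normalize(string email) => email.Trim().ToLowerInvariant();

    public ResendDecision Check(string email, DateTime nowUtc)
    {
        var key = Normalize(email);
        var sends = _history.TryGetValue(key, out var list) ? list : new List<DateTime>();
        // Sliding window: only sends within the last PeriodHours count toward the limit.
        var inWindow = sends.Where(t => t > nowUtc - _window).OrderBy(t => t).ToList();

        if (inWindow.Count > 0 && nowUtc - inWindow[^1] < _minInterval)
        {
            var wait = inWindow[^1] + _minInterval - nowUtc;
            return new ResendDecision(false, (int)Math.Ceiling(wait.TotalSeconds), inWindow.Count, "MinIntervalNotElapsed");
        }
        if (inWindow.Count >= _maxResends)
        {
            // The limit frees up when the oldest send in the window ages out; that is the Retry-After value.
            var wait = inWindow[0] + _window - nowUtc;
            return new ResendDecision(false, (int)Math.Ceiling(wait.TotalSeconds), inWindow.Count, "RateLimitExceeded");
        }
        return new ResendDecision(true, 0, inWindow.Count, "Allowed");
    }

    // Call only after the verification email has actually been handed to the provider.
    public ResendDecision RecordSend(string email, DateTime nowUtc)
    {
        var decision = Check(email, nowUtc);
        if (!decision.Allowed) return decision;
        var key = Normalize(email);
        if (!_history.TryGetValue(key, out var list)) _history[key] = list = new List<DateTime>();
        list.Add(nowUtc);
        return decision with { ResendCount = decision.ResendCount + 1 };
    }
}

public static class ResendDemo
{
    public static void Main()
    {
        var limiter = new ResendRateLimiter();
        var t0 = new DateTime(2026, 1, 30, 10, 0, 0, DateTimeKind.Utc);
        Console.WriteLine(limiter.RecordSend("john.doe@example.com", t0));                // Allowed, count 1
        Console.WriteLine(limiter.Check("John.Doe@Example.com ", t0.AddSeconds(30)));     // MinIntervalNotElapsed, 90 s
        Console.WriteLine(limiter.RecordSend("john.doe@example.com", t0.AddMinutes(5)));  // Allowed, count 2
        Console.WriteLine(limiter.RecordSend("john.doe@example.com", t0.AddMinutes(10))); // Allowed, count 3
        Console.WriteLine(limiter.Check("john.doe@example.com", t0.AddHours(5).AddMinutes(28)));
        // RateLimitExceeded, RetryAfterSeconds 66720 = 18 h 32 min, as on the Rate Limit Exceeded screen
        Console.WriteLine(limiter.Check("john.doe@example.com", t0.AddHours(24).AddSeconds(1))); // Allowed again
    }
}
```

With the sample timestamps, the fourth request 5 h 28 min after the first is refused with retryAfter 66720 seconds, the 18 hours 32 minutes shown on the Rate Limit Exceeded screen, and the first send ages out of the window one second after 24 hours. In a real deployment the count and the insert into the send history must happen in one transaction (or the insert first, then the count); otherwise two parallel resend requests can each observe a count of 2 and both pass, which is the same race as Test Case 10 applied to the resend path.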
Alt Flow 7: Trial Expired During Verification Delay
Steps:
- User registered but didn't verify email for extended period
- Trial expiration date passes (e.g., 30 days from registration)
- User finally clicks verification link
- System validates token (still within 24-hour token expiration from last resend)
- System checks trial expiration status
- System detects trial has expired
- Business rule applied based on configuration:
- Option A (Lenient): Auto-extend trial by 30 days, send welcome email
- Option B (Strict): Reject verification, display "Trial expired" message
- If Option A:
- Mark email as verified
- Update TrialExpirationDate = Current date + 30 days (ExtensionDays)
- Send welcome email noting trial extension
- Log extension in audit trail
- If Option B:
- Return error message
- Provide contact information for sales/support
- User must request trial extension or upgrade
Business Rules
| Rule ID | Description | Enforcement |
|---|---|---|
| BR-001 | Verification tokens must be cryptographically secure GUIDs | Token generation logic |
| BR-002 | Verification tokens expire after 24 hours | Token validation logic |
| BR-003 | Maximum 3 verification email resends per user per 24 hours | Rate limiting middleware |
| BR-004 | Minimum 2 minutes between resend requests for same user | Rate limiting middleware |
| BR-005 | Users cannot login until EmailVerified=true (if verification enabled) | Session creation validation |
| BR-006 | Each verification token can only be used once | Token usage tracking |
| BR-007 | Verification tokens must be invalidated after successful use | Database update logic |
| BR-008 | Welcome email with credentials sent only after verification | Email service logic |
| BR-009 | Administrators can bypass verification with manual override | Admin API authorization |
| BR-010 | Expired tokens cannot be reused; user must request resend | Token validation logic |
| BR-011 | Email verification feature can be disabled via configuration | Configuration setting check |
| BR-012 | Verification links must use HTTPS in production | URL generation logic |
Data Requirements
Note: For complete TrialUser data model including inheritance structure, see UC-001 Data Requirements section.
Email Verification Token Record
{
"Id": "uuid-v4",
"TrialUserId": "uuid-v4 (foreign key)",
"Token": "uuid-v4 (unique, indexed)",
"CreatedAt": "datetime (UTC)",
"ExpiresAt": "datetime (UTC, CreatedAt + 24h)",
"IsUsed": "boolean (default: false)",
"UsedAt": "datetime (UTC, nullable)",
"IpAddress": "string (optional, for security audit)",
"UserAgent": "string (optional, for security audit)"
}
Trial User Record Updates
{
"EmailVerified": "boolean (default: false)",
"VerifiedAt": "datetime (UTC, nullable)",
"VerificationMethod": "string ('Email' | 'Manual', nullable)",
"VerifiedByAdminId": "uuid-v4 (nullable, foreign key to admin user)"
}
Verification Email Send History
{
"Id": "uuid-v4",
"TrialUserId": "uuid-v4 (foreign key)",
"SentAt": "datetime (UTC)",
"EmailAddress": "string",
"TokenId": "uuid-v4 (foreign key)",
"DeliveryStatus": "string ('Sent' | 'Delivered' | 'Failed')",
"FailureReason": "string (nullable)"
}
Email Templates
Verification Email:
- Subject: "Verify Your Riptide Trial Account"
- Body includes:
- Verification link/button
- Token expiration notice (24 hours)
- What happens after verification
- Resend instructions
- Support contact
Welcome Email (Post-Verification):
- Subject: "Your Riptide Trial is Ready"
- Body includes:
- Congratulations message
- Login token
- API token
- Application links
- Trial expiration date
- Getting started guide
- Support contact
Verification Link Expired Email:
- Subject: "Your Verification Link Has Expired"
- Body includes:
- Explanation of expiration
- New verification link/button
- Reminder of 24-hour validity
- Support contact
User Interface
Verification Pending Screen
┌─────────────────────────────────────────────────────┐
│ 📧 Verify Your Email Address │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ Thank you for registering for a Riptide trial! │
│ │
│ We've sent a verification email to: │
│ │
│ john.doe@example.com │
│ │
│ Please check your inbox and click the │
│ verification link to activate your account. │
│ │
│ ⏰ The verification link expires in 24 hours. │
│ │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ Didn't receive the email? │
│ │
│ • Check your spam or junk folder │
│ • Wait a few minutes for delivery │
│ • Ensure john.doe@example.com is correct │
│ │
│ ┌─────────────────────────────┐ │
│ │ Resend Verification Email │ │
│ └─────────────────────────────┘ │
│ │
│ Need help? Contact support@riptide.com │
└─────────────────────────────────────────────────────┘
Verification Success Screen
┌─────────────────────────────────────────────────────┐
│ ✅ Email Verified Successfully! │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ Your email address has been verified. │
│ │
│ 📧 An email with your login credentials has been │
│ sent to: │
│ │
│ john.doe@example.com │
│ │
│ The email contains: │
│ • Your login token │
│ • Your API token │
│ • Links to access applications │
│ • Getting started guide │
│ │
│ ⏰ Trial Duration: 30 days │
│ 📅 Expires: February 27, 2026 │
│ │
│ ┌─────────────────────┐ │
│ │ Go to Login │ │
│ └─────────────────────┘ │
│ │
└─────────────────────────────────────────────────────┘
Token Expired Screen
┌─────────────────────────────────────────────────────┐
│ ⚠️ Verification Link Expired │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ This verification link has expired. │
│ Verification links are valid for 24 hours. │
│ │
│ Don't worry! You can request a new verification │
│ link below. │
│ │
│ Email address: john.doe@example.com │
│ │
│ ┌──────────────────────────────┐ │
│ │ Send New Verification Email │ │
│ └──────────────────────────────┘ │
│ │
│ Need help? Contact support@riptide.com │
└─────────────────────────────────────────────────────┘
Rate Limit Exceeded Screen
┌─────────────────────────────────────────────────────┐
│ ⛔ Too Many Requests │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ You have reached the maximum number of │
│ verification email resend attempts. │
│ │
│ Limit: 3 resends per 24 hours │
│ Retry after: 18 hours 32 minutes │
│ │
│ If you're having trouble receiving emails: │
│ │
│ 1. Check your spam/junk folder │
│ 2. Add noreply@riptide.com to contacts │
│ 3. Contact support for assistance │
│ │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ 📧 Email: support@riptide.com │
│ 💬 Chat: Available 9 AM - 5 PM EST │
│ │
└─────────────────────────────────────────────────────┘
Admin Manual Verification Interface
┌─────────────────────────────────────────────────────┐
│ Admin Panel - Trial User Details │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ User ID: 750e8400-e29b-41d4-a716-446655440001 │
│ Name: John Doe │
│ Email: john.doe@example.com │
│ Company: Acme Corporation │
│ │
│ Status │
│ • Registration: January 28, 2026 10:30 AM │
│ • Email Verified: ❌ No │
│ • Trial Expires: February 27, 2026 │
│ • Last Login: Never │
│ │
│ Verification History │
│ • Emails sent: 3 │
│ • Last sent: January 29, 2026 2:15 PM │
│ • Delivery status: Delivered │
│ • Link clicked: No │
│ │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ Admin Actions │
│ │
│ ┌──────────────────────────┐ │
│ │ Verify Email Manually │ ⚠️ This will send │
│ └──────────────────────────┘ credentials │
│ │
│ ┌──────────────────────────┐ │
│ │ Resend Verification │ │
│ └──────────────────────────┘ │
│ │
│ ┌──────────────────────────┐ │
│ │ View Email Logs │ │
│ └──────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────┘
API Endpoints
Verify Email
Endpoint: POST /api/v1/trial-users/verify-email
Authentication: None (public endpoint, token-based verification)
Request Body:
{
"token": "550e8400-e29b-41d4-a716-446655440000"
}
Success Response: 200 OK
{
"success": true,
"message": "Email verified successfully. Check your email for login credentials.",
"user": {
"id": "750e8400-e29b-41d4-a716-446655440001",
"email": "john.doe@example.com",
"emailVerified": true,
"verifiedAt": "2026-01-30T14:25:00Z"
}
}
Error Responses:
400 Bad Request - Token expired
{
"error": "VerificationTokenExpired",
"message": "This verification link has expired. Verification links are valid for 24 hours.",
"canResend": true,
"email": "john.doe@example.com"
}
200 OK - Already verified (not an error: an idempotent success, as in Basic Flow step 6 and Alt Flow 2; no second welcome email is sent)
{
"status": "AlreadyVerified",
"message": "This email address has already been verified. You can log in now.",
"verifiedAt": "2026-01-29T10:30:00Z"
}
404 Not Found - Token not found
{
"error": "TokenNotFound",
"message": "Invalid verification link. Please request a new verification email.",
"canResend": true
}
Resend Verification Email
Endpoint: POST /api/v1/trial-users/resend-verification
Authentication: None (public endpoint, email-based)
Request Body:
{
"email": "john.doe@example.com"
}
Success Response: 200 OK
{
"success": true,
"message": "Verification email sent successfully. Please check your inbox.",
"email": "john.doe@example.com",
"expiresAt": "2026-01-31T14:30:00Z",
"resendCount": 2,
"maxResends": 3,
"retryAfter": null
}
Error Responses:
429 Too Many Requests - Rate limit exceeded
{
"error": "RateLimitExceeded",
"message": "Maximum resend attempts (3) reached for today. Please try again in 18 hours.",
"retryAfter": 64800,
"supportEmail": "support@riptide.com"
}
400 Bad Request - Email already verified
{
"error": "AlreadyVerified",
"message": "This email address is already verified. You can login now."
}
404 Not Found - Email not found
{
"error": "EmailNotFound",
"message": "No trial user found with this email address."
}
Note: a distinct 404 here lets an unauthenticated caller test whether an address has a trial account. Where address enumeration matters, return the same 200 response as for a registered address (without sending mail) and rely on the per-email rate limit.
Admin Manual Verification
Endpoint: POST /api/v1/admin/trial-users/{userId}/verify-email
Authentication: Required (Admin role)
Request Body:
{
"reason": "User reported email delivery issues. Verified via phone.",
"sendWelcomeEmail": true
}
Success Response: 200 OK
{
"success": true,
"message": "User email verified manually by administrator.",
"user": {
"id": "750e8400-e29b-41d4-a716-446655440001",
"email": "john.doe@example.com",
"emailVerified": true,
"verifiedAt": "2026-01-30T15:00:00Z",
"verificationMethod": "Manual",
"verifiedByAdminId": "550e8400-e29b-41d4-a716-446655440002"
},
"welcomeEmailSent": true
}
Error Responses:
403 Forbidden - Insufficient permissions
{
"error": "Forbidden",
"message": "You do not have permission to manually verify users."
}
400 Bad Request - Already verified
{
"error": "AlreadyVerified",
"message": "This user's email is already verified.",
"verifiedAt": "2026-01-29T10:30:00Z"
}
Get Verification Status
Endpoint: GET /api/v1/trial-users/verification-status
Authentication: None (email-based query)
Note: because this endpoint is unauthenticated and keyed only by email address, and answers differently for registered and unknown addresses, it also works as an account enumeration oracle and discloses trial status and send counts. Apply the resend rate limit to it and consider a uniform response for unknown addresses.
Query Parameters:
email (required): Email address to check
Success Response: 200 OK
{
"email": "john.doe@example.com",
"emailVerified": false,
"verificationEmailsSent": 2,
"lastVerificationEmailSentAt": "2026-01-30T10:00:00Z",
"canResend": true,
"retryAfter": null,
"trialStatus": "Active",
"trialExpiresAt": "2026-02-27T10:30:00Z"
}
Performance Requirements
| Metric | Target | Critical Threshold |
|---|---|---|
| Verification email delivery time | < 30 seconds | < 2 minutes |
| Token validation response time | < 500ms | < 2 seconds |
| Database update for verification | < 300ms | < 1 second |
| Welcome email delivery after verification | < 30 seconds | < 2 minutes |
| Resend request processing | < 1 second | < 3 seconds |
| Admin manual verification | < 2 seconds | < 5 seconds |
| Verification status check | < 200ms | < 1 second |
Security Considerations
Token Security
- Verification tokens must be cryptographically secure UUIDs (v4): 122 random bits, which makes online guessing infeasible
- Tokens generated using System.Security.Cryptography.RandomNumberGenerator (never derived from timestamps, user IDs or System.Random)
- Tokens must be unique across all users (enforced by a unique index on the stored token or token hash)
- Recommended: store only a SHA-256 hash of the token and look it up by hash, so that a database read or a leaked backup does not yield usable verification links (the "secure hash" option in the data model)
- Tokens transmitted only via HTTPS
- Tokens included in email links (not in subject/preview)
- Tokens automatically invalidated after use
- Expired tokens cannot be reused
Email Security
- Verification emails submitted to the email provider over TLS (SMTP with STARTTLS, or the SES API over HTTPS)
- Email content does not include credentials; login and API tokens travel only in the welcome email sent after verification
- Verification links use the HTTPS scheme
- Verification URLs are built from a configured base URL, never from the incoming request's Host header, so a host-header injection cannot point emailed links at an attacker's domain
- DKIM/SPF/DMARC configured for the sending domain
- Unsubscribe link not included (transactional email)
Rate Limiting
- Maximum 3 resend requests per email per 24 hours
- Minimum 2 minutes between resend requests
- Rate limiting keyed by email address (not IP, to handle shared IPs); the address is normalized (trimmed, lower-cased) before lookup so that case or whitespace variants cannot bypass the limit
- Rate limit counters reset after 24 hours (sliding window over the send history)
- Admin actions exempt from rate limiting
Brute Force Protection
- No public endpoint to enumerate valid tokens
- Token lookup failures logged but not counted toward the resend rate limit; with 122-bit random tokens guessing is infeasible, but the verify endpoint should still be throttled per IP at the edge to bound log volume
- Failed verification attempts monitored for abuse patterns
- Suspicious activity alerts administrators
Privacy Considerations
- Email addresses not exposed in error messages (the expired-token response echoes the address only to a caller presenting that user's own token)
- Verification status queryable only by email address; because the status and resend endpoints answer differently for registered and unknown addresses (EmailNotFound vs. a status body), an unauthenticated caller can enumerate registered addresses. Return a uniform response for unknown addresses where that matters for the deployment
- Admin actions logged in audit trail
- User consent implied by registration action
- GDPR compliance: user can request account deletion
Testing Scenarios
Test Case 1: Successful Email Verification
Given: User registered with verification enabled, email sent
When: User clicks valid verification link within 24 hours
Then: Email marked as verified, welcome email sent, 200 OK returned
Verify: EmailVerified = true, VerifiedAt set, token marked as used, credentials delivered
Test Case 2: Expired Token Handling
Given: User registered 25 hours ago, hasn't verified
When: User clicks original verification link
Then: 400 Bad Request returned with "Token expired" message
Verify: EmailVerified still false, resend option displayed, no credentials sent
Test Case 3: Duplicate Verification Attempt
Given: User already verified email successfully
When: User clicks verification link again
Then: 200 OK returned with "Already verified" message
Verify: No duplicate welcome email sent, login button displayed
Test Case 4: Resend Verification Within Rate Limit
Given: User has sent 2 verification emails today
When: User requests third resend
Then: New verification email sent, 200 OK returned
Verify: New token generated, old token invalidated, email delivered
Test Case 5: Resend Verification Exceeds Rate Limit
Given: User has already sent 3 verification emails today
When: User attempts fourth resend
Then: 429 Too Many Requests returned
Verify: No email sent, rate limit message displayed, retry time shown
Test Case 6: Invalid Token Format
Given: User clicks malformed verification link
When: System receives non-GUID token
Then: 400 Bad Request returned
Verify: No database lookup attempted, error logged
Test Case 7: Token Not Found in Database
Given: User clicks link with valid GUID not in database
When: System queries for token
Then: 404 Not Found returned
Verify: Generic error message, resend option offered
Test Case 8: Admin Manual Verification
Given: Administrator identified user needing manual verification
When: Admin clicks "Verify Manually" in admin panel
Then: Email marked as verified, welcome email sent, audit logged
Verify: VerificationMethod = "Manual", VerifiedByAdminId set, credentials delivered
Test Case 9: Verification Email Delivery Failure
Given: Email service unavailable during resend
When: System attempts to send verification email
Then: Email failure logged, user notified
Verify: Token still generated, delivery retried later or admin notified
Test Case 10: Concurrent Verification Attempts
Given: User clicks verification link from two different browsers simultaneously
When: Both requests process at same time
Then: Only one succeeds, other gets "Already verified"
Verify: No duplicate welcome emails, database transaction prevents race condition
Test Case 11: Trial Expired Before Verification
Given: User registered 31 days ago, never verified (trial duration 30 days)
When: User finally clicks verification link
Then: Based on policy: either extend trial or reject with "Trial expired"
Verify: Configured business rule applied consistently
Test Case 12: Unverified User Login Attempt
Given: User registered but hasn't verified email
When: User attempts to login with credentials
Then: Login rejected with "Email verification required"
Verify: Session not created, verification reminder displayed
Monitoring and Analytics
Key Metrics to Track
- Verification Rate: Users verified / Total registrations (%)
- Verification Time: Average time from registration to verification
- Token Expiration Rate: Expired tokens / Total tokens issued (%)
- Resend Request Rate: Resend requests / Total verifications sent
- Email Delivery Rate: Emails delivered / Emails sent (%)
- Verification Link Click Rate: Links clicked / Emails delivered (%)
- Manual Verification Rate: Manual verifications / Total verifications (%)
- Rate Limit Hit Rate: Rate limit errors / Total resend requests (%)
Performance Dashboards
- Real-time verification processing times
- Email delivery latency tracking
- Token validation response times
- Database query performance for verification lookups
- API endpoint health (verify, resend, status check)
Alerts
- Verification success rate < 70% in 24 hours
- Email delivery failure rate > 10% in 1 hour
- Token validation errors spike (> 50/hour)
- Rate limit hits spike (> 100/hour)
- Average verification time > 48 hours
- Manual verification rate > 20% (indicates systemic email issue)
- Database connection failures during verification
- Abnormal resend request patterns (potential abuse)
Email Service Monitoring
- SMTP connection health
- Email bounce rate tracking
- Spam complaint monitoring
- Email open rates (verification and welcome emails)
- Link click-through rates
- Email service provider status
Configuration Options
Application Settings
{
"EmailVerification": {
"Enabled": true,
"TokenExpirationHours": 24,
"MaxResendsPerDay": 3,
"MinResendIntervalMinutes": 2,
"AllowLoginWithoutVerification": false,
"ExtendTrialOnLateVerification": true,
"ExtensionDays": 30,
"AutoCleanupExpiredTokensDays": 7
},
"Email": {
"FromAddress": "noreply@riptide.com",
"FromName": "Riptide Platform",
"VerificationEmailTemplate": "trial-verification",
"WelcomeEmailTemplate": "trial-welcome",
"Provider": "AWSSES"
},
"RateLimiting": {
"VerificationResend": {
"Limit": 3,
"PeriodHours": 24,
"MinIntervalMinutes": 2
}
}
}
Feature Flags
- RequireEmailVerification: Enable/disable verification requirement
- AllowAdminManualVerification: Allow administrators to bypass verification
- SendVerificationReminders: Send reminder emails after 24/48 hours
- ExtendExpiredTrialsOnVerification: Auto-extend trials for late verifications
Integration Points
Email Service Integration
- AWS SES for production email delivery
- SMTP fallback for development/testing
- Email template management system
- Email delivery status webhooks (bounces, opens, clicks)
- Email queue for reliability
Database Integration
- Trial user table updates (EmailVerified flag)
- Verification token table management
- Email send history logging
- Audit trail integration
Admin Panel Integration
- User search and detail view
- Manual verification controls
- Email history display
- Rate limit override capability
Session Management Integration
- Login endpoint checks EmailVerified flag
- Unverified users blocked from session creation
- Error messages prompt verification
Related Use Cases
- UC-001: Trial User Self-Registration (triggers verification)
- UC-002: Trial User Login and Session Management (checks verification status)
- UC-005: Administrator Trial User Management (manual verification)
- UC-013: Email Notification Service (sends verification and welcome emails)
- UC-014: Rate Limiting and Abuse Prevention
- UC-015: Audit Trail and Logging
Notes and Assumptions
- Optional Feature: Email verification can be disabled via configuration; if disabled, welcome email sent immediately
- Token Format: GUIDs (v4) used for verification tokens; the 122 random bits from a CSPRNG provide both uniqueness and unguessability
- Single Token Policy: Only one active verification token per user at a time; resend invalidates previous token
- Email Provider: Assumes reliable email service (AWS SES or SMTP) with delivery tracking
- No SMS Verification: Email-only verification; SMS/2FA out of scope for trial users
- Trial Extension Logic: Configurable whether late verifications extend trial period
- No Password Reset During Verification: Password reset requires separate flow (post-verification)
- Link Format: Verification links are GET requests to the web UI, which then submits the token to the POST API; this keeps mail scanners and link pre-fetchers that issue a GET from consuming the token, but the token still appears in the URL (browser history, referrer headers, proxy logs), which is why the 24-hour expiry and single use matter
- Internationalization: Currently English-only; multi-language support is future enhancement
- Mobile Optimization: Verification emails and pages are mobile-responsive
Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-30 | System Analyst | Initial use case documentation for email verification process |
Document Owner: Platform Architecture Team
Stakeholders: Product Management, Engineering, Customer Success, Security Team
Review Cycle: Quarterly or as needed for major changes