# How to set up user verification in Bubble

- Tool: Bubble
- Difficulty: Beginner
- Time required: 15-20 min
- Compatibility: All Bubble plans
- Last updated: March 2026

## TL;DR

Set up email verification in Bubble by sending a confirmation email with a unique verification link after signup. When users click the link, a workflow marks their account as verified. Block unverified users from accessing protected pages by checking a 'is_verified' field. Include a resend verification option for users who miss the initial email.

## Set Up Email Verification in Bubble

This tutorial shows you how to verify user email addresses after registration to prevent fake accounts and ensure valid contact information.

## Before you start

- A Bubble account with user authentication configured
- Email sending capability (built-in or SendGrid)
- Basic understanding of workflows and URL parameters

## Step-by-step guide

### 1. Add Verification Fields to User

Add to User: 'is_verified' (yes/no, default no), 'verification_token' (text). The token is a unique string used in the verification link.

**Expected result:** User data type has verification tracking fields.

### 2. Generate Token and Send Verification Email

In the signup workflow, after creating the user: generate a random string (use 'Calculate a random string' or a backend workflow), save it as verification_token. Send email with link: https://yourapp.com/verify?token=[token]. The email body explains they need to click to verify.

**Expected result:** New users receive a verification email with a unique link.

### 3. Create the Verification Page

Create a 'verify' page. On Page loaded, get URL parameter 'token'. Search for User where verification_token = token. If found: set is_verified = yes, clear token. Show success message. If not found: show error message.

**Expected result:** Clicking the verification link marks the user as verified.

### 4. Block Unverified Users

On protected pages, add Page is loaded workflow: if Current User is logged in AND is_verified is no → redirect to 'please-verify' page. The please-verify page shows a message and a Resend Verification button.

**Expected result:** Unverified users cannot access protected pages.

### 5. Add Resend Verification

On the please-verify page, add a 'Resend' button. Workflow: generate new token, save to Current User, send new verification email. Add a cooldown: disable button for 60 seconds after clicking to prevent spam.

**Expected result:** Users can request a new verification email.

## Complete code example

File: `Workflow summary`

```text
USER FIELDS:
- is_verified (yes/no, default: no)
- verification_token (text)

WORKFLOWS:
1. After signup:
   → Generate random token (32 chars)
   → Save token to new User
   → Send email: "Click to verify: https://app.com/verify?token=[token]"

2. Verify page loaded:
   → Get URL param 'token'
   → Search for User (verification_token = token)
   → If found: Set is_verified = yes, clear token
   → Show success or error message

3. Protected page loaded:
   → If Current User's is_verified is no → redirect to please-verify

4. Resend clicked:
   → Generate new token → Save → Send email
   → Disable button for 60 seconds
```

## Common mistakes

- **Not clearing the verification token after use** — An unused token could be reused or exploited. Fix: Set verification_token to empty after successful verification.
- **Not adding a resend option** — Verification emails can end up in spam. Without resend, users are stuck. Fix: Always provide a Resend Verification button on the please-verify page.
- **Blocking users immediately after signup without explanation** — Users who just signed up and see a blocked page are confused and may leave. Fix: Show a clear 'Please check your email' page with instructions and a resend option.

## Best practices

- Generate unique, random tokens for each verification link.
- Clear tokens after successful verification.
- Add a resend option with rate limiting (one per 60 seconds).
- Expire tokens after 24-48 hours for security.
- Show clear instructions on the verification pending page.
- Check verification status on all protected pages.

## Frequently asked questions

### Does Bubble have built-in email verification?

Bubble has a basic 'Confirm email' feature, but it is limited. Building your own gives more control over the flow, email content, and user experience.

### How do I prevent verification links from expiring?

Add a 'token_created_at' date field. On the verify page, check if the token is less than 24 hours old. If expired, show 'Link expired — request a new one'.

### Can I use phone number verification instead?

Yes. Use Twilio via the API Connector to send SMS verification codes. Store and verify a 6-digit code instead of an email link.

### Should I let unverified users access the app partially?

It depends on your app. Some apps allow read-only access for unverified users. Others block all access. Choose based on your user experience goals.

### How do I verify users who signed up with social login?

Social login providers (Google, Facebook) typically verify email as part of their OAuth flow. Check the provider's response for email_verified status. For comprehensive verification systems, RapidDev can build multi-method verification.

### What if verification emails go to spam?

Use a reputable email service (SendGrid, Mailgun), configure SPF/DKIM records for your domain, and keep email content simple with minimal HTML.

---

Source: https://www.rapidevelopers.com/bubble-tutorial/setup-user-verification-in-bubble
© RapidDev — https://www.rapidevelopers.com/bubble-tutorial/setup-user-verification-in-bubble
