Recipe: Email verification flow

End-to-end pattern for verifying user email addresses with Meridian licensing — token generation, delivery, and confirmation.

Overview

When a user purchases a license, Meridian sends a verification email containing a single-use token. The token is bound to the license key and expires after 15 minutes. This recipe covers the full round-trip: generating the token server-side, delivering it via your email provider, and handling the confirmation callback.

Step 1 — Generate the token

Call the Meridian API to create a verification token for a given license key. The response includes the token string and expiry timestamp. Do not store either value; pass both directly to your email template.

POST /api/v1/license/verify/initiate
{
  "license_key": "NMB-XXXX-XXXX-XXXX",
  "email": "user@example.com"
}

Step 2 — Deliver the email

Construct a magic link using the token and your application's confirmation route. Send it via your transactional email provider (Resend, Postmark, SES). The link must be HTTPS and point to a route you control.

https://yourapp.com/verify?token=<token>

Step 3 — Confirm the token

When the user clicks the link, your confirmation route extracts the token from the query string and calls the Meridian confirmation endpoint. On success, the license is marked as verified and the user can proceed to download.

POST /api/v1/license/verify/confirm
{
  "token": "<token-from-query>"
}

Error handling

  • Expired token — tokens live 15 minutes. Show a “link expired” page with a resend button.
  • Already verified — idempotent. Return success and redirect to the download page.
  • Invalid token — log the attempt, show a generic error. Do not leak whether the license exists.
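
The link construction from Step 2 and the confirmation route from Step 3, with the error-handling rules above applied, as an added Python example (not Meridian's own code). The `confirm` callable, its outcome labels, the HTTP status codes, `MAX_TOKEN_LEN` and the `/download` path are assumptions, since this page does not specify Meridian's response format.

```python
import hashlib
import logging
from urllib.parse import parse_qs, urlencode, urlsplit

log = logging.getLogger("verify")
MAX_TOKEN_LEN = 512  # assumption: the page does not state a token length

# Sent on every /verify response: the token sits in the URL, so keep it out
# of caches and out of Referer headers sent to other origins.
SAFE_HEADERS = {"Cache-Control": "no-store", "Referrer-Policy": "no-referrer"}

def build_magic_link(base_url, token):
    """Step 2: refuse non-HTTPS routes and URL-encode the token."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("confirmation route must be an absolute HTTPS URL")
    return f"{base_url}?{urlencode({'token': token})}"

def handle_verify(query_string, confirm):
    """Step 3: returns (status, headers, body).

    `confirm(token)` is a caller-supplied wrapper around
    POST /api/v1/license/verify/confirm that returns one of the hypothetical
    outcome labels "ok", "already_verified", "expired" or "invalid".
    """
    values = parse_qs(query_string).get("token", [])
    # Exactly one token of bounded length; anything else never reaches the API.
    if len(values) != 1 or not 0 < len(values[0]) <= MAX_TOKEN_LEN:
        outcome = "invalid"
    else:
        outcome = confirm(values[0])
    if outcome in ("ok", "already_verified"):  # idempotent success
        return 302, {**SAFE_HEADERS, "Location": "/download"}, ""
    if outcome == "expired":
        return 410, SAFE_HEADERS, "Link expired. Request a new one."
    # Invalid or unknown outcome: log a digest, never the token itself, and
    # answer generically so the response does not reveal license existence.
    digest = hashlib.sha256("".join(values).encode()).hexdigest()[:12]
    log.warning("verification failed token_sha256=%s", digest)
    return 400, SAFE_HEADERS, "Verification failed."
```
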

Next steps

Once verified, redirect users to the download flow. See the download gate recipe for serving licensed binaries.