{"id":161,"date":"2025-08-26T14:10:58","date_gmt":"2025-08-26T14:10:58","guid":{"rendered":"https:\/\/1v0.net\/blog\/?p=161"},"modified":"2025-08-26T14:11:00","modified_gmt":"2025-08-26T14:11:00","slug":"how-to-build-email-verification-in-laravel-12-step-by-step","status":"publish","type":"post","link":"https:\/\/1v0.net\/blog\/how-to-build-email-verification-in-laravel-12-step-by-step\/","title":{"rendered":"How to Build Email Verification in Laravel 12 (Step by Step)"},"content":{"rendered":"\n

One of the first security features you should add to any web app is Email Verification<\/strong>. When a new user signs up, you want to be sure the email they provided is valid and belongs to them. Without verification, users could register with fake or disposable emails, which leads to spam, weak security, and a lack of trust in your application.<\/p>\n\n\n\n

In this step-by-step tutorial, we\u2019ll build a complete Email Verification system in Laravel 12<\/strong>. We\u2019ll explain not just the code, but also why each step matters, so even beginners can follow along. By the end, your app will send verification emails, require verified emails for protected pages, and provide a simple UI for resending verification links.<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/div>\n\n\n\n

1 – What is Email Verification?<\/strong><\/h2>\n\n\n\n

<\/p>\n\n\n\n

Email Verification<\/strong> means a new user must confirm ownership of their email before they can fully use your app. The system sends a unique, signed link to their inbox. Clicking the link marks their account as verified. This prevents fake accounts, strengthens security, and ensures you can reach users reliably (for password resets, notifications, etc.).<\/p>\n\n\n\n

Laravel 12 includes built-in verification support. We\u2019ll turn it on, add routes and UI, and protect pages with the verified<\/code> middleware.<\/p>\n\n\n\n

<\/p>\n\n\n\n\n

<\/div>\n\n\n\n\n

2 – Prerequisites<\/strong><\/h2>\n\n\n\n

<\/p>\n\n\n\n

    \n
  • Laravel 12 project (PHP 8.2+) with a working database connection in .env<\/code><\/li>\n
  • Basic auth (register & login) already in place (can be hand-rolled or any scaffolding)<\/li>\n
  • Mail configured in .env<\/code> (SMTP\/Mailgun\/Sendgrid\/etc.) so the app can send emails<\/li>\n<\/ul>\n\n\n\n

    <\/p>\n\n\n\n\n

    <\/div>\n\n\n\n\n

    3 – Enable Email Verification on the User model<\/strong><\/h2>\n\n\n\n

    <\/p>\n\n\n\n

    Add the MustVerifyEmail<\/code> interface to your User<\/code> model. This tells Laravel that users must verify their email before accessing routes protected by the verified<\/code> middleware.<\/p>\n\n\n

    \/\/ app\/Models\/User.php<\/span>\n<\/span><\/span>namespace<\/span> App<\/span>\\Models<\/span>;\n<\/span><\/span>\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Contracts<\/span>\\Auth<\/span>\\MustVerifyEmail<\/span>; \/\/ <-- add this<\/span>\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Foundation<\/span>\\Auth<\/span>\\User<\/span> as<\/span> Authenticatable<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Notifications<\/span>\\Notifiable<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Database<\/span>\\Eloquent<\/span>\\Factories<\/span>\\HasFactory<\/span>;\n<\/span><\/span>\n<\/span><\/span>class<\/span> User<\/span> extends<\/span> Authenticatable<\/span> implements<\/span> MustVerifyEmail<\/span><\/span>\n<\/span><\/span><\/span>{\n<\/span><\/span>    use<\/span> HasFactory<\/span>, Notifiable<\/span>;\n<\/span><\/span>\n<\/span><\/span>    \/\/ fillable\/hidden\/casts as you normally have them<\/span>\n<\/span><\/span>}\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Explanation:<\/strong> implementing MustVerifyEmail<\/code> enables a few framework behaviors: Laravel knows how to send verification notifications, and the verified<\/code> middleware will check $user->hasVerifiedEmail()<\/code> for protected routes.<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    4 – Add the verification routes (notice, verify, resend)<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n\n
    Create three routes: a \u201cplease verify your email\u201d page, the confirmation<\/em> endpoint (clicked from email), and a resend<\/em> endpoint (rate-limited) in case the user didn\u2019t receive the email.<\/p>\n\n\n
    \/\/ routes\/web.php<\/span>\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Foundation<\/span>\\Auth<\/span>\\EmailVerificationRequest<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\n<\/span><\/span>\n<\/span><\/span>\/\/ 1) Notice page (unverified users land here)<\/span>\n<\/span><\/span>Route::get('\/email\/verify'<\/span>, function<\/span> ()<\/span> <\/span>{\n<\/span><\/span>    return<\/span> view('auth.verify-email'<\/span>); \/\/ we'll create this view next<\/span>\n<\/span><\/span>})->middleware('auth'<\/span>)->name('verification.notice'<\/span>);\n<\/span><\/span>\n<\/span><\/span>\/\/ 2) Verification callback (user clicks link in email)<\/span>\n<\/span><\/span>Route::get('\/email\/verify\/{id}\/{hash}'<\/span>, function<\/span> (EmailVerificationRequest $request)<\/span> <\/span>{\n<\/span><\/span>    $request->fulfill(); \/\/ marks the user's email as verified<\/span>\n<\/span><\/span>    return<\/span> redirect('\/dashboard'<\/span>); \/\/ or wherever you want verified users to land<\/span>\n<\/span><\/span>})->middleware(['auth'<\/span>, 'signed'<\/span>])->name('verification.verify'<\/span>);\n<\/span><\/span>\n<\/span><\/span>\/\/ 3) Resend verification link (rate-limited)<\/span>\n<\/span><\/span>Route::post('\/email\/verification-notification'<\/span>, function<\/span> (Request $request)<\/span> <\/span>{\n<\/span><\/span>    $request->user()->sendEmailVerificationNotification();\n<\/span><\/span>    return<\/span> back()->with('status'<\/span>, 'Verification link sent!'<\/span>);\n<\/span><\/span>})->middleware(['auth'<\/span>, 'throttle:6,1'<\/span>])->name('verification.send'<\/span>);\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Explanation:<\/strong> The signed<\/code> middleware ensures the verification link has not been tampered with. The throttle:6,1<\/code> middleware lets users request a new link but prevents abuse (max 6 per minute).<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    5 – Build the \u201cVerify your email\u201d Blade view (with resend button)<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n\n
    Create a friendly, minimal UI that explains why verification is needed and allows resending the email.<\/p>\n\n\n
    <!-- resources\/views\/auth\/verify-email.blade.php -->\n<\/span><\/span>@extends('layouts.app'<\/span>)\n<\/span><\/span>\n<\/span><\/span>@section('content'<\/span>)\n<\/span><\/span><div class<\/span>=\"container<\/span> py<\/span>-5\" style<\/span>=\"max<\/span>-width<\/span>:720px<\/span>\"><\/span>\n<\/span><\/span>  <h1<\/span> class<\/span>=\"h4<\/span> mb<\/span>-3\">Verify<\/span> your<\/span> email<\/span> address<\/span><\/h1<\/span>><\/span>\n<\/span><\/span><\/span>\n<\/span><\/span>  <p<\/span>>Thanks<\/span> for<\/span> signing<\/span> up<\/span>! Before<\/span> getting<\/span> started<\/span>, please<\/span> verify<\/span> your<\/span> email<\/span> by<\/span> clicking<\/span> the<\/span> link<\/span> we<\/span> just<\/span> sent<\/span> you<\/span>.<\/p<\/span>><\/span>\n<\/span><\/span><\/span>\n<\/span><\/span>  @if<\/span> (session<\/span>('status<\/span>') === 'verification<\/span>-link<\/span>-sent<\/span>')<\/span>\n<\/span><\/span>    <div<\/span> class<\/span>=\"alert<\/span> alert<\/span>-success<\/span> mt<\/span>-3\"><\/span>\n<\/span><\/span>      A<\/span> new<\/span> verification<\/span> link<\/span> has<\/span> been<\/span> sent<\/span> to<\/span> your<\/span> email<\/span> address<\/span>.<\/span>\n<\/span><\/span>    <\/div<\/span>><\/span>\n<\/span><\/span>  @endif<\/span><\/span>\n<\/span><\/span><\/span>\n<\/span><\/span>  <form<\/span> method<\/span>=\"POST<\/span>\" action<\/span>=\"<\/span>{{ route('verification.send'<\/span>) }}\" class=\"<\/span>mt-3<\/span>\"><\/span>\n<\/span><\/span>    @csrf<\/span><\/span>\n<\/span><\/span>    <button class=\"<\/span>btn btn-primary\">Resend verification email<\/button><\/span><\/span>\n<\/span><\/span>  <\/form><\/span><\/span>\n<\/span><\/span><\/span><\/span>\n<\/span><\/span>  <p class=\"<\/span>text-muted small mt-3<\/span> mb-0<\/span>\"><\/span><\/span>\n<\/span><\/span>    Didn\u2019t get the email? Check spam, or click the button above to resend.<\/span><\/span>\n<\/span><\/span>  <\/p><\/span><\/span>\n<\/span><\/span><\/div><\/span><\/span>\n<\/span><\/span>@endsection<\/span><\/span>\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Explanation:<\/strong> We use a neutral success message so users don\u2019t wonder if the button \u201cworked.\u201d The message displays whenever a new link is sent.<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    6 – Protect pages with the verified<\/code> middleware<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n\n
    Add the verified<\/code> middleware to any route that should only be accessible after email confirmation. Unverified users are redirected to the notice page.<\/p>\n\n\n
    \/\/ routes\/web.php<\/span>\n<\/span><\/span>Route::get('\/dashboard'<\/span>, function<\/span> ()<\/span> <\/span>{\n<\/span><\/span>    return<\/span> view('dashboard'<\/span>);\n<\/span><\/span>})->middleware(['auth'<\/span>, 'verified'<\/span>]);\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Explanation:<\/strong> The middleware calls $request->user()->hasVerifiedEmail()<\/code>. If it returns false<\/code>, the user is redirected to verification.notice<\/code> (\/email\/verify<\/code>).<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    7 – Configure mail so emails actually send<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n\n
    Make sure your .env<\/code> is configured, otherwise emails will silently fail or go nowhere.<\/p>\n\n\n
    # .env (example SMTP settings)<\/span>\nMAIL_MAILER=smtp\nMAIL_HOST=smtp.your-provider.com\nMAIL_PORT=587<\/span>\nMAIL_USERNAME=your_user\nMAIL_PASSWORD=your_password\nMAIL_ENCRYPTION=tls\nMAIL_FROM_ADDRESS=no-reply@your-domain.com\nMAIL_FROM_NAME=\"${APP_NAME}\"<\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Explanation:<\/strong> Test quickly by registering a new account in local\/dev. If you don\u2019t want to send real emails locally, use a mail catcher (MailHog\/HELO) and point SMTP to it.<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    8 – (Optional) Customize the verification email<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n\n
    Laravel uses a notification to send the verification email. You can customize the email by overriding the notification\u2019s toMail<\/code> on a VerifyEmail<\/code> class and registering it, or by customizing mail styling with Markdown mail templates. A lightweight approach is to customize MAIL_FROM_*<\/code> and branding in your layout so it aligns with your app\u2019s voice.<\/p>\n\n\n\n
    (If you later need a branded template, create a custom notification that extends the default and uses your Markdown view. Keep the signed URL intact for security.)<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    9 – Test the entire flow (step-by-step)<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n\n
      \n
    1. Register a new user (ensure mail settings are correct).<\/li>\n
    2. Try visiting a protected page (like \/dashboard<\/code>) \u2014 you should be redirected to \/email\/verify<\/code>.<\/li>\n
    3. Open your inbox and click the verification link.<\/li>\n
    4. You should be redirected and now able to access \/dashboard<\/code>.<\/li>\n
    5. Try the \u201cResend verification email\u201d button if needed.<\/li>\n<\/ol>\n\n\n\n
      <\/p>\n\n\n\n\n
      <\/div>\n\n\n\n\n
      10 – Common errors & fixes<\/strong><\/h2>\n\n\n\n
      <\/p>\n\n\n\n