Email Verification Endpoints
Base URL:
https://auth.calimatic.com/api/v1/auth/headless
Email verification endpoints use App Client authentication. Both endpoints are designed with anti-enumeration security: they always return 200 regardless of whether the email exists.
Authentication
All endpoints in this group use App Client authentication:
| Header | Value | Description |
|---|---|---|
| x-client-id | cca_... | Your app client ID |
| x-client-secret | ccas_... | Your app client secret |
| Content-Type | application/json | Required for POST requests |
Endpoints Overview
| Method | Endpoint | Description |
|---|---|---|
| POST | /email/verify-send | Send a verification email to the user |
| POST | /email/verify-confirm | Confirm email using the token from the email link |
POST /api/v1/auth/headless/email/verify-send
Send an email verification link to the user. Use this after signup or when the user requests a new verification link.
Anti-enumeration: Always returns 200 even if the email does not exist or is already verified.
Authentication: App Client (x-client-id + x-client-secret)
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | Email address to send the verification link to |
Response (200 OK)
Always returns an empty body. No information is disclosed about whether the email exists.
{}
Error Codes
| Code | HTTP Status | Description |
|---|---|---|
| RATE_LIMITED | 429 | Request rate limit exceeded |
| INVALID_CLIENT | 401 | App client credentials are missing or invalid |
| VALIDATION_ERROR | 400 | Email format is invalid |
SDK Method
await client.email.sendVerification({ email: 'user@example.com' });
curl Example
curl -X POST https://auth.calimatic.com/api/v1/auth/headless/email/verify-send \
-H "Content-Type: application/json" \
-H "x-client-id: cca_aBcDeFgHiJkL" \
-H "x-client-secret: ccas_xYzAbCdEfGhI" \
-d '{
"email": "user@example.com"
}'
POST /api/v1/auth/headless/email/verify-confirm
Confirm email verification using a token from the verification email. The token is typically embedded in a link sent to the user's email (e.g., ?token=...). On success, the user's email address is marked as verified.
Authentication: App Client (x-client-id + x-client-secret)
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| token | string | Yes | Verification token extracted from the email link |
Response (200 OK)
Returns an empty body on success. The user's email is now verified.
{}
Error Codes
| Code | HTTP Status | Description |
|---|---|---|
| VALIDATION_ERROR | 400 | Token is invalid, malformed, or has expired |
| RATE_LIMITED | 429 | Request rate limit exceeded |
| INVALID_CLIENT | 401 | App client credentials are missing or invalid |
SDK Method
await client.email.confirmVerification({ token: verificationTokenFromEmail });
curl Example
curl -X POST https://auth.calimatic.com/api/v1/auth/headless/email/verify-confirm \
-H "Content-Type: application/json" \
-H "x-client-id: cca_aBcDeFgHiJkL" \
-H "x-client-secret: ccas_xYzAbCdEfGhI" \
-d '{
"token": "vt_eyJhbGciOiJIUzI1NiJ9..."
}'
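The confirm step as it would run on your own backend, so that x-client-secret never reaches the browser. This is an added example, not code from the Calimatic documentation or SDK. The link host app.example.com, the shape of the creds object, the 4096-character token bound and the user-facing messages are assumptions; only the endpoint, headers, request body and status codes come from the tables above.

```javascript
// Added example: server-side handling of the verification link.
const BASE = 'https://auth.calimatic.com/api/v1/auth/headless';

// Build the verify-confirm request from the link the user clicked.
// Returns null when the link carries no usable token, so no API call is made.
function buildConfirmRequest(linkUrl, creds) {
  let token;
  try { token = new URL(linkUrl).searchParams.get('token'); } catch { return null; }
  if (!token || token.length > 4096) return null; // length bound is an assumption
  return {
    url: `${BASE}/email/verify-confirm`,
    init: {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'x-client-id': creds.clientId,
        'x-client-secret': creds.clientSecret, // stays on the server
      },
      body: JSON.stringify({ token }),
    },
  };
}

// Map the documented HTTP statuses to what the end user is told.
// 401 means our own credentials are wrong: flag it for operators and show
// the same generic failure as any unexpected status.
function outcomeForStatus(status) {
  const generic = 'Verification is temporarily unavailable.';
  switch (status) {
    case 200: return { ok: true, userMessage: 'Email verified.' };
    case 400: return { ok: false, userMessage: 'This link is invalid or has expired. Request a new one.' };
    case 429: return { ok: false, userMessage: 'Too many attempts. Try again later.' };
    case 401: return { ok: false, userMessage: generic, alert: 'INVALID_CLIENT' };
    default: return { ok: false, userMessage: generic };
  }
}

// fetchImpl is injectable so the flow can be exercised offline with a stub.
async function confirmFromLink(linkUrl, creds, fetchImpl = globalThis.fetch) {
  const req = buildConfirmRequest(linkUrl, creds);
  if (!req) return outcomeForStatus(400); // treat a missing token like a bad one
  const res = await fetchImpl(req.url, req.init);
  return outcomeForStatus(res.status);
}
```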