Verify Email

A user verifies their email address after adding one to their account.

Status: partially-live. Backend resend-verification endpoint is complete. Frontend UI for the email verification flow is not yet built.

Who Can Do This

Users with status: active who do not have a provider-supplied email on their account — typically those who signed in with a method that did not provide an email address.

Steps

  1. Enter an email address in the profile settings.
  2. A verification email is sent to that address.
  3. Click the verification link in the email.
  4. The email is confirmed and associated with the account.

Rules

  • This flow is only available when the account has no provider-supplied email.
  • The email address is validated for format before a verification email is sent. Basic format validation runs on the client and is re-checked server-side before the link is generated. A malformed address (e.g. missing @ or no domain) is rejected immediately with an error — no verification email is sent.
  • The email address is checked for uniqueness at two points:
  • At submission — before the verification email is sent. If the address is already associated with another account, the user is shown an error immediately and no verification email is sent.
  • At click time — when the verification link is followed. If the address was claimed by a different account between submission and click, the user sees an "email already in use" error and must start the flow again with a different address. If the same account clicks multiple links for the same address (due to a resend or delayed delivery), all clicks succeed.
  • The email is not used for any communication until verified.
  • The pending unverified email is stored server-side and is preserved if the user reinstalls the app or signs in on a different device.
  • The verification link expires 72 hours after it is sent. If the link expires without being clicked, the pending email is discarded. The account remains without a verified email and the user can start the flow again from profile settings.
  • Within the 72-hour window, the user can tap Resend from profile settings to send the same verification email again (same link, no expiry reset). Resends are rate-limited to once every 3 minutes and capped at 5 resends per verification attempt. After 5 resends, the user must change the address to restart the flow with a fresh 72-hour window.
  • The pending email address can be changed before it is verified. Changing it cancels the previous link and sends a new one with a fresh 72-hour window.
  • A user can attempt at most 3 distinct email addresses per week. Each new address entered (including changes before verification) counts as one attempt. Once the weekly limit is reached, the user cannot submit a new address until the 7-day window resets. Resends of the current address do not count toward this limit.
  • Once verified, the email can be changed to a new address by entering a new email in profile settings. A new verification link is sent; the change only takes effect when the link is clicked. A verified email cannot be removed entirely — the user must always have at least one email once one has been set.
  • An account can hold multiple user-verified emails — for example, after two accounts are merged. All verified emails receive product communications. The user can remove any of them from profile settings, as long as at least one remains.
  • Emails provided by a sign-in provider (Google or Apple) are managed by that provider and cannot be changed through this flow.

What Happens Next

Verification completes server-side when the link is clicked — the link can be opened on any device or browser, not just the device where the app is installed. The verified email is reflected in the app the next time the user opens it.

The verified email is saved to the user profile. It is used for product-related communications: ride updates, account management notices, and group notifications. 95octane does not send marketing emails.

Email notification toggles in profile settings that were previously greyed out (due to no verified email) become active immediately. Their stored values are unchanged — if they were at the default on state, email notifications begin arriving right away. See Update Profile.

Email is private data — it is never shown to other users, including Riding Buddies. It is visible only to the user themselves.

The email cannot be used to regain access to the app. If a user loses access to their Google or Apple account, they can recover via Mobile/OTP if they have previously linked it — see Add Authentication Provider. If no Mobile/OTP provider is linked, no self-service recovery path exists.

Failure Cases

  • Email already in use at submission: The address belongs to another account. The user is prompted to choose a different address — no verification email is sent.
  • Email already in use at click time: Another account claimed the address after this link was sent. The user sees an "email already in use" error and must start the flow again from profile settings with a different address.
  • Link not clicked: The email remains unverified and is not saved to the profile until the link is followed.
  • Link expired: The link is older than 72 hours and no longer works. The pending email is discarded. The user can start the flow again from profile settings.
  • Account banned when link is clicked: If the link opens in the app, the ban screen blocks it. If it opens on the 95octane website, the user sees an error that the action cannot be completed while their account is banned. The pending verification is not applied.
  • Account pending deletion when link is clicked: The link returns an error stating the account is marked for deletion. The pending verification is not applied. If the user cancels deletion during the grace period, they can restart the email verification flow from profile settings.
  • Email not received: The user can tap Resend from profile settings at any time before the link expires (up to 5 resends, once every 3 minutes). If the address was mistyped, the user can update it — changing the address cancels the old link and sends a new one with a fresh 5-resend allowance.
  • Resend limit reached: After 5 resends, the Resend button is disabled. The user must change the email address to start a new verification attempt.
  • Weekly address limit reached: After 3 distinct address attempts in a 7-day window, the user cannot enter a new address until the window resets. The UI shows when the next attempt will be available.