Firebase Auth has built-in email verification that FlutterFlow exposes directly. After sign-up, use the Send Email Verification action to send the verification email. Gate app access using a Conditional action that checks the emailVerified property on the current user — redirect unverified users to a verification prompt page. Add a resend button for users who missed the email. Enable Require Email Verification in FlutterFlow Settings > Authentication.
Stop Fake Emails Before They Reach Your Database
Without email verification, anyone can sign up with a fake or misspelled email address, creating unusable accounts and polluting your user data. Firebase Auth's email verification is a one-step add-on to your existing sign-up flow. The verification email is sent by Firebase's servers (no SMTP configuration needed), the link is cryptographically secure, and FlutterFlow gives you the actions and conditions to gate your app correctly without any custom code.
Prerequisites
- FlutterFlow project with Firebase Authentication configured
- Email/Password sign-in method enabled in Firebase Console > Authentication > Sign-in method
- A sign-up page already working in your FlutterFlow project
- Basic familiarity with FlutterFlow action flows and conditional navigation
Step-by-step guide
Enable Email Verification Requirement in Settings
In FlutterFlow, open Settings > Authentication > scroll to the Email Verification section. Toggle 'Require Email Verification' to on. This setting tells FlutterFlow to check emailVerified on the authenticated user before allowing access to protected pages. It also enables the emailVerified field as an available condition in your action flows and page conditionals. This setting alone does not send any emails — it just makes the verification state available throughout your app logic.
Expected result: The Require Email Verification toggle is green. You can now reference emailVerified in action conditions throughout your FlutterFlow project.
Add Send Email Verification After Sign Up
In your sign-up page's Create Account action flow, add a new action immediately after the successful account creation action. Search for 'Send Email Verification' in the Actions panel and add it. This action calls Firebase Auth's sendEmailVerification() method which sends a verification link to the user's registered email address. The email is sent by Firebase's servers using your project's default email template — no SMTP configuration required on your end. After this action, navigate the user to a 'Please verify your email' page rather than directly into the app.
Expected result: After signing up, the user receives a Firebase verification email within 1-2 minutes. The email contains a link that, when clicked, sets emailVerified to true in Firebase Auth.
Create the Email Verification Prompt Page
Create a new page called EmailVerificationPage. Add a column with: an envelope icon, a heading 'Check your email', a body text explaining the user should click the link in the verification email sent to their address (display the current user's email using the Current User widget). Add a Resend Email button and a Continue button. On this page's On Load action flow, add a Refresh Current User action followed by a Conditional — if Current User emailVerified equals true, navigate to your main app home page. This auto-redirects users who have already verified before they need to tap Continue.
Expected result: After signing up, users land on this page. Once they click the verification link in their email and return to the app, tapping Continue (or the automatic check) redirects them to the home page.
Gate Protected Pages with emailVerified Check
For any page that should only be accessible to verified users, add an On Page Load action at the very beginning of the action flow. Add a Conditional action: if Current User > emailVerified equals false, navigate to EmailVerificationPage. This check runs every time the page loads, so even if a user somehow bypasses the sign-up flow, they will be redirected to verify before accessing protected content. Do not add this check to your sign-in page, sign-up page, or email verification page — only add it to pages that contain actual app features.
Expected result: Navigating directly to a protected page while unverified redirects to EmailVerificationPage. After verification and token refresh, the same URL loads normally.
Add a Resend Button with Countdown Timer
Users frequently miss or lose the verification email. Add a Resend Email button to EmailVerificationPage. To prevent abuse and respect Firebase's rate limits, add a cooldown: when the button is tapped, immediately disable it and set a Page State variable resendCooldown to 60. Add a periodic timer Custom Action that decrements resendCooldown by 1 every second. Show the remaining seconds in the button label ('Resend in 45s'). When resendCooldown reaches 0, re-enable the button. The Resend action should call Send Email Verification again.
Expected result: After tapping Resend, the button changes to 'Resend in 60s' and counts down. A new verification email arrives within 1-2 minutes. The button re-enables after 60 seconds.
Complete working example
```dart
// FlutterFlow Custom Action: verifyEmailStatus
// Call on EmailVerificationPage On Load and on Continue button tap
// Returns: 'verified' | 'unverified' | 'error'

import 'package:firebase_auth/firebase_auth.dart';

Future<String> verifyEmailStatus() async {
  try {
    final user = FirebaseAuth.instance.currentUser;
    if (user == null) return 'error';

    // Force reload to get latest emailVerified status from server
    await user.reload();

    // Get fresh user object after reload
    final refreshedUser = FirebaseAuth.instance.currentUser;
    if (refreshedUser == null) return 'error';

    return refreshedUser.emailVerified ? 'verified' : 'unverified';
  } catch (e) {
    return 'error';
  }
}

// ─── Resend Verification Email ───────────────────────────────────────────────

Future<bool> resendVerificationEmail() async {
  try {
    final user = FirebaseAuth.instance.currentUser;
    if (user == null) return false;
    if (user.emailVerified) return true; // Already verified, no need to resend

    await user.sendEmailVerification(
      ActionCodeSettings(
        url: 'https://yourapp.page.link/verify', // Update with your domain
        handleCodeInApp: false, // Open in browser, not app
      ),
    );
    return true;
  } on FirebaseAuthException catch (e) {
    // Error code 'too-many-requests' means rate limited
    print('Resend error: ${e.code} - ${e.message}');
    return false;
  }
}

// ─── Countdown Timer for Resend Button ───────────────────────────────────────
// Store in Page State: resendCooldownSeconds (int, starts at 60)
// This Custom Action decrements the count — call it on a 1-second timer

int decrementCooldown(int currentSeconds) {
  return currentSeconds > 0 ? currentSeconds - 1 : 0;
}
```
Common mistakes
Why it's a problem: Not gating app access on emailVerified — users sign up with fake or mistyped emails
How to avoid: Add an emailVerified conditional check to the On Page Load action of every protected page. Also add a Refresh Current User action before checking, since the cached token may not reflect the latest verification state.
Why it's a problem: Checking emailVerified without first calling Refresh Current User
How to avoid: Always call Refresh Current User (or user.reload() in a Custom Action) before reading emailVerified in any conditional. Without this, verified users get stuck on the verification page.
Why it's a problem: Sending the verification email only once and not offering a resend option
How to avoid: Add a clearly labeled Resend Email button with a 60-second cooldown. Include the user's email address in the prompt so they know which inbox to check.
Best practices
- Always call user.reload() before reading emailVerified — cached tokens do not auto-update.
- Display the user's email address on the verification page so they know which inbox to check.
- Add a link to open the email app directly from your verification page on mobile (mailto: scheme) to reduce friction.
- Customize the Firebase verification email template in Firebase Console > Authentication > Templates with your app name and branding.
- Set a deep link in ActionCodeSettings so the verification link opens your app directly instead of a browser on mobile — smoother experience.
- Log failed verification attempts (users who never verify within 7 days) and send a reminder email via Cloud Function using Firebase Admin SDK.
- For B2B apps, consider allowing corporate email domains to skip verification (whitelist check in Firestore) if verification emails are blocked by corporate firewalls.
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I am building a FlutterFlow app with Firebase Auth email/password login. Show me how to implement email verification: send the verification email after sign-up, create a verification prompt page, gate protected pages by checking emailVerified with a forced token reload, and add a resend button with a 60-second rate-limiting countdown. Show the Dart code for the verification check and resend actions.
In my FlutterFlow app, add a Send Email Verification action to my CreateAccount action flow after the successful sign-up step. Then create an EmailVerificationPage with a Refresh Current User action on page load followed by a conditional that navigates to HomePage if emailVerified is true. Add a Resend button that calls Send Email Verification and updates a Page State resendCooldown variable.
Frequently asked questions
How long does the Firebase verification email link stay valid?
Firebase verification email links expire after 24 hours by default. If a user clicks an expired link, they see a 'The link has expired' error in their browser. They will need to request a new verification email from your app. You can customize this expiration period in Firebase Console > Authentication > Templates > Email address verification.
Can I customize the verification email that Firebase sends?
Yes. Go to Firebase Console > Authentication > Templates > Email address verification. You can customize the subject, sender name, and email body text. You can also set a custom action URL that redirects through your own domain after verification. Full HTML email template customization requires upgrading to a paid Firebase/Google Cloud plan.
What happens if a user tries to log in before verifying their email?
Firebase Auth allows login regardless of email verification status — the emailVerified check is something you enforce in your app, not at the auth layer. This is why the page-level gate (checking emailVerified on every protected page load) is essential. Without it, unverified users can log in and access your app.
Does email verification work for social login (Google, Apple)?
For Google and Apple social logins, emailVerified is typically already true since these providers verify emails themselves. The verification flow described in this guide only applies to email/password accounts. You can skip sending a verification email for social login users by checking the sign-in provider before triggering the Send Email Verification action.
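The provider check described in the answer above, as an added example that is not part of the original guide: a Custom Action that sends the verification email only to accounts with an email/password credential, while still reporting unverified accounts from any provider so the page-level gate applies to them. The function names and return strings are hypothetical; 'password' is the provider ID Firebase Auth assigns to email/password credentials.

```dart
// Added example, not from the original guide. Function names and return
// strings are hypothetical; wire the result into a FlutterFlow Conditional.
import 'package:firebase_auth/firebase_auth.dart';

/// True when an email/password credential is linked to the account.
/// 'password' is the provider ID Firebase Auth uses for that sign-in method.
bool usesPasswordProvider(User user) =>
    user.providerData.any((info) => info.providerId == 'password');

/// Call right after Create Account or sign-in, for any provider.
/// Returns 'verified' | 'sent' | 'unverified' | 'rate_limited' | 'error'.
Future<String> sendVerificationIfNeeded() async {
  final current = FirebaseAuth.instance.currentUser;
  if (current == null) return 'error';
  try {
    // Reload first so emailVerified reflects the server, not the cached user.
    await current.reload();
    final user = FirebaseAuth.instance.currentUser;
    if (user == null) return 'error';

    // Decide on emailVerified itself, never on the provider alone: a social
    // login is only "typically" verified, so the flag stays the source of truth.
    if (user.emailVerified) return 'verified';

    // Unverified account without a password credential: skip the email,
    // but report 'unverified' so the caller still routes to the prompt page.
    if (!usesPasswordProvider(user)) return 'unverified';

    await user.sendEmailVerification();
    return 'sent';
  } on FirebaseAuthException catch (e) {
    // 'too-many-requests' is the rate-limit code noted in the resend action.
    return e.code == 'too-many-requests' ? 'rate_limited' : 'error';
  } catch (_) {
    return 'error';
  }
}
```

Navigate to the home page only on 'verified'; every other result should land on EmailVerificationPage so the gate is never skipped because of the sign-in provider.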
Can I verify phone numbers instead of email addresses?
Yes. Firebase Auth supports phone number verification as a separate authentication method using SMS OTP codes. FlutterFlow has a Phone Number Sign In flow built in. However, SMS verification has per-message costs and carrier reliability issues that email verification does not have — only use phone verification if your use case specifically requires it.
My users say they are not receiving the verification email. What should I check?
First, ask them to check their spam folder — Firebase emails frequently land in spam for new apps. Second, verify the email address they signed up with is spelled correctly. Third, check Firebase Console > Authentication > Users to confirm the account exists with that email. Fourth, check Firebase Console > Authentication > Usage for any email sending errors or quota issues. Finally, if you are on the Spark (free) Firebase plan, verify you have not hit the 100 emails/day limit.