I’m trying to understand how to verify the ‘email_change_token’ that is generated by a GoTrue / Identity instance when a user’s email address is updated.
A couple of considerations –
- I’m not using the Identity Widget and have a custom auth flow that is processing auth events manually.
- I’m also not able to use the GoTrue-JS library and am creating similarly structured methods in serverless functions that hit the same GoTrue endpoints.
I see the email_change_token is passed back as URL fragment, similar to how confirmation_tokens and recovery_tokens are returned. For the latter two, I’m able to process these via the /verify endpoint.
Looking through the code of the GoTrue and GoTrue-JS repos, I can’t deduce what means or method is used to verify the email_change_token to complete the process of updating an email address.
Could you, or anyone else, help shed light on this?