Token difference when account hasn't been verified

  • I have a question about account verification: is the only difference between an account which is verified and one which is not that the id_token returned for the unverified user will have email_verified set to false in the JWT?

    This is relevant because we might want to disable functionality until the user has been verified.

  • The JWT (id_token or access_token) will contain the email_verified claim with a value of true or false, so if you wish to limit privilege based upon this state, that would be a good way to do it.
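One way to apply the gate the answer describes, as an added example that is not part of the original thread or the product's own code. It assumes an HS256-signed token and a shared key (a real deployment may use RS256 and a JWT library), and the function names, key and sample claims are hypothetical.

```python
# Added example: HS256 and all names here are assumptions, not the product's API.
import base64, hashlib, hmac, json, time

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Mint a constructed demo token so the example runs offline."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verified_claims(token, key, now=None):
    """Return claims only after signature and expiry checks pass."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        head, claims = json.loads(_b64d(head_b64)), json.loads(_b64d(body_b64))
        sig = _b64d(sig_b64)
    except (ValueError, TypeError, AttributeError) as exc:
        raise PermissionError("malformed token") from exc
    if not isinstance(head, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    if head.get("alg") != "HS256":  # pin the algorithm, do not trust the header
        raise PermissionError("unexpected alg")
    want = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, want):
        raise PermissionError("bad signature")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        raise PermissionError("expired or missing exp")
    return claims

def can_use_restricted_feature(token, key, now=None):
    """Fail closed: only a boolean true in a valid token unlocks the feature."""
    try:
        claims = verified_claims(token, key, now)
    except PermissionError:
        return False
    # A missing claim or the string "true" is treated as unverified.
    return claims.get("email_verified") is True
```

The claim is only read after the signature and expiry checks pass, so an unverified user cannot unlock the feature by editing the token payload.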