After registering, users receive a 6-digit verification code by email. These two endpoints handle the verification lifecycle: submitting the code to activate the account, and requesting a fresh code if the original expired or was not received. The verify endpoint enforces a 3-attempt limit with a 15-minute lockout after three consecutive failures to protect against brute-force guessing.

POST /api/users/verify-code/

Submit the 6-digit code received by email to activate the account. On success the account’s is_verified flag is set to True and all verification fields are cleared.

Authentication

None required. This endpoint is publicly accessible.

Request Body

email (string, required): The email address of the account to verify. Must match an existing, unverified user record.
code (string, required): The 6-digit numeric code that was emailed at registration (or after a resend). Example: "847203".

Rate Limiting

The endpoint tracks failed verification attempts per user:
  • A wrong code increments verification_attempts and records last_failed_attempt_at.
  • After 3 failed attempts, the account is locked for 15 minutes from the timestamp of the last failure.
  • During the lockout window every request returns 429 with the number of minutes remaining.
  • Once the 15-minute window passes, the attempt counter is automatically reset to 0 on the next request.

Code Expiry

The code expires 24 hours after it was issued. Submitting an expired code returns 400. A new code can be requested via POST /api/users/resend-verification/.
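
The attempt-limit and expiry rules above, modelled as a single decision function over a user record with a simulated clock. This is an added example, not the project's own code. The order of the checks, the constant-time comparison and the status returned by the third failure itself are assumptions; the field names come from this page.

```python
import hmac
import math
from datetime import datetime, timedelta, timezone

MAX_ATTEMPTS = 3
LOCKOUT = timedelta(minutes=15)

def verify_code(user, code, now):
    """Return (http_status, detail) for one verify-code request; mutates user."""
    if user["is_verified"]:
        return 200, "already verified"
    last = user["last_failed_attempt_at"]
    if user["verification_attempts"] >= MAX_ATTEMPTS and last is not None:
        remaining = LOCKOUT - (now - last)
        if remaining > timedelta(0):
            return 429, math.ceil(remaining.total_seconds() / 60)  # minutes left
        # Window has passed: the counter resets on this request.
        user["verification_attempts"] = 0
        user["last_failed_attempt_at"] = None
    # Assumption: expiry is checked after the lockout and before the comparison.
    if now > user["verification_token_expires"]:
        return 400, "expired"
    # Assumption: constant-time comparison, so timing does not leak matching digits.
    if hmac.compare_digest(code.encode(), user["verification_token"].encode()):
        user.update(is_verified=True, verification_token=None,
                    verification_token_expires=None,
                    verification_attempts=0, last_failed_attempt_at=None)
        return 200, "verified"
    user["verification_attempts"] += 1
    user["last_failed_attempt_at"] = now
    left = MAX_ATTEMPTS - user["verification_attempts"]
    # Assumption: the third failure itself already answers 429.
    return (429, 15) if left == 0 else (400, left)

def demo():
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    user = {"is_verified": False, "verification_token": "847203",
            "verification_token_expires": t0 + timedelta(hours=24),
            "verification_attempts": 0, "last_failed_attempt_at": None}
    # Three wrong guesses, 10 seconds apart.
    out = [verify_code(user, "000000", t0 + timedelta(seconds=s))
           for s in (0, 10, 20)]
    # The correct code is still refused while the lockout is active.
    out.append(verify_code(user, "847203", t0 + timedelta(minutes=5)))
    # After the 15-minute window the counter resets and the code is accepted.
    out.append(verify_code(user, "847203", t0 + timedelta(minutes=16)))
    return out, user
```
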

Request Example

curl -X POST https://your-domain.com/api/users/verify-code/ \
  -H "Content-Type: application/json" \
  -d '{
    "email": "alex@example.com",
    "code": "847203"
  }'

Response — 200 OK

{
  "message": "Cuenta verificada exitosamente"
}
After a successful verification the following model fields are updated:
| Field | New Value |
| --- | --- |
| is_verified | True |
| verification_token | None |
| verification_token_expires | None |
| verification_attempts | 0 |
| last_failed_attempt_at | None |

Error Responses

| Status | Body | Cause |
| --- | --- | --- |
| 400 | { "error": "El código ha expirado. Solicita uno nuevo." } | The code’s verification_token_expires timestamp is in the past |
| 400 | { "error": "Código incorrecto. Te quedan N intentos." } | Code does not match; N is the number of remaining attempts before lockout |
| 429 | { "error": "Demasiados intentos fallidos. Intenta de nuevo en N minutos o solicita un nuevo código." } | 3 failed attempts recorded; N is minutes remaining in the 15-minute lockout |
| 404 | { "error": "Usuario no encontrado" } | No user record found for the provided email |
| 200 | { "message": "La cuenta ya está verificada" } | The account’s is_verified is already True; no action taken |

If a user is locked out (3 failed attempts), they do not have to wait 15 minutes — they can immediately request a new code via POST /api/users/resend-verification/. Resending a code also resets verification_attempts to 0 and clears last_failed_attempt_at, lifting the lockout.

POST /api/users/resend-verification/

Request a new 6-digit verification code for an unverified account. Use this when the original code has expired, was never received, or if the account is locked out from too many failed attempts.

Authentication

None required. This endpoint is publicly accessible.

Request Body

email (string, required): The email address associated with the unverified account.

Cooldown

To prevent email spam, there is a 2-minute cooldown between resend requests, tracked via last_verification_sent_at. If a request arrives before the cooldown has elapsed, the API returns 429 with the exact number of seconds the caller must wait.

What the Resend Does

When a new code is issued the following fields are updated on the user record:
| Field | New Value |
| --- | --- |
| verification_token | New 6-digit code |
| verification_token_expires | Now + 24 hours (UTC) |
| last_verification_sent_at | Now (UTC) |
| verification_attempts | 0 |
| last_failed_attempt_at | None |

Resetting verification_attempts and last_failed_attempt_at clears any active lockout, allowing the user to immediately attempt verification with the new code.
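
The cooldown and the field reset described above, modelled against an in-memory user table. This is an added example, not the project's own code. The use of `secrets` to generate the code and the short detail strings standing in for the response bodies are assumptions; the field names come from this page.

```python
import math
import secrets
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(minutes=2)
CODE_TTL = timedelta(hours=24)
GENERIC = "generic"  # stands in for the generic 200 body

def resend_code(users, email, now):
    """Return (http_status, detail); users maps email -> record dict."""
    user = users.get(email)
    if user is None:
        return 200, GENERIC  # no 404 here, so the response does not reveal registration
    if user["is_verified"]:
        # As documented, this body differs from GENERIC (and verify-code
        # answers 404 for unknown emails), so those paths remain distinguishable.
        return 200, "already verified"
    sent = user["last_verification_sent_at"]
    if sent is not None and now - sent < COOLDOWN:
        wait = COOLDOWN - (now - sent)
        return 429, math.ceil(wait.total_seconds())  # seconds left
    user.update(
        # Assumption: code drawn from a CSPRNG, zero-padded to 6 digits.
        verification_token=f"{secrets.randbelow(10**6):06d}",
        verification_token_expires=now + CODE_TTL,
        last_verification_sent_at=now,
        verification_attempts=0,       # lifts any active lockout
        last_failed_attempt_at=None)
    return 200, "sent"

def demo():
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    users = {"alex@example.com": {
        "is_verified": False, "verification_token": "847203",
        "verification_token_expires": t0 + CODE_TTL,
        "last_verification_sent_at": t0,
        "verification_attempts": 3,  # constructed: account is locked out
        "last_failed_attempt_at": t0 + timedelta(seconds=20)}}
    early = resend_code(users, "alex@example.com", t0 + timedelta(seconds=30))
    ok = resend_code(users, "alex@example.com", t0 + timedelta(minutes=2))
    unknown = resend_code(users, "nobody@example.com", t0)
    return early, ok, unknown, users["alex@example.com"]
```

Because a resend clears the lockout, the 2-minute cooldown rather than the 15-minute window is the effective bound on guessing: at most 3 attempts per cooldown period, each against a freshly issued code.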

Request Example

curl -X POST https://your-domain.com/api/users/resend-verification/ \
  -H "Content-Type: application/json" \
  -d '{
    "email": "alex@example.com"
  }'

Response — 200 OK

{
  "message": "Nuevo código enviado a tu correo"
}
The new code expires 24 hours from the time of this response.

Error Responses

| Status | Body | Cause |
| --- | --- | --- |
| 429 | { "error": "Debes esperar N segundos antes de solicitar otro código." } | Resend requested within the 2-minute cooldown window; N is the exact seconds remaining |
| 200 | { "message": "La cuenta ya está verificada" } | The account’s is_verified is already True; no new code is sent |
| 200 | { "message": "Si el email está registrado y no verificado, recibirás un nuevo código" } | Email not found in the database; a generic response is returned to prevent user enumeration |

The resend endpoint does not return an error when the email is not found. Instead it returns a generic 200 success message. This is intentional security behavior to prevent exposing whether a given email is registered.
