Email verification
6-digit code sent at signup. 24-hour expiry, one-shot use, on-demand resend.
Email + password signups land in the verify your email step before they can use the dashboard. We send a 6-digit code to the address you signed up with; you paste it on the next screen.
OAuth signups (Google / GitHub) skip this — we trust the provider's verified email.
The code
- 6 digits, numeric only.
- Valid for 24 hours.
- Single-use — once accepted, marked consumed. Re-using the same code returns "already verified".
- New code on every resend invalidates the previous one.
Resending
If you didn't get the code (typo, spam folder, mail-server delay), click Resend code on the verify screen. Throttled to once per minute per email so a misbehaving frontend can't loop.
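The code and resend rules above, modelled as an added example; this is not the service's own code. Assumptions: the class and method names, the in-memory store, keeping only a SHA-256 digest of the code, and counting the one-minute throttle from the last send (signup included).

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 24 * 60 * 60   # codes are valid for 24 hours
RESEND_INTERVAL = 60      # resend is throttled to once per minute per email


class VerificationCodes:
    """In-memory model (assumption); a real service would use its database."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}      # email -> (sha256 digest of code, issued_at)
        self._verified = set()  # emails whose code was accepted

    def issue(self, email):
        """Create a code for signup or resend; return None when throttled."""
        now = self._clock()
        previous = self._pending.get(email)
        if previous and now - previous[1] < RESEND_INTERVAL:
            return None
        # CSPRNG, zero-padded so the code is always 6 numeric digits.
        code = f"{secrets.randbelow(10**6):06d}"
        # Overwriting the entry is what invalidates the previous code.
        self._pending[email] = (hashlib.sha256(code.encode()).digest(), now)
        return code

    def verify(self, email, submitted):
        """Return 'verified', 'already verified', 'expired' or 'invalid'."""
        if email in self._verified:
            return "already verified"   # single-use: the code was consumed
        entry = self._pending.get(email)
        well_formed = (len(submitted) == 6 and submitted.isascii()
                       and submitted.isdigit())
        if entry is None or not well_formed:
            return "invalid"
        digest, issued_at = entry
        if self._clock() - issued_at > CODE_TTL:
            return "expired"
        candidate = hashlib.sha256(submitted.encode()).digest()
        if not hmac.compare_digest(candidate, digest):  # constant-time compare
            return "invalid"
        del self._pending[email]        # mark consumed
        self._verified.add(email)
        return "verified"
```
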
What's blocked until verification
While unverified you can:
- Sign in (the JWT issues normally).
- See the verify screen.
You can't:
- Reach the dashboard (the AppShell redirects to /verify-email).
- Use the API endpoints that require an authenticated user — they return 403 with email_not_verified.
You can still complete the rest of onboarding from the verify screen if you have the code.
Lost access to the email
If you can't read the inbox the verification code went to (typo at signup, lost mailbox), the recovery is:
- Sign out.
- Use the forgot password flow on the correct email — that flow doubles as a verification trigger if the account exists with that address.
If neither address works, get in touch — we'll fix it manually.