PHPackages                             symfonycasts/verify-email-bundle - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. symfonycasts/verify-email-bundle

ActiveSymfony-bundle[Authentication &amp; Authorization](/categories/authentication)

symfonycasts/verify-email-bundle
================================

Simple, stylish Email Verification for Symfony

v1.18.0(7mo ago)4425.1M↓23.9%39[11 issues](https://github.com/SymfonyCasts/verify-email-bundle/issues)[6 PRs](https://github.com/SymfonyCasts/verify-email-bundle/pulls)20MITPHPPHP &gt;=8.1CI passing

Since May 24Pushed 1mo ago10 watchersCompare

[ Source](https://github.com/SymfonyCasts/verify-email-bundle)[ Packagist](https://packagist.org/packages/symfonycasts/verify-email-bundle)[ RSS](/packages/symfonycasts-verify-email-bundle/feed)WikiDiscussions main Synced 2d ago

READMEChangelog (10)Dependencies (9)Versions (30)Used By (20)

VerifyEmailBundle: Love Confirming Emails
=========================================

[](#verifyemailbundle-love-confirming-emails)

[![CI](https://github.com/SymfonyCasts/verify-email-bundle/actions/workflows/ci.yaml/badge.svg)](https://github.com/SymfonyCasts/verify-email-bundle/actions/workflows/ci.yaml)

Don't know if your users have a valid email address? The VerifyEmailBundle can help!

VerifyEmailBundle generates - and validates - a secure, signed URL that can be emailed to users to confirm their email address. It does this without needing any storage, so you can use your existing entities with minor modifications. This bundle provides:

- A generator to create a signed URL that should be emailed to the user.
- A signed URL validator.
- Peace of mind knowing that this is done without leaking the user's email address into your server logs (avoiding PII problems).

Installation
------------

[](#installation)

Using Composer, of course!

```
composer require symfonycasts/verify-email-bundle
```

Usage
-----

[](#usage)

We strongly suggest using Symfony MakerBundle's `make:registration-form` command to get a feel for how the bundle should be used. It's super simple! Answer a couple of questions, and you'll have a fully functional, secure registration system with email verification.

```
bin/console make:registration-form
```

Setting Things Up Manually
--------------------------

[](#setting-things-up-manually)

If you want to set things up manually, you can! But do so carefully: email verification is a sensitive, security process. We'll guide you through the important stuff. Using `make:registration-form` is still the easiest and simplest way.

The example below demonstrates the basic steps to generate a signed URL that is to be emailed to a user after they have registered. The URL is then validated once the user "clicks" the link in their email.

```
// RegistrationController.php
namespace App\Controller;

use App\Entity\User;
use App\Form\RegistrationFormType;
use App\Security\EmailVerifier;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bridge\Twig\Mime\TemplatedEmail;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Mime\Address;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Contracts\Translation\TranslatorInterface;
use SymfonyCasts\Bundle\VerifyEmail\Exception\VerifyEmailExceptionInterface;

class RegistrationController extends AbstractController
{
    public function __construct(private EmailVerifier $emailVerifier)
    {
    }

    #[Route('/register', name: 'app_register')]
    public function register(Request $request, UserPasswordHasherInterface $userPasswordHasher, EntityManagerInterface $entityManager): Response
    {
        $user = new User();
        $form = $this->createForm(RegistrationFormType::class, $user);
        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            // encode the plain password
            $user->setPassword(
                $userPasswordHasher->hashPassword(
                    $user,
                    $form->get('plainPassword')->getData()
                )
            );

            $entityManager->persist($user);
            $entityManager->flush();

            // generate a signed URL and email it to the user
            $this->emailVerifier->sendEmailConfirmation('app_verify_email', $user,
                (new TemplatedEmail())
                    ->from(new Address('mailer@example.com', 'AcmeMailBot'))
                    ->to($user->getEmail())
                    ->subject('Please Confirm your Email')
                    ->htmlTemplate('registration/confirmation_email.html.twig')
            );
            // do anything else you need here

            return $this->redirectToRoute('app_main');
        }

        return $this->render('registration/register.html.twig', [
            'registrationForm' => $form,
        ]);
    }

    #[Route('/verify/email', name: 'app_verify_email')]
    public function verifyUserEmail(Request $request, TranslatorInterface $translator): Response
    {
        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');

        // validate email confirmation link, set User::$isVerified=true, and persist
        try {
            $this->emailVerifier->handleEmailConfirmation($request, $this->getUser());
        } catch (VerifyEmailExceptionInterface $exception) {
            $this->addFlash('verify_email_error', $translator->trans($exception->getReason(), [], 'VerifyEmailBundle'));

            return $this->redirectToRoute('app_register');
        }

        // @TODO Change the redirect on success and handle or remove the flash message in your templates
        $this->addFlash('success', 'Your email address has been verified.');

        return $this->redirectToRoute('app_register');
    }
}
```

This uses an `EmailVerifier` class that you should also add to your app:

```
// src/Security/EmailVerifier.php
namespace App\Security;

use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bridge\Twig\Mime\TemplatedEmail;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Mailer\MailerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use SymfonyCasts\Bundle\VerifyEmail\Exception\VerifyEmailExceptionInterface;
use SymfonyCasts\Bundle\VerifyEmail\VerifyEmailHelperInterface;

class EmailVerifier
{
    public function __construct(
        private VerifyEmailHelperInterface $verifyEmailHelper,
        private MailerInterface $mailer,
        private EntityManagerInterface $entityManager
    ) {
    }

    public function sendEmailConfirmation(string $verifyEmailRouteName, UserInterface $user, TemplatedEmail $email): void
    {
        $signatureComponents = $this->verifyEmailHelper->generateSignature(
            $verifyEmailRouteName,
            $user->getId(),
            $user->getEmail()
        );

        $context = $email->getContext();
        $context['signedUrl'] = $signatureComponents->getSignedUrl();
        $context['expiresAtMessageKey'] = $signatureComponents->getExpirationMessageKey();
        $context['expiresAtMessageData'] = $signatureComponents->getExpirationMessageData();

        $email->context($context);

        $this->mailer->send($email);
    }

    /**
     * @throws VerifyEmailExceptionInterface
     */
    public function handleEmailConfirmation(Request $request, UserInterface $user): void
    {
        $this->verifyEmailHelper->validateEmailConfirmationFromRequest($request, $user->getId(), $user->getEmail());

        $user->setIsVerified(true);

        $this->entityManager->persist($user);
        $this->entityManager->flush();
    }
}
```

Anonymous Validation
--------------------

[](#anonymous-validation)

It is also possible to allow users to verify their email address without having to be authenticated. A use case for this would be if a user registers on their laptop, but clicks the verification link on their phone. Normally, the user would be required to log in before their email was verified.

We can overcome this by passing a user identifier as a query parameter in the signed URL. The diff below demonstrates how this is done based on the previous examples:

```
// src/Security/EmailVerifier.php

class EmailVerifier
{
    // ...

    public function sendEmailConfirmation(string $verifyEmailRouteName, UserInterface $user, TemplatedEmail $email): void
    {
        $user = new User();

        // handle the user registration form and persist the new user...

        $signatureComponents = $this->verifyEmailHelper->generateSignature(
                $verifyEmailRouteName,
                $user->getId(),
                $user->getEmail(),
+               ['id' => $user->getId()] // add the user's id as an extra query param
            );
    }
}
```

Once the user has received their email and clicked on the link, the RegistrationController would then validate the signed URL in the following method:

```
// RegistrationController.php

+use App\Repository\UserRepository;

class RegistrationController extends AbstractController
{
-   public function verifyUserEmail(Request $request): Response
+   public function verifyUserEmail(Request $request, UserRepository $userRepository): Response
    {
-       $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
-       $user = $this->getUser();

+       $id = $request->query->get('id'); // retrieve the user id from the URL
+
+       // Verify the user ID exists and is not null
+       if (null === $id) {
+           return $this->redirectToRoute('app_home');
+       }
+
+       $user = $userRepository->find($id);
+
+       // Ensure the user exists in persistence
+       if (null === $user) {
+           return $this->redirectToRoute('app_home');
+       }

        try {
            $this->verifyEmailHelper->validateEmailConfirmationFromRequest($request, $user->getId(), $user->getEmail());
        } catch (VerifyEmailExceptionInterface $e) {
        // ...
    }
}
```

Configuration
-------------

[](#configuration)

You can change the default configuration parameters for the bundle by creating a `config/packages/verify_email.yaml` config file:

```
symfonycasts_verify_email:
    lifetime: 3600
```

#### `lifetime`

[](#lifetime)

*Optional* - Defaults to `3600` seconds

This is the length of time a signed URL is valid for in seconds after it has been created.

Reserved Query Parameters
-------------------------

[](#reserved-query-parameters)

If you add any extra query parameters in the 5th argument of `verifyEmailHelper::generateSignature()`, such as we did for `id` above, take note that you cannot use the following query parameters, because they will be overwritten by this bundle:

- `token`
- `expires`
- `signature`

Support
-------

[](#support)

Feel free to open an issue for questions, problems, or suggestions with our bundle. Issues pertaining to Symfony's MakerBundle, specifically `make:registration-form`, should be addressed in the [Symfony Maker repository](https://github.com/symfony/maker-bundle).

Security Policy
---------------

[](#security-policy)

If you discover a security vulnerability, please do not open a public issue or pull request. Instead, please review this repository's [Security Policy](https://github.com/SymfonyCasts/verify-email-bundle/security) for instructions on how to report it responsibly.

###  Health Score

68

—

FairBetter than 99% of packages

Maintenance80

Actively maintained with recent releases

Popularity64

Solid adoption and visibility

Community42

Growing community involvement

Maturity75

Established project with proven stability

 Bus Factor1

Top contributor holds 67.4% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~77 days

Recently: every ~101 days

Total

27

Last Release

216d ago

Major Versions

v1.17.0 → 2.x-dev2024-08-31

PHP version history (4 changes)v1.0.0PHP ^7.2.5

v1.1.0PHP &gt;=7.2.5

v1.16.0PHP &gt;=8.1

2.x-devPHP &gt;=8.3

### Community

Maintainers

![](https://www.gravatar.com/avatar/8aa57faf031af6d7f14a231d38adf1aed19844770fb5de2f82dc61aa65b45111?d=identicon)[weaverryan](/maintainers/weaverryan)

---

Top Contributors

[![jrushlow](https://avatars.githubusercontent.com/u/40327885?v=4)](https://github.com/jrushlow "jrushlow (256 commits)")[![weaverryan](https://avatars.githubusercontent.com/u/121003?v=4)](https://github.com/weaverryan "weaverryan (61 commits)")[![bocharsky-bw](https://avatars.githubusercontent.com/u/3317635?v=4)](https://github.com/bocharsky-bw "bocharsky-bw (21 commits)")[![kbond](https://avatars.githubusercontent.com/u/127811?v=4)](https://github.com/kbond "kbond (5 commits)")[![t5810m](https://avatars.githubusercontent.com/u/34162365?v=4)](https://github.com/t5810m "t5810m (5 commits)")[![nabbisen](https://avatars.githubusercontent.com/u/19984221?v=4)](https://github.com/nabbisen "nabbisen (3 commits)")[![Copilot](https://avatars.githubusercontent.com/in/1143301?v=4)](https://github.com/Copilot "Copilot (3 commits)")[![evertharmeling](https://avatars.githubusercontent.com/u/308513?v=4)](https://github.com/evertharmeling "evertharmeling (2 commits)")[![ker0x](https://avatars.githubusercontent.com/u/5331654?v=4)](https://github.com/ker0x "ker0x (2 commits)")[![kasperh90](https://avatars.githubusercontent.com/u/36596298?v=4)](https://github.com/kasperh90 "kasperh90 (1 commits)")[![laurentmuller](https://avatars.githubusercontent.com/u/4330059?v=4)](https://github.com/laurentmuller "laurentmuller (1 commits)")[![MolloKhan](https://avatars.githubusercontent.com/u/3451985?v=4)](https://github.com/MolloKhan "MolloKhan (1 commits)")[![N-M](https://avatars.githubusercontent.com/u/781417?v=4)](https://github.com/N-M "N-M (1 commits)")[![OskarStark](https://avatars.githubusercontent.com/u/995707?v=4)](https://github.com/OskarStark "OskarStark (1 commits)")[![PauchardThomas](https://avatars.githubusercontent.com/u/9884985?v=4)](https://github.com/PauchardThomas "PauchardThomas (1 commits)")[![priyadi](https://avatars.githubusercontent.com/u/1102197?v=4)](https://github.com/priyadi "priyadi (1 commits)")[![redecs](https://avatars.githubusercontent.com/u/153277?v=4)](https://github.com/redecs "redecs (1 commits)")[![RobQuistNL](https://avatars.githubusercontent.com/u/1442796?v=4)](https://github.com/RobQuistNL "RobQuistNL (1 commits)")[![routmoute](https://avatars.githubusercontent.com/u/36932590?v=4)](https://github.com/routmoute "routmoute (1 commits)")[![tacman](https://avatars.githubusercontent.com/u/619585?v=4)](https://github.com/tacman "tacman (1 commits)")

---

Tags

confirm-emailemail-confirmationemail-verificationsymfonysymfony-bundleverify-email

### Embed Badge

![Health badge](/badges/symfonycasts-verify-email-bundle/health.svg)

```
[![Health](https://phpackages.com/badges/symfonycasts-verify-email-bundle/health.svg)](https://phpackages.com/packages/symfonycasts-verify-email-bundle)
```

###  Alternatives

[symfony/framework-bundle

Provides a tight integration between Symfony components and the Symfony full-stack framework

3.6k251.7M11.6k](/packages/symfony-framework-bundle)[easycorp/easyadmin-bundle

Admin generator for Symfony applications

4.3k17.9M388](/packages/easycorp-easyadmin-bundle)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
