obsidian/wiki/payloadcms/authentication-email.md
2026-05-15 15:13:56 +01:00

title: Authentication — Email Verification & Password Reset
aliases: payload-auth-email, payload-email-verification, payload-forgot-password
tags: payloadcms, authentication, email, verification, password-reset
sources: raw/authentication__email.md
created: 2026-05-15
updated: 2026-05-15

Overview

Payload auth integrates with Payload's email feature (see wiki/payloadcms/features) to send verification and password-reset emails. Both flows are fully customizable via generateEmailHTML / generateEmailSubject functions in the collection's auth config (see also wiki/payloadcms/authentication-custom-strategies).


Email Verification

Prevents spam accounts by requiring users to prove email ownership before the account activates.

Enable:

export const Customers: CollectionConfig = {
  auth: {
    verify: true,
  },
}

Custom HTML template:

auth: {
  verify: {
    generateEmailHTML: ({ req, token, user }) => {
      const url = `https://yourfrontend.com/verify?token=${token}`
      return `Hey ${user.email}, verify your email: <a href="${url}">${url}</a>`
    },
  },
}

Custom subject:

auth: {
  verify: {
    generateEmailSubject: ({ req, user }) => `Verify your account, ${user.email}`,
  },
}

verify options

| Option | Description |
| --- | --- |
| generateEmailHTML | Override verification email body; receives { req, token, user }, return HTML string |
| generateEmailSubject | Override verification email subject; receives { req, user }, return plain string |
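
An added example (not from the original page and not Payload's own code): the two verify overrides with `user.email` and `token` encoded for where they land, HTML-escaped in the body and percent-encoded in the link. `escapeHTML`, `buildVerifyURL` and `FRONTEND_ORIGIN` are hypothetical names, and the argument type is a minimal stand-in that omits `req`.

```typescript
// Added example, not Payload's own code. Minimal stand-in for the
// { req, token, user } argument described on this page (req omitted).
type VerifyEmailArgs = { token: string; user: { email: string } }

// Assumption: the frontend origin is a fixed, server-side constant.
const FRONTEND_ORIGIN = 'https://yourfrontend.com'

// Escape the characters that are significant in HTML text and in
// quoted attribute values.
function escapeHTML(value: string): string {
  const map: Record<string, string> = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }
  return value.replace(/[&<>"']/g, (ch) => map[ch] ?? ch)
}

// Percent-encode the token so it stays a single query value and cannot
// add parameters or break out of the href attribute.
function buildVerifyURL(token: string): string {
  return `${FRONTEND_ORIGIN}/verify?token=${encodeURIComponent(token)}`
}

// Same output shape as the page's template, with every interpolated
// value escaped for the HTML context.
function generateEmailHTML({ token, user }: VerifyEmailArgs): string {
  const url = escapeHTML(buildVerifyURL(token))
  return `Hey ${escapeHTML(user.email)}, verify your email: <a href="${url}">${url}</a>`
}

// The subject is plain text, not HTML: collapse CR/LF instead of
// HTML-escaping, so the value stays on one header line.
function generateEmailSubject({ user }: { user: { email: string } }): string {
  return `Verify your account, ${user.email.replace(/[\r\n]+/g, ' ')}`
}
```

The same two functions drop into `auth.verify` in place of the inline versions; the reset-password template can reuse `escapeHTML` unchanged.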

Important: If the email sends users to a custom frontend URL, that frontend must read the token query param and call the Payload REST/GraphQL verify endpoint with it.


Forgot Password

Customize the password-reset workflow via auth.forgotPassword.

export const Customers: CollectionConfig = {
  auth: {
    forgotPassword: {
      expiration: 3600000, // 1 hour in ms
      generateEmailHTML: ({ req, token, user }) => {
        const url = `https://yourfrontend.com/reset-password?token=${token}`
        return `<a href="${url}">Reset your password</a>`
      },
      generateEmailSubject: ({ req, user }) => `Reset your password, ${user.email}`,
    },
  },
}

forgotPassword options

| Option | Description |
| --- | --- |
| expiration | How long reset tokens stay valid (milliseconds) |
| generateEmailHTML | Override reset email body; receives { req, token, user } |
| generateEmailSubject | Override reset email subject; receives { req, user } |

Tip: Payload ships a built-in reset page at ${serverURL}/admin/reset/${token}. Use it if you don't need a custom frontend — no generateEmailHTML needed.


Key Takeaways

  • Enable email verification with auth: { verify: true } on a collection — reduces spam accounts
  • Both verify and forgotPassword accept generateEmailHTML / generateEmailSubject overrides
  • Functions receive { req, token, user } — use token to build your custom frontend URL
  • Custom frontend redirect = you must call the Payload verify/reset-password endpoint yourself
  • No HTML templating engine is bundled — bring your own (mjml, react-email, etc.)
  • Built-in reset page: ${serverURL}/admin/reset/${token} — usable without any customization
  • forgotPassword.expiration controls token TTL (milliseconds)

