Add Email Verification for non-Microsoft/Google Emails (#9288)

Closes twentyhq/twenty#8240 This PR introduces email verification for non-Microsoft/Google Emails: ## Email Verification SignInUp Flow: https://github.com/user-attachments/assets/740e9714-5413-4fd8-b02e-ace728ea47ef The email verification link is sent as part of the `SignInUpStep.EmailVerification`. The email verification token validation is handled on a separate page (`AppPath.VerifyEmail`). A verification email resend can be triggered from both pages. ## Email Verification Flow Screenshots (In Order): ![image](https://github.com/user-attachments/assets/d52237dc-fcc6-4754-a40f-b7d6294eebad) ![image](https://github.com/user-attachments/assets/263a4b6b-db49-406b-9e43-6c0f90488bb8) ![image](https://github.com/user-attachments/assets/0343ae51-32ef-48b8-8167-a96deb7db99e) ## Sent Email Details (Subject & Template): ![Screenshot 2025-01-05 at 11 56 56 PM](https://github.com/user-attachments/assets/475840d1-7d47-4792-b8c6-5c9ef5e02229) ![image](https://github.com/user-attachments/assets/a41b3b36-a36f-4a8e-b1f9-beeec7fe23e4) ### Successful Email Verification Redirect: ![image](https://github.com/user-attachments/assets/e2fad9e2-f4b1-485e-8f4a-32163c2718e7) ### Unsuccessful Email Verification (invalid token, invalid email, token expired, user does not exist, etc.): ![image](https://github.com/user-attachments/assets/92f4b65e-2971-4f26-a9fa-7aafadd2b305) ### Force Sign In When Email Not Verified: ![image](https://github.com/user-attachments/assets/86d0f188-cded-49a6-bde9-9630fd18d71e) # TODOs: ## Sign Up Process - [x] Introduce server-level environment variable IS_EMAIL_VERIFICATION_REQUIRED (defaults to false) - [x] Ensure users joining an existing workspace through an invite are not required to validate their email - [x] Generate an email verification token - [x] Store the token in appToken - [x] Send email containing the verification link - [x] Create new email template for email verification - [x] Create a frontend page to handle verification requests ## Sign In Process - [x] After verifying user credentials, check if user's email is verified and prompt to to verify - [x] Show an option to resend the verification email ## Database - [x] Rename the `emailVerified` colum on `user` to to `isEmailVerified` for consistency ## During Deployment - [x] Run a script/sql query to set `isEmailVerified` to `true` for all users with a Google/Microsoft email and all users that show an indication of a valid subscription (e.g. linked credit card) - I have created a draft migration file below that shows one possible approach to implementing this change: ```typescript import { MigrationInterface, QueryRunner } from 'typeorm'; export class UpdateEmailVerifiedForActiveUsers1733318043628 implements MigrationInterface { name = 'UpdateEmailVerifiedForActiveUsers1733318043628'; public async up(queryRunner: QueryRunner): Promise<void> { await queryRunner.query(` CREATE TABLE core."user_email_verified_backup" AS SELECT id, email, "isEmailVerified" FROM core."user" WHERE "deletedAt" IS NULL; `); await queryRunner.query(` -- Update isEmailVerified for users who have been part of workspaces with active subscriptions UPDATE core."user" u SET "isEmailVerified" = true WHERE EXISTS ( -- Check if user has been part of a workspace through userWorkspace table SELECT 1 FROM core."userWorkspace" uw JOIN core."workspace" w ON uw."workspaceId" = w.id WHERE uw."userId" = u.id -- Check for valid subscription indicators AND ( w."activationStatus" = 'ACTIVE' -- Add any other subscription-related conditions here ) ) AND u."deletedAt" IS NULL; `); } public async down(queryRunner: QueryRunner): Promise<void> { await queryRunner.query(` UPDATE core."user" u SET "isEmailVerified" = b."isEmailVerified" FROM core."user_email_verified_backup" b WHERE u.id = b.id; `); await queryRunner.query(`DROP TABLE core."user_email_verified_backup";`); } } ``` --------- Co-authored-by: Antoine Moreaux <moreaux.antoine@gmail.com> Co-authored-by: Félix Malfait <felix@twenty.com>
2025-01-15 12:43:40 -05:00
parent 266b771a5b
commit f722a2d619
61 changed files with 1460 additions and 171 deletions
--- a/packages/twenty-emails/src/components/Footer.tsx
+++ b/packages/twenty-emails/src/components/Footer.tsx
@ -0,0 +1,55 @@
+import { Column, Row } from '@react-email/components';
+import { Link } from 'src/components/Link';
+import { ShadowText } from 'src/components/ShadowText';
+
+export const Footer = () => {
+  return (
+    <>
+      <Row>
+        <Column>
+          <ShadowText>
+            <Link
+              href="https://twenty.com/"
+              value="Website"
+              aria-label="Visit Twenty's website"
+            />
+          </ShadowText>
+        </Column>
+        <Column>
+          <ShadowText>
+            <Link
+              href="https://github.com/twentyhq/twenty"
+              value="Github"
+              aria-label="Visit Twenty's GitHub repository"
+            />
+          </ShadowText>
+        </Column>
+        <Column>
+          <ShadowText>
+            <Link
+              href="https://twenty.com/user-guide"
+              value="User guide"
+              aria-label="Read Twenty's user guide"
+            />
+          </ShadowText>
+        </Column>
+        <Column>
+          <ShadowText>
+            <Link
+              href="https://docs.twenty.com/"
+              value="Developers"
+              aria-label="Visit Twenty's developer documentation"
+            />
+          </ShadowText>
+        </Column>
+      </Row>
+      <ShadowText>
+        Twenty.com Public Benefit Corporation
+        <br />
+        2261 Market Street #5275
+        <br />
+        San Francisco, CA 94114
+      </ShadowText>
+    </>
+  );
+};
--- a/packages/twenty-emails/src/components/WhatIsTwenty.tsx
+++ b/packages/twenty-emails/src/components/WhatIsTwenty.tsx
@ -1,8 +1,7 @@
-import { Column, Row } from '@react-email/components';
-import { Link } from 'src/components/Link';
+import { Footer } from 'src/components/Footer';
 import { MainText } from 'src/components/MainText';
-import { ShadowText } from 'src/components/ShadowText';
 import { SubTitle } from 'src/components/SubTitle';
+
 export const WhatIsTwenty = () => {
  return (
    <>
@ -11,35 +10,7 @@ export const WhatIsTwenty = () => {
        It's a CRM, a software to help businesses manage their customer data and
        relationships efficiently.
      </MainText>
-      <Row>
-        <Column>
-          <ShadowText>
-            <Link href="https://twenty.com/" value="Website" />
-          </ShadowText>
-        </Column>
-        <Column>
-          <ShadowText>
-            <Link href="https://github.com/twentyhq/twenty" value="Github" />
-          </ShadowText>
-        </Column>
-        <Column>
-          <ShadowText>
-            <Link href="https://twenty.com/user-guide" value="User guide" />
-          </ShadowText>
-        </Column>
-        <Column>
-          <ShadowText>
-            <Link href="https://docs.twenty.com/" value="Developers" />
-          </ShadowText>
-        </Column>
-      </Row>
-      <ShadowText>
-        Twenty.com Public Benefit Corporation
-        <br />
-        2261 Market Street #5275
-        <br />
-        San Francisco, CA 94114
-      </ShadowText>
+      <Footer />
    </>
  );
 };
--- a/packages/twenty-emails/src/emails/send-email-verification-link.email.tsx
+++ b/packages/twenty-emails/src/emails/send-email-verification-link.email.tsx
@ -0,0 +1,28 @@
+import { BaseEmail } from 'src/components/BaseEmail';
+import { CallToAction } from 'src/components/CallToAction';
+import { Footer } from 'src/components/Footer';
+import { MainText } from 'src/components/MainText';
+import { Title } from 'src/components/Title';
+
+type SendEmailVerificationLinkEmailProps = {
+  link: string;
+};
+
+export const SendEmailVerificationLinkEmail = ({
+  link,
+}: SendEmailVerificationLinkEmailProps) => {
+  return (
+    <BaseEmail width={333}>
+      <Title value="Confirm your email address" />
+      <CallToAction href={link} value="Verify Email" />
+      <br />
+      <br />
+      <MainText>
+        Thanks for registering for an account on Twenty! Before we get started,
+        we just need to confirm that this is you. Click above to verify your
+        email address.
+      </MainText>
+      <Footer />
+    </BaseEmail>
+  );
+};
--- a/packages/twenty-emails/src/index.ts
+++ b/packages/twenty-emails/src/index.ts
@ -2,4 +2,5 @@ export * from './emails/clean-inactive-workspaces.email';
 export * from './emails/delete-inactive-workspaces.email';
 export * from './emails/password-reset-link.email';
 export * from './emails/password-update-notify.email';
+export * from './emails/send-email-verification-link.email';
 export * from './emails/send-invite-link.email';
--- a/packages/twenty-front/src/generated-metadata/graphql.ts
+++ b/packages/twenty-front/src/generated-metadata/graphql.ts
@ -183,6 +183,7 @@ export type ClientConfig = {
  debugMode: Scalars['Boolean']['output'];
  defaultSubdomain?: Maybe<Scalars['String']['output']>;
  frontDomain: Scalars['String']['output'];
+  isEmailVerificationRequired: Scalars['Boolean']['output'];
  isMultiWorkspaceEnabled: Scalars['Boolean']['output'];
  isSSOEnabled: Scalars['Boolean']['output'];
  sentry: Sentry;
@ -404,7 +405,6 @@ export enum FeatureFlagKey {
  IsSsoEnabled = 'IsSSOEnabled',
  IsStripeIntegrationEnabled = 'IsStripeIntegrationEnabled',
  IsUniqueIndexesEnabled = 'IsUniqueIndexesEnabled',
-  IsViewGroupsEnabled = 'IsViewGroupsEnabled',
  IsWorkflowEnabled = 'IsWorkflowEnabled'
 }

@ -612,9 +612,11 @@ export type Mutation = {
  generateApiKeyToken: ApiKeyToken;
  generateTransientToken: TransientToken;
  getAuthorizationUrl: GetAuthorizationUrlOutput;
+  getLoginTokenFromEmailVerificationToken: LoginToken;
  impersonate: ImpersonateOutput;
  publishServerlessFunction: ServerlessFunction;
  renewToken: AuthTokens;
+  resendEmailVerificationToken: ResendEmailVerificationTokenOutput;
  resendWorkspaceInvitation: SendInvitationsOutput;
  runWorkflowVersion: WorkflowRun;
  sendInvitations: SendInvitationsOutput;
@ -811,6 +813,12 @@ export type MutationGetAuthorizationUrlArgs = {
 };


+export type MutationGetLoginTokenFromEmailVerificationTokenArgs = {
+  captchaToken?: InputMaybe<Scalars['String']['input']>;
+  emailVerificationToken: Scalars['String']['input'];
+};
+
+
 export type MutationImpersonateArgs = {
  userId: Scalars['String']['input'];
  workspaceId: Scalars['String']['input'];
@ -827,6 +835,11 @@ export type MutationRenewTokenArgs = {
 };


+export type MutationResendEmailVerificationTokenArgs = {
+  email: Scalars['String']['input'];
+};
+
+
 export type MutationResendWorkspaceInvitationArgs = {
  appTokenId: Scalars['String']['input'];
 };
@ -1289,6 +1302,11 @@ export enum RemoteTableStatus {
  Synced = 'SYNCED'
 }

+export type ResendEmailVerificationTokenOutput = {
+  __typename?: 'ResendEmailVerificationTokenOutput';
+  success: Scalars['Boolean']['output'];
+};
+
 export type RunWorkflowVersionInput = {
  /** Execution result in JSON format */
  payload?: InputMaybe<Scalars['JSON']['input']>;
@ -1631,9 +1649,9 @@ export type User = {
  deletedAt?: Maybe<Scalars['DateTime']['output']>;
  disabled?: Maybe<Scalars['Boolean']['output']>;
  email: Scalars['String']['output'];
-  emailVerified: Scalars['Boolean']['output'];
  firstName: Scalars['String']['output'];
  id: Scalars['UUID']['output'];
+  isEmailVerified: Scalars['Boolean']['output'];
  lastName: Scalars['String']['output'];
  onboardingStatus?: Maybe<OnboardingStatus>;
  passwordHash?: Maybe<Scalars['String']['output']>;
@ -1657,6 +1675,7 @@ export type UserExists = {
  __typename?: 'UserExists';
  availableWorkspaces: Array<AvailableWorkspaceOutput>;
  exists: Scalars['Boolean']['output'];
+  isEmailVerified: Scalars['Boolean']['output'];
 };

 export type UserExistsOutput = UserExists | UserNotExists;
--- a/packages/twenty-front/src/generated/graphql.tsx
+++ b/packages/twenty-front/src/generated/graphql.tsx
@ -177,6 +177,7 @@ export type ClientConfig = {
  debugMode: Scalars['Boolean'];
  defaultSubdomain?: Maybe<Scalars['String']>;
  frontDomain: Scalars['String'];
+  isEmailVerificationRequired: Scalars['Boolean'];
  isMultiWorkspaceEnabled: Scalars['Boolean'];
  sentry: Sentry;
  signInPrefilled: Scalars['Boolean'];
@ -515,9 +516,11 @@ export type Mutation = {
  generateApiKeyToken: ApiKeyToken;
  generateTransientToken: TransientToken;
  getAuthorizationUrl: GetAuthorizationUrlOutput;
+  getLoginTokenFromEmailVerificationToken: LoginToken;
  impersonate: ImpersonateOutput;
  publishServerlessFunction: ServerlessFunction;
  renewToken: AuthTokens;
+  resendEmailVerificationToken: ResendEmailVerificationTokenOutput;
  resendWorkspaceInvitation: SendInvitationsOutput;
  runWorkflowVersion: WorkflowRun;
  sendInvitations: SendInvitationsOutput;
@ -680,6 +683,12 @@ export type MutationGetAuthorizationUrlArgs = {
 };


+export type MutationGetLoginTokenFromEmailVerificationTokenArgs = {
+  captchaToken?: InputMaybe<Scalars['String']>;
+  emailVerificationToken: Scalars['String'];
+};
+
+
 export type MutationImpersonateArgs = {
  userId: Scalars['String'];
  workspaceId: Scalars['String'];
@ -696,6 +705,11 @@ export type MutationRenewTokenArgs = {
 };


+export type MutationResendEmailVerificationTokenArgs = {
+  email: Scalars['String'];
+};
+
+
 export type MutationResendWorkspaceInvitationArgs = {
  appTokenId: Scalars['String'];
 };
@ -1062,6 +1076,11 @@ export enum RemoteTableStatus {
  Synced = 'SYNCED'
 }

+export type ResendEmailVerificationTokenOutput = {
+  __typename?: 'ResendEmailVerificationTokenOutput';
+  success: Scalars['Boolean'];
+};
+
 export type RunWorkflowVersionInput = {
  /** Execution result in JSON format */
  payload?: InputMaybe<Scalars['JSON']>;
@ -1396,9 +1415,9 @@ export type User = {
  deletedAt?: Maybe<Scalars['DateTime']>;
  disabled?: Maybe<Scalars['Boolean']>;
  email: Scalars['String'];
-  emailVerified: Scalars['Boolean'];
  firstName: Scalars['String'];
  id: Scalars['UUID'];
+  isEmailVerified: Scalars['Boolean'];
  lastName: Scalars['String'];
  onboardingStatus?: Maybe<OnboardingStatus>;
  passwordHash?: Maybe<Scalars['String']>;
@ -1422,6 +1441,7 @@ export type UserExists = {
  __typename?: 'UserExists';
  availableWorkspaces: Array<AvailableWorkspaceOutput>;
  exists: Scalars['Boolean'];
+  isEmailVerified: Scalars['Boolean'];
 };

 export type UserExistsOutput = UserExists | UserNotExists;
@ -1957,6 +1977,14 @@ export type GetAuthorizationUrlMutationVariables = Exact<{

 export type GetAuthorizationUrlMutation = { __typename?: 'Mutation', getAuthorizationUrl: { __typename?: 'GetAuthorizationUrlOutput', id: string, type: string, authorizationURL: string } };

+export type GetLoginTokenFromEmailVerificationTokenMutationVariables = Exact<{
+  emailVerificationToken: Scalars['String'];
+  captchaToken?: InputMaybe<Scalars['String']>;
+}>;
+
+
+export type GetLoginTokenFromEmailVerificationTokenMutation = { __typename?: 'Mutation', getLoginTokenFromEmailVerificationToken: { __typename?: 'LoginToken', loginToken: { __typename?: 'AuthToken', token: string, expiresAt: string } } };
+
 export type ImpersonateMutationVariables = Exact<{
  userId: Scalars['String'];
  workspaceId: Scalars['String'];
@ -1972,6 +2000,13 @@ export type RenewTokenMutationVariables = Exact<{

 export type RenewTokenMutation = { __typename?: 'Mutation', renewToken: { __typename?: 'AuthTokens', tokens: { __typename?: 'AuthTokenPair', accessToken: { __typename?: 'AuthToken', token: string, expiresAt: string }, refreshToken: { __typename?: 'AuthToken', token: string, expiresAt: string } } } };

+export type ResendEmailVerificationTokenMutationVariables = Exact<{
+  email: Scalars['String'];
+}>;
+
+
+export type ResendEmailVerificationTokenMutation = { __typename?: 'Mutation', resendEmailVerificationToken: { __typename?: 'ResendEmailVerificationTokenOutput', success: boolean } };
+
 export type SignUpMutationVariables = Exact<{
  email: Scalars['String'];
  password: Scalars['String'];
@ -2012,7 +2047,7 @@ export type CheckUserExistsQueryVariables = Exact<{
 }>;


-export type CheckUserExistsQuery = { __typename?: 'Query', checkUserExists: { __typename: 'UserExists', exists: boolean, availableWorkspaces: Array<{ __typename?: 'AvailableWorkspaceOutput', id: string, displayName?: string | null, subdomain: string, logo?: string | null, sso: Array<{ __typename?: 'SSOConnection', type: IdentityProviderType, id: string, issuer: string, name: string, status: SsoIdentityProviderStatus }> }> } | { __typename: 'UserNotExists', exists: boolean } };
+export type CheckUserExistsQuery = { __typename?: 'Query', checkUserExists: { __typename: 'UserExists', exists: boolean, isEmailVerified: boolean, availableWorkspaces: Array<{ __typename?: 'AvailableWorkspaceOutput', id: string, displayName?: string | null, subdomain: string, logo?: string | null, sso: Array<{ __typename?: 'SSOConnection', type: IdentityProviderType, id: string, issuer: string, name: string, status: SsoIdentityProviderStatus }> }> } | { __typename: 'UserNotExists', exists: boolean } };

 export type GetPublicWorkspaceDataBySubdomainQueryVariables = Exact<{ [key: string]: never; }>;

@ -2058,7 +2093,7 @@ export type UpdateBillingSubscriptionMutation = { __typename?: 'Mutation', updat
 export type GetClientConfigQueryVariables = Exact<{ [key: string]: never; }>;


-export type GetClientConfigQuery = { __typename?: 'Query', clientConfig: { __typename?: 'ClientConfig', signInPrefilled: boolean, isMultiWorkspaceEnabled: boolean, defaultSubdomain?: string | null, frontDomain: string, debugMode: boolean, analyticsEnabled: boolean, chromeExtensionId?: string | null, canManageFeatureFlags: boolean, billing: { __typename?: 'Billing', isBillingEnabled: boolean, billingUrl?: string | null, billingFreeTrialDurationInDays?: number | null }, authProviders: { __typename?: 'AuthProviders', google: boolean, password: boolean, microsoft: boolean, sso: Array<{ __typename?: 'SSOIdentityProvider', id: string, name: string, type: IdentityProviderType, status: SsoIdentityProviderStatus, issuer: string }> }, support: { __typename?: 'Support', supportDriver: string, supportFrontChatId?: string | null }, sentry: { __typename?: 'Sentry', dsn?: string | null, environment?: string | null, release?: string | null }, captcha: { __typename?: 'Captcha', provider?: CaptchaDriverType | null, siteKey?: string | null }, api: { __typename?: 'ApiConfig', mutationMaximumAffectedRecords: number } } };
+export type GetClientConfigQuery = { __typename?: 'Query', clientConfig: { __typename?: 'ClientConfig', signInPrefilled: boolean, isMultiWorkspaceEnabled: boolean, isEmailVerificationRequired: boolean, defaultSubdomain?: string | null, frontDomain: string, debugMode: boolean, analyticsEnabled: boolean, chromeExtensionId?: string | null, canManageFeatureFlags: boolean, billing: { __typename?: 'Billing', isBillingEnabled: boolean, billingUrl?: string | null, billingFreeTrialDurationInDays?: number | null }, authProviders: { __typename?: 'AuthProviders', google: boolean, password: boolean, microsoft: boolean, sso: Array<{ __typename?: 'SSOIdentityProvider', id: string, name: string, type: IdentityProviderType, status: SsoIdentityProviderStatus, issuer: string }> }, support: { __typename?: 'Support', supportDriver: string, supportFrontChatId?: string | null }, sentry: { __typename?: 'Sentry', dsn?: string | null, environment?: string | null, release?: string | null }, captcha: { __typename?: 'Captcha', provider?: CaptchaDriverType | null, siteKey?: string | null }, api: { __typename?: 'ApiConfig', mutationMaximumAffectedRecords: number } } };

 export type SkipSyncEmailOnboardingStepMutationVariables = Exact<{ [key: string]: never; }>;

@ -2915,6 +2950,45 @@ export function useGetAuthorizationUrlMutation(baseOptions?: Apollo.MutationHook
 export type GetAuthorizationUrlMutationHookResult = ReturnType<typeof useGetAuthorizationUrlMutation>;
 export type GetAuthorizationUrlMutationResult = Apollo.MutationResult<GetAuthorizationUrlMutation>;
 export type GetAuthorizationUrlMutationOptions = Apollo.BaseMutationOptions<GetAuthorizationUrlMutation, GetAuthorizationUrlMutationVariables>;
+export const GetLoginTokenFromEmailVerificationTokenDocument = gql`
+    mutation GetLoginTokenFromEmailVerificationToken($emailVerificationToken: String!, $captchaToken: String) {
+  getLoginTokenFromEmailVerificationToken(
+    emailVerificationToken: $emailVerificationToken
+    captchaToken: $captchaToken
+  ) {
+    loginToken {
+      ...AuthTokenFragment
+    }
+  }
+}
+    ${AuthTokenFragmentFragmentDoc}`;
+export type GetLoginTokenFromEmailVerificationTokenMutationFn = Apollo.MutationFunction<GetLoginTokenFromEmailVerificationTokenMutation, GetLoginTokenFromEmailVerificationTokenMutationVariables>;
+
+/**
+ * __useGetLoginTokenFromEmailVerificationTokenMutation__
+ *
+ * To run a mutation, you first call `useGetLoginTokenFromEmailVerificationTokenMutation` within a React component and pass it any options that fit your needs.
+ * When your component renders, `useGetLoginTokenFromEmailVerificationTokenMutation` returns a tuple that includes:
+ * - A mutate function that you can call at any time to execute the mutation
+ * - An object with fields that represent the current status of the mutation's execution
+ *
+ * @param baseOptions options that will be passed into the mutation, supported options are listed on: https://www.apollographql.com/docs/react/api/react-hooks/#options-2;
+ *
+ * @example
+ * const [getLoginTokenFromEmailVerificationTokenMutation, { data, loading, error }] = useGetLoginTokenFromEmailVerificationTokenMutation({
+ *   variables: {
+ *      emailVerificationToken: // value for 'emailVerificationToken'
+ *      captchaToken: // value for 'captchaToken'
+ *   },
+ * });
+ */
+export function useGetLoginTokenFromEmailVerificationTokenMutation(baseOptions?: Apollo.MutationHookOptions<GetLoginTokenFromEmailVerificationTokenMutation, GetLoginTokenFromEmailVerificationTokenMutationVariables>) {
+        const options = {...defaultOptions, ...baseOptions}
+        return Apollo.useMutation<GetLoginTokenFromEmailVerificationTokenMutation, GetLoginTokenFromEmailVerificationTokenMutationVariables>(GetLoginTokenFromEmailVerificationTokenDocument, options);
+      }
+export type GetLoginTokenFromEmailVerificationTokenMutationHookResult = ReturnType<typeof useGetLoginTokenFromEmailVerificationTokenMutation>;
+export type GetLoginTokenFromEmailVerificationTokenMutationResult = Apollo.MutationResult<GetLoginTokenFromEmailVerificationTokenMutation>;
+export type GetLoginTokenFromEmailVerificationTokenMutationOptions = Apollo.BaseMutationOptions<GetLoginTokenFromEmailVerificationTokenMutation, GetLoginTokenFromEmailVerificationTokenMutationVariables>;
 export const ImpersonateDocument = gql`
    mutation Impersonate($userId: String!, $workspaceId: String!) {
  impersonate(userId: $userId, workspaceId: $workspaceId) {
@ -2990,6 +3064,39 @@ export function useRenewTokenMutation(baseOptions?: Apollo.MutationHookOptions<R
 export type RenewTokenMutationHookResult = ReturnType<typeof useRenewTokenMutation>;
 export type RenewTokenMutationResult = Apollo.MutationResult<RenewTokenMutation>;
 export type RenewTokenMutationOptions = Apollo.BaseMutationOptions<RenewTokenMutation, RenewTokenMutationVariables>;
+export const ResendEmailVerificationTokenDocument = gql`
+    mutation ResendEmailVerificationToken($email: String!) {
+  resendEmailVerificationToken(email: $email) {
+    success
+  }
+}
+    `;
+export type ResendEmailVerificationTokenMutationFn = Apollo.MutationFunction<ResendEmailVerificationTokenMutation, ResendEmailVerificationTokenMutationVariables>;
+
+/**
+ * __useResendEmailVerificationTokenMutation__
+ *
+ * To run a mutation, you first call `useResendEmailVerificationTokenMutation` within a React component and pass it any options that fit your needs.
+ * When your component renders, `useResendEmailVerificationTokenMutation` returns a tuple that includes:
+ * - A mutate function that you can call at any time to execute the mutation
+ * - An object with fields that represent the current status of the mutation's execution
+ *
+ * @param baseOptions options that will be passed into the mutation, supported options are listed on: https://www.apollographql.com/docs/react/api/react-hooks/#options-2;
+ *
+ * @example
+ * const [resendEmailVerificationTokenMutation, { data, loading, error }] = useResendEmailVerificationTokenMutation({
+ *   variables: {
+ *      email: // value for 'email'
+ *   },
+ * });
+ */
+export function useResendEmailVerificationTokenMutation(baseOptions?: Apollo.MutationHookOptions<ResendEmailVerificationTokenMutation, ResendEmailVerificationTokenMutationVariables>) {
+        const options = {...defaultOptions, ...baseOptions}
+        return Apollo.useMutation<ResendEmailVerificationTokenMutation, ResendEmailVerificationTokenMutationVariables>(ResendEmailVerificationTokenDocument, options);
+      }
+export type ResendEmailVerificationTokenMutationHookResult = ReturnType<typeof useResendEmailVerificationTokenMutation>;
+export type ResendEmailVerificationTokenMutationResult = Apollo.MutationResult<ResendEmailVerificationTokenMutation>;
+export type ResendEmailVerificationTokenMutationOptions = Apollo.BaseMutationOptions<ResendEmailVerificationTokenMutation, ResendEmailVerificationTokenMutationVariables>;
 export const SignUpDocument = gql`
    mutation SignUp($email: String!, $password: String!, $workspaceInviteHash: String, $workspacePersonalInviteToken: String = null, $captchaToken: String, $workspaceId: String) {
  signUp(
@ -3179,6 +3286,7 @@ export const CheckUserExistsDocument = gql`
          status
        }
      }
+      isEmailVerified
    }
    ... on UserNotExists {
      exists
@ -3471,6 +3579,7 @@ export const GetClientConfigDocument = gql`
    }
    signInPrefilled
    isMultiWorkspaceEnabled
+    isEmailVerificationRequired
    defaultSubdomain
    frontDomain
    debugMode
--- a/packages/twenty-front/src/hooks/tests/usePageChangeEffectNavigateLocation.test.ts
+++ b/packages/twenty-front/src/hooks/tests/usePageChangeEffectNavigateLocation.test.ts
@ -58,6 +58,17 @@ const testCases = [
  { loc: AppPath.Verify, isLoggedIn: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.InviteTeam, res: AppPath.InviteTeam },
  { loc: AppPath.Verify, isLoggedIn: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.Completed, res: defaultHomePagePath },

+  { loc: AppPath.VerifyEmail, isLoggedIn: true, subscriptionStatus: undefined, onboardingStatus: OnboardingStatus.PlanRequired, res: undefined },
+  { loc: AppPath.VerifyEmail, isLoggedIn: true, subscriptionStatus: SubscriptionStatus.Canceled, onboardingStatus: OnboardingStatus.Completed, res: undefined },
+  { loc: AppPath.VerifyEmail, isLoggedIn: true, subscriptionStatus: SubscriptionStatus.Unpaid, onboardingStatus: OnboardingStatus.Completed, res: undefined },
+  { loc: AppPath.VerifyEmail, isLoggedIn: true, subscriptionStatus: SubscriptionStatus.PastDue, onboardingStatus: OnboardingStatus.Completed, res: undefined },
+  { loc: AppPath.VerifyEmail, isLoggedIn: false, subscriptionStatus: undefined, onboardingStatus: undefined, res: undefined },
+  { loc: AppPath.VerifyEmail, isLoggedIn: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.WorkspaceActivation, res: undefined },
+  { loc: AppPath.VerifyEmail, isLoggedIn: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.ProfileCreation, res: undefined },
+  { loc: AppPath.VerifyEmail, isLoggedIn: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.SyncEmail, res: undefined },
+  { loc: AppPath.VerifyEmail, isLoggedIn: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.InviteTeam, res: undefined },
+  { loc: AppPath.VerifyEmail, isLoggedIn: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.Completed, res: undefined },
+
  { loc: AppPath.SignInUp, isLoggedIn: true, subscriptionStatus: undefined, onboardingStatus: OnboardingStatus.PlanRequired, res: AppPath.PlanRequired },
  { loc: AppPath.SignInUp, isLoggedIn: true, subscriptionStatus: SubscriptionStatus.Canceled, onboardingStatus: OnboardingStatus.Completed, res: '/settings/billing' },
  { loc: AppPath.SignInUp, isLoggedIn: true, subscriptionStatus: SubscriptionStatus.Unpaid, onboardingStatus: OnboardingStatus.Completed, res: '/settings/billing' },
--- a/packages/twenty-front/src/hooks/usePageChangeEffectNavigateLocation.ts
+++ b/packages/twenty-front/src/hooks/usePageChangeEffectNavigateLocation.ts
@ -16,7 +16,8 @@ export const usePageChangeEffectNavigateLocation = () => {

  const isMatchingOpenRoute =
    isMatchingLocation(AppPath.Invite) ||
-    isMatchingLocation(AppPath.ResetPassword);
+    isMatchingLocation(AppPath.ResetPassword) ||
+    isMatchingLocation(AppPath.VerifyEmail);

  const isMatchingOngoingUserCreationRoute =
    isMatchingOpenRoute ||
--- a/packages/twenty-front/src/modules/app/hooks/useCreateAppRouter.tsx
+++ b/packages/twenty-front/src/modules/app/hooks/useCreateAppRouter.tsx
@ -1,6 +1,8 @@
 import { AppRouterProviders } from '@/app/components/AppRouterProviders';
 import { SettingsRoutes } from '@/app/components/SettingsRoutes';
+
 import { VerifyEffect } from '@/auth/components/VerifyEffect';
+import { VerifyEmailEffect } from '@/auth/components/VerifyEmailEffect';
 import indexAppPath from '@/navigation/utils/indexAppPath';
 import { AppPath } from '@/types/AppPath';
 import { BlankLayout } from '@/ui/layout/page/components/BlankLayout';
@ -40,6 +42,7 @@ export const useCreateAppRouter = (
      >
        <Route element={<DefaultLayout />}>
          <Route path={AppPath.Verify} element={<VerifyEffect />} />
+          <Route path={AppPath.VerifyEmail} element={<VerifyEmailEffect />} />
          <Route path={AppPath.SignInUp} element={<SignInUp />} />
          <Route path={AppPath.Invite} element={<Invite />} />
          <Route path={AppPath.ResetPassword} element={<PasswordReset />} />
--- a/packages/twenty-front/src/modules/auth/components/VerifyEffect.tsx
+++ b/packages/twenty-front/src/modules/auth/components/VerifyEffect.tsx
@ -5,9 +5,9 @@ import { useAuth } from '@/auth/hooks/useAuth';
 import { useIsLogged } from '@/auth/hooks/useIsLogged';
 import { isAppWaitingForFreshObjectMetadataState } from '@/object-metadata/states/isAppWaitingForFreshObjectMetadataState';
 import { AppPath } from '@/types/AppPath';
-import { useSetRecoilState } from 'recoil';
-import { useSnackBar } from '@/ui/feedback/snack-bar-manager/hooks/useSnackBar';
 import { SnackBarVariant } from '@/ui/feedback/snack-bar-manager/components/SnackBar';
+import { useSnackBar } from '@/ui/feedback/snack-bar-manager/hooks/useSnackBar';
+import { useSetRecoilState } from 'recoil';
 import { isDefined } from 'twenty-ui';

 export const VerifyEffect = () => {
@ -29,6 +29,7 @@ export const VerifyEffect = () => {
  useEffect(() => {
    if (isDefined(errorMessage)) {
      enqueueSnackBar(errorMessage, {
+        dedupeKey: 'verify-failed-dedupe-key',
        variant: SnackBarVariant.Error,
      });
    }
--- a/packages/twenty-front/src/modules/auth/components/VerifyEmailEffect.tsx
+++ b/packages/twenty-front/src/modules/auth/components/VerifyEmailEffect.tsx
@ -0,0 +1,68 @@
+import { useAuth } from '@/auth/hooks/useAuth';
+import { AppPath } from '@/types/AppPath';
+import { SnackBarVariant } from '@/ui/feedback/snack-bar-manager/components/SnackBar';
+import { useSnackBar } from '@/ui/feedback/snack-bar-manager/hooks/useSnackBar';
+
+import { useReadCaptchaToken } from '@/captcha/hooks/useReadCaptchaToken';
+import { useEffect, useState } from 'react';
+import { useNavigate, useSearchParams } from 'react-router-dom';
+import { EmailVerificationSent } from '../sign-in-up/components/EmailVerificationSent';
+
+export const VerifyEmailEffect = () => {
+  const { getLoginTokenFromEmailVerificationToken } = useAuth();
+
+  const { enqueueSnackBar } = useSnackBar();
+
+  const [searchParams] = useSearchParams();
+  const [isError, setIsError] = useState(false);
+  const email = searchParams.get('email');
+  const emailVerificationToken = searchParams.get('emailVerificationToken');
+
+  const navigate = useNavigate();
+  const { readCaptchaToken } = useReadCaptchaToken();
+
+  useEffect(() => {
+    const verifyEmailToken = async () => {
+      if (!email || !emailVerificationToken) {
+        enqueueSnackBar(`Invalid email verification link.`, {
+          dedupeKey: 'email-verification-link-dedupe-key',
+          variant: SnackBarVariant.Error,
+        });
+        return navigate(AppPath.SignInUp);
+      }
+
+      const captchaToken = await readCaptchaToken();
+
+      try {
+        const { loginToken } = await getLoginTokenFromEmailVerificationToken(
+          emailVerificationToken,
+          captchaToken,
+        );
+
+        enqueueSnackBar('Email verified.', {
+          dedupeKey: 'email-verification-dedupe-key',
+          variant: SnackBarVariant.Success,
+        });
+
+        navigate(`${AppPath.Verify}?loginToken=${loginToken.token}`);
+      } catch (error) {
+        enqueueSnackBar('Email verification failed.', {
+          dedupeKey: 'email-verification-dedupe-key',
+          variant: SnackBarVariant.Error,
+        });
+        setIsError(true);
+      }
+    };
+
+    verifyEmailToken();
+
+    // Verify email only needs to run once at mount
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, []);
+
+  if (isError) {
+    return <EmailVerificationSent email={email} isError={true} />;
+  }
+
+  return <></>;
+};
--- a/packages/twenty-front/src/modules/auth/graphql/mutations/getLoginTokenFromEmailVerificationToken.ts
+++ b/packages/twenty-front/src/modules/auth/graphql/mutations/getLoginTokenFromEmailVerificationToken.ts
@ -0,0 +1,17 @@
+import { gql } from '@apollo/client';
+
+export const GET_LOGIN_TOKEN_FROM_EMAIL_VERIFICATION_TOKEN = gql`
+  mutation GetLoginTokenFromEmailVerificationToken(
+    $emailVerificationToken: String!
+    $captchaToken: String
+  ) {
+    getLoginTokenFromEmailVerificationToken(
+      emailVerificationToken: $emailVerificationToken
+      captchaToken: $captchaToken
+    ) {
+      loginToken {
+        ...AuthTokenFragment
+      }
+    }
+  }
+`;
--- a/packages/twenty-front/src/modules/auth/graphql/mutations/resendEmailVerificationToken.ts
+++ b/packages/twenty-front/src/modules/auth/graphql/mutations/resendEmailVerificationToken.ts
@ -0,0 +1,9 @@
+import { gql } from '@apollo/client';
+
+export const RESEND_EMAIL_VERIFICATION_TOKEN = gql`
+  mutation ResendEmailVerificationToken($email: String!) {
+    resendEmailVerificationToken(email: $email) {
+      success
+    }
+  }
+`;
--- a/packages/twenty-front/src/modules/auth/graphql/queries/checkUserExists.ts
+++ b/packages/twenty-front/src/modules/auth/graphql/queries/checkUserExists.ts
@ -19,6 +19,7 @@ export const CHECK_USER_EXISTS = gql`
            status
          }
        }
+        isEmailVerified
      }
      ... on UserNotExists {
        exists
--- a/packages/twenty-front/src/modules/auth/hooks/tests/useAuth.test.tsx
+++ b/packages/twenty-front/src/modules/auth/hooks/tests/useAuth.test.tsx
@ -2,6 +2,7 @@ import { useApolloClient } from '@apollo/client';
 import { MockedProvider } from '@apollo/client/testing';
 import { expect } from '@storybook/test';
 import { ReactNode, act } from 'react';
+import { MemoryRouter } from 'react-router-dom';
 import { RecoilRoot, useRecoilValue } from 'recoil';
 import { iconsState } from 'twenty-ui';

@ -13,12 +14,14 @@ import { supportChatState } from '@/client-config/states/supportChatState';
 import { workspaceAuthProvidersState } from '@/workspace/states/workspaceAuthProvidersState';

 import { isMultiWorkspaceEnabledState } from '@/client-config/states/isMultiWorkspaceEnabledState';
-import { email, mocks, password, results, token } from '../__mocks__/useAuth';
 import { renderHook } from '@testing-library/react';
+import { email, mocks, password, results, token } from '../__mocks__/useAuth';

 const Wrapper = ({ children }: { children: ReactNode }) => (
  <MockedProvider mocks={mocks} addTypename={false}>
-    <RecoilRoot>{children}</RecoilRoot>
+    <RecoilRoot>
+      <MemoryRouter>{children}</MemoryRouter>
+    </RecoilRoot>
  </MockedProvider>
 );

--- a/packages/twenty-front/src/modules/auth/hooks/useAuth.ts
+++ b/packages/twenty-front/src/modules/auth/hooks/useAuth.ts
@ -1,4 +1,4 @@
-import { useApolloClient } from '@apollo/client';
+import { ApolloError, useApolloClient } from '@apollo/client';
 import { useCallback } from 'react';
 import {
  snapshot_UNSTABLE,
@ -26,6 +26,7 @@ import {
  useChallengeMutation,
  useCheckUserExistsLazyQuery,
  useGetCurrentUserLazyQuery,
+  useGetLoginTokenFromEmailVerificationTokenMutation,
  useSignUpMutation,
  useVerifyMutation,
 } from '~/generated/graphql';
@ -44,7 +45,12 @@ import { getTimeFormatFromWorkspaceTimeFormat } from '@/localization/utils/getTi
 import { currentUserState } from '../states/currentUserState';
 import { tokenPairState } from '../states/tokenPairState';

+import {
+  SignInUpStep,
+  signInUpStepState,
+} from '@/auth/states/signInUpStepState';
 import { BillingCheckoutSession } from '@/auth/types/billingCheckoutSession.type';
+import { isEmailVerificationRequiredState } from '@/client-config/states/isEmailVerificationRequiredState';
 import { isMultiWorkspaceEnabledState } from '@/client-config/states/isMultiWorkspaceEnabledState';
 import { useIsCurrentLocationOnAWorkspaceSubdomain } from '@/domain-manager/hooks/useIsCurrentLocationOnAWorkspaceSubdomain';
 import { useLastAuthenticatedWorkspaceDomain } from '@/domain-manager/hooks/useLastAuthenticatedWorkspaceDomain';
@ -54,6 +60,7 @@ import { domainConfigurationState } from '@/domain-manager/states/domainConfigur
 import { isAppWaitingForFreshObjectMetadataState } from '@/object-metadata/states/isAppWaitingForFreshObjectMetadataState';
 import { workspaceAuthProvidersState } from '@/workspace/states/workspaceAuthProvidersState';
 import { workspacePublicDataState } from '@/auth/states/workspacePublicDataState';
+import { useSearchParams } from 'react-router-dom';

 export const useAuth = () => {
  const setTokenPair = useSetRecoilState(tokenPairState);
@ -68,7 +75,11 @@ export const useAuth = () => {
    currentWorkspaceMembersState,
  );
  const isMultiWorkspaceEnabled = useRecoilValue(isMultiWorkspaceEnabledState);
+  const isEmailVerificationRequired = useRecoilValue(
+    isEmailVerificationRequiredState,
+  );

+  const setSignInUpStep = useSetRecoilState(signInUpStepState);
  const setCurrentWorkspace = useSetRecoilState(currentWorkspaceState);
  const setIsVerifyPendingState = useSetRecoilState(isVerifyPendingState);
  const setWorkspaces = useSetRecoilState(workspacesState);
@ -78,6 +89,8 @@ export const useAuth = () => {
  const [challenge] = useChallengeMutation();
  const [signUp] = useSignUpMutation();
  const [verify] = useVerifyMutation();
+  const [getLoginTokenFromEmailVerificationToken] =
+    useGetLoginTokenFromEmailVerificationTokenMutation();
  const [getCurrentUser] = useGetCurrentUserLazyQuery();

  const { isOnAWorkspaceSubdomain } =
@ -96,6 +109,8 @@ export const useAuth = () => {

  const setDateTimeFormat = useSetRecoilState(dateTimeFormatState);

+  const [, setSearchParams] = useSearchParams();
+
  const clearSession = useRecoilCallback(
    ({ snapshot }) =>
      async () => {
@ -154,25 +169,59 @@ export const useAuth = () => {

  const handleChallenge = useCallback(
    async (email: string, password: string, captchaToken?: string) => {
-      const challengeResult = await challenge({
+      try {
+        const challengeResult = await challenge({
+          variables: {
+            email,
+            password,
+            captchaToken,
+          },
+        });
+        if (isDefined(challengeResult.errors)) {
+          throw challengeResult.errors;
+        }
+
+        if (!challengeResult.data?.challenge) {
+          throw new Error('No login token');
+        }
+
+        return challengeResult.data.challenge;
+      } catch (error) {
+        // TODO: Get intellisense for graphql error extensions code (codegen?)
+        if (
+          error instanceof ApolloError &&
+          error.graphQLErrors[0]?.extensions?.code === 'EMAIL_NOT_VERIFIED'
+        ) {
+          setSearchParams({ email });
+          setSignInUpStep(SignInUpStep.EmailVerification);
+          throw error;
+        }
+        throw error;
+      }
+    },
+    [challenge, setSearchParams, setSignInUpStep],
+  );
+
+  const handleGetLoginTokenFromEmailVerificationToken = useCallback(
+    async (emailVerificationToken: string, captchaToken?: string) => {
+      const loginTokenResult = await getLoginTokenFromEmailVerificationToken({
        variables: {
-          email,
-          password,
+          emailVerificationToken,
          captchaToken,
        },
      });

-      if (isDefined(challengeResult.errors)) {
-        throw challengeResult.errors;
+      if (isDefined(loginTokenResult.errors)) {
+        throw loginTokenResult.errors;
      }

-      if (!challengeResult.data?.challenge) {
+      if (!loginTokenResult.data?.getLoginTokenFromEmailVerificationToken) {
        throw new Error('No login token');
      }

-      return challengeResult.data.challenge;
+      return loginTokenResult.data.getLoginTokenFromEmailVerificationToken;
    },
-    [challenge],
+    [getLoginTokenFromEmailVerificationToken],
  );

  const loadCurrentUser = useCallback(async () => {
@ -343,12 +392,21 @@ export const useAuth = () => {
        throw new Error('No login token');
      }

+      if (isEmailVerificationRequired) {
+        setSearchParams({ email });
+        setSignInUpStep(SignInUpStep.EmailVerification);
+        return null;
+      }
+
      if (isMultiWorkspaceEnabled) {
        return redirectToWorkspaceDomain(
          signUpResult.data.signUp.workspace.subdomain,
-          AppPath.Verify,
+          isEmailVerificationRequired ? AppPath.SignInUp : AppPath.Verify,
          {
-            loginToken: signUpResult.data.signUp.loginToken.token,
+            ...(!isEmailVerificationRequired && {
+              loginToken: signUpResult.data.signUp.loginToken.token,
+            }),
+            email,
          },
        );
      }
@ -361,6 +419,9 @@ export const useAuth = () => {
      workspacePublicData,
      isMultiWorkspaceEnabled,
      handleVerify,
+      setSignInUpStep,
+      setSearchParams,
+      isEmailVerificationRequired,
      redirectToWorkspaceDomain,
    ],
  );
@ -424,6 +485,8 @@ export const useAuth = () => {

  return {
    challenge: handleChallenge,
+    getLoginTokenFromEmailVerificationToken:
+      handleGetLoginTokenFromEmailVerificationToken,
    verify: handleVerify,

    loadCurrentUser,
--- a/packages/twenty-front/src/modules/auth/sign-in-up/components/EmailVerificationSent.tsx
+++ b/packages/twenty-front/src/modules/auth/sign-in-up/components/EmailVerificationSent.tsx
@ -0,0 +1,79 @@
+import styled from '@emotion/styled';
+
+import { SubTitle } from '@/auth/components/SubTitle';
+import { Title } from '@/auth/components/Title';
+import { useHandleResendEmailVerificationToken } from '@/auth/sign-in-up/hooks/useHandleResendEmailVerificationToken';
+import { useTheme } from '@emotion/react';
+import { AnimatedEaseIn, IconMail, Loader, MainButton, RGBA } from 'twenty-ui';
+
+const StyledMailContainer = styled.div`
+  align-items: center;
+  display: flex;
+  justify-content: center;
+  border: 2px solid ${(props) => props.color};
+  border-radius: ${({ theme }) => theme.border.radius.rounded};
+  box-shadow: ${(props) =>
+    props.color && `-4px 4px 0 -2px ${RGBA(props.color, 1)}`};
+  height: 36px;
+  width: 36px;
+  margin-bottom: ${({ theme }) => theme.spacing(4)};
+`;
+
+const StyledEmail = styled.span`
+  font-weight: ${({ theme }) => theme.font.weight.medium};
+`;
+
+const StyledButtonContainer = styled.div`
+  margin-top: ${({ theme }) => theme.spacing(8)};
+`;
+
+export const EmailVerificationSent = ({
+  email,
+  isError = false,
+}: {
+  email: string | null;
+  isError?: boolean;
+}) => {
+  const theme = useTheme();
+  const color =
+    theme.name === 'light' ? theme.grayScale.gray90 : theme.grayScale.gray10;
+
+  const { handleResendEmailVerificationToken, loading: isLoading } =
+    useHandleResendEmailVerificationToken();
+
+  return (
+    <>
+      <AnimatedEaseIn>
+        <StyledMailContainer color={color}>
+          <IconMail color={color} size={24} stroke={3} />
+        </StyledMailContainer>
+      </AnimatedEaseIn>
+      <Title animate>
+        {isError ? 'Email Verification Failed' : 'Confirm Your Email Address'}
+      </Title>
+      <SubTitle>
+        {isError ? (
+          <>
+            Oops! We encountered an issue verifying{' '}
+            <StyledEmail>{email}</StyledEmail>. Please request a new
+            verification email and try again.
+          </>
+        ) : (
+          <>
+            A verification email has been sent to{' '}
+            <StyledEmail>{email}</StyledEmail>. Please check your inbox and
+            click the link in the email to activate your account.
+          </>
+        )}
+      </SubTitle>
+      <StyledButtonContainer>
+        <MainButton
+          title="Click to resend"
+          onClick={handleResendEmailVerificationToken(email)}
+          Icon={() => (isLoading ? <Loader /> : undefined)}
+          width={200}
+        />
+      </StyledButtonContainer>
+    </>
+  );
+};
--- a/packages/twenty-front/src/modules/auth/sign-in-up/hooks/useHandleResendEmailVerificationToken.ts
+++ b/packages/twenty-front/src/modules/auth/sign-in-up/hooks/useHandleResendEmailVerificationToken.ts
@ -0,0 +1,47 @@
+import { useCallback } from 'react';
+
+import { SnackBarVariant } from '@/ui/feedback/snack-bar-manager/components/SnackBar';
+import { useSnackBar } from '@/ui/feedback/snack-bar-manager/hooks/useSnackBar';
+import { useResendEmailVerificationTokenMutation } from '~/generated/graphql';
+
+export const useHandleResendEmailVerificationToken = () => {
+  const { enqueueSnackBar } = useSnackBar();
+  const [resendEmailVerificationToken, { loading }] =
+    useResendEmailVerificationTokenMutation();
+
+  const handleResendEmailVerificationToken = useCallback(
+    (email: string | null) => {
+      return async () => {
+        if (!email) {
+          enqueueSnackBar('Invalid email', {
+            variant: SnackBarVariant.Error,
+          });
+          return;
+        }
+
+        try {
+          const { data } = await resendEmailVerificationToken({
+            variables: { email },
+          });
+
+          if (data?.resendEmailVerificationToken?.success === true) {
+            enqueueSnackBar('Email verification link resent!', {
+              variant: SnackBarVariant.Success,
+            });
+          } else {
+            enqueueSnackBar('There was some issue', {
+              variant: SnackBarVariant.Error,
+            });
+          }
+        } catch (error) {
+          enqueueSnackBar((error as Error).message, {
+            variant: SnackBarVariant.Error,
+          });
+        }
+      };
+    },
+    [enqueueSnackBar, resendEmailVerificationToken],
+  );
+
+  return { handleResendEmailVerificationToken, loading };
+};
--- a/packages/twenty-front/src/modules/auth/states/signInUpStepState.ts
+++ b/packages/twenty-front/src/modules/auth/states/signInUpStepState.ts
@ -4,6 +4,7 @@ export enum SignInUpStep {
  Init = 'init',
  Email = 'email',
  Password = 'password',
+  EmailVerification = 'emailVerification',
  WorkspaceSelection = 'workspaceSelection',
  SSOIdentityProviderSelection = 'SSOIdentityProviderSelection',
 }
--- a/packages/twenty-front/src/modules/client-config/components/ClientConfigProviderEffect.tsx
+++ b/packages/twenty-front/src/modules/client-config/components/ClientConfigProviderEffect.tsx
@ -8,6 +8,7 @@ import { clientConfigApiStatusState } from '@/client-config/states/clientConfigA
 import { isAnalyticsEnabledState } from '@/client-config/states/isAnalyticsEnabledState';
 import { isDebugModeState } from '@/client-config/states/isDebugModeState';
 import { isDeveloperDefaultSignInPrefilledState } from '@/client-config/states/isDeveloperDefaultSignInPrefilledState';
+import { isEmailVerificationRequiredState } from '@/client-config/states/isEmailVerificationRequiredState';
 import { isMultiWorkspaceEnabledState } from '@/client-config/states/isMultiWorkspaceEnabledState';
 import { sentryConfigState } from '@/client-config/states/sentryConfigState';
 import { supportChatState } from '@/client-config/states/supportChatState';
@ -29,6 +30,9 @@ export const ClientConfigProviderEffect = () => {
  const setIsMultiWorkspaceEnabled = useSetRecoilState(
    isMultiWorkspaceEnabledState,
  );
+  const setIsEmailVerificationRequired = useSetRecoilState(
+    isEmailVerificationRequiredState,
+  );

  const setBilling = useSetRecoilState(billingState);
  const setSupportChat = useSetRecoilState(supportChatState);
@ -89,6 +93,9 @@ export const ClientConfigProviderEffect = () => {
    setIsAnalyticsEnabled(data?.clientConfig.analyticsEnabled);
    setIsDeveloperDefaultSignInPrefilled(data?.clientConfig.signInPrefilled);
    setIsMultiWorkspaceEnabled(data?.clientConfig.isMultiWorkspaceEnabled);
+    setIsEmailVerificationRequired(
+      data?.clientConfig.isEmailVerificationRequired,
+    );
    setBilling(data?.clientConfig.billing);
    setSupportChat(data?.clientConfig.support);

@ -115,6 +122,7 @@ export const ClientConfigProviderEffect = () => {
    setIsDebugMode,
    setIsDeveloperDefaultSignInPrefilled,
    setIsMultiWorkspaceEnabled,
+    setIsEmailVerificationRequired,
    setSupportChat,
    setBilling,
    setSentryConfig,
--- a/packages/twenty-front/src/modules/client-config/graphql/queries/getClientConfig.ts
+++ b/packages/twenty-front/src/modules/client-config/graphql/queries/getClientConfig.ts
@ -22,6 +22,7 @@ export const GET_CLIENT_CONFIG = gql`
      }
      signInPrefilled
      isMultiWorkspaceEnabled
+      isEmailVerificationRequired
      defaultSubdomain
      frontDomain
      debugMode
--- a/packages/twenty-front/src/modules/client-config/states/isEmailVerificationRequiredState.ts
+++ b/packages/twenty-front/src/modules/client-config/states/isEmailVerificationRequiredState.ts
@ -0,0 +1,6 @@
+import { createState } from 'twenty-ui';
+
+export const isEmailVerificationRequiredState = createState<boolean>({
+  key: 'isEmailVerificationRequired',
+  defaultValue: false,
+});
--- a/packages/twenty-front/src/modules/types/AppPath.ts
+++ b/packages/twenty-front/src/modules/types/AppPath.ts
@ -1,6 +1,7 @@
 export enum AppPath {
  // Not logged-in
  Verify = '/verify',
+  VerifyEmail = '/verify-email',
  SignInUp = '/welcome',
  Invite = '/invite/:workspaceInviteHash',
  ResetPassword = '/reset-password/:passwordResetToken',
--- a/packages/twenty-front/src/modules/ui/feedback/snack-bar-manager/components/SnackBar.tsx
+++ b/packages/twenty-front/src/modules/ui/feedback/snack-bar-manager/components/SnackBar.tsx
@ -35,6 +35,7 @@ export type SnackBarProps = Pick<ComponentPropsWithoutRef<'div'>, 'id'> & {
  onClose?: () => void;
  role?: 'alert' | 'status';
  variant?: SnackBarVariant;
+  dedupeKey?: string;
 };

 const StyledContainer = styled.div`
--- a/packages/twenty-front/src/modules/ui/feedback/snack-bar-manager/hooks/useSnackBar.ts
+++ b/packages/twenty-front/src/modules/ui/feedback/snack-bar-manager/hooks/useSnackBar.ts
@ -1,6 +1,7 @@
 import { useCallback } from 'react';
 import { useRecoilCallback } from 'recoil';
 import { v4 as uuidv4 } from 'uuid';
+import { isDefined } from '~/utils/isDefined';

 import { SnackBarManagerScopeInternalContext } from '@/ui/feedback/snack-bar-manager/scopes/scope-internal-context/SnackBarManagerScopeInternalContext';
 import {
@ -27,8 +28,17 @@ export const useSnackBar = () => {

  const setSnackBarQueue = useRecoilCallback(
    ({ set }) =>
-      (newValue) =>
+      (newValue: SnackBarOptions) =>
        set(snackBarInternalScopedState({ scopeId }), (prev) => {
+          if (
+            isDefined(newValue.dedupeKey) &&
+            prev.queue.some(
+              (snackBar) => snackBar.dedupeKey === newValue.dedupeKey,
+            )
+          ) {
+            return prev;
+          }
+
          if (prev.queue.length >= prev.maxQueue) {
            return {
              ...prev,
--- a/packages/twenty-front/src/modules/ui/layout/hooks/tests/useShowAuthModal.test.tsx
+++ b/packages/twenty-front/src/modules/ui/layout/hooks/tests/useShowAuthModal.test.tsx
@ -67,6 +67,17 @@ const testCases = [
  { loc: AppPath.Verify, isLogged: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.InviteTeam, res: false },
  { loc: AppPath.Verify, isLogged: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.Completed, res: false },

+  { loc: AppPath.VerifyEmail, isLogged: true, subscriptionStatus: undefined, onboardingStatus: OnboardingStatus.PlanRequired, res: true },
+  { loc: AppPath.VerifyEmail, isLogged: true, subscriptionStatus: SubscriptionStatus.Canceled, onboardingStatus: OnboardingStatus.Completed, res: true },
+  { loc: AppPath.VerifyEmail, isLogged: true, subscriptionStatus: SubscriptionStatus.Unpaid, onboardingStatus: OnboardingStatus.Completed, res: true },
+  { loc: AppPath.VerifyEmail, isLogged: true, subscriptionStatus: SubscriptionStatus.PastDue, onboardingStatus: OnboardingStatus.Completed, res: true },
+  { loc: AppPath.VerifyEmail, isLogged: false, subscriptionStatus: undefined, onboardingStatus: undefined, res: true },
+  { loc: AppPath.VerifyEmail, isLogged: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.WorkspaceActivation, res: true },
+  { loc: AppPath.VerifyEmail, isLogged: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.ProfileCreation, res: true },
+  { loc: AppPath.VerifyEmail, isLogged: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.SyncEmail, res: true },
+  { loc: AppPath.VerifyEmail, isLogged: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.InviteTeam, res: true },
+  { loc: AppPath.VerifyEmail, isLogged: true, subscriptionStatus: SubscriptionStatus.Active, onboardingStatus: OnboardingStatus.Completed, res: true },
+
  { loc: AppPath.SignInUp, isLogged: true, subscriptionStatus: undefined, onboardingStatus: OnboardingStatus.PlanRequired, res: true },
  { loc: AppPath.SignInUp, isLogged: true, subscriptionStatus: SubscriptionStatus.Canceled, onboardingStatus: OnboardingStatus.Completed, res: true },
  { loc: AppPath.SignInUp, isLogged: true, subscriptionStatus: SubscriptionStatus.Unpaid, onboardingStatus: OnboardingStatus.Completed, res: true },
--- a/packages/twenty-front/src/modules/ui/layout/hooks/useShowAuthModal.ts
+++ b/packages/twenty-front/src/modules/ui/layout/hooks/useShowAuthModal.ts
@ -28,6 +28,7 @@ export const useShowAuthModal = () => {
    if (
      isMatchingLocation(AppPath.Invite) ||
      isMatchingLocation(AppPath.ResetPassword) ||
+      isMatchingLocation(AppPath.VerifyEmail) ||
      isMatchingLocation(AppPath.SignInUp)
    ) {
      return isDefaultLayoutAuthModalVisible;
--- a/packages/twenty-front/src/pages/auth/SignInUp.tsx
+++ b/packages/twenty-front/src/pages/auth/SignInUp.tsx
@ -1,12 +1,12 @@
-import { useRecoilValue } from 'recoil';
-
 import { useSignInUp } from '@/auth/sign-in-up/hooks/useSignInUp';
 import { useSignInUpForm } from '@/auth/sign-in-up/hooks/useSignInUpForm';
 import { SignInUpStep } from '@/auth/states/signInUpStepState';
 import { workspacePublicDataState } from '@/auth/states/workspacePublicDataState';
+import { useRecoilValue } from 'recoil';

 import { Logo } from '@/auth/components/Logo';
 import { Title } from '@/auth/components/Title';
+import { EmailVerificationSent } from '@/auth/sign-in-up/components/EmailVerificationSent';
 import { FooterNote } from '@/auth/sign-in-up/components/FooterNote';
 import { SignInUpGlobalScopeForm } from '@/auth/sign-in-up/components/SignInUpGlobalScopeForm';
 import { SignInUpSSOIdentityProviderSelection } from '@/auth/sign-in-up/components/SignInUpSSOIdentityProviderSelection';
@ -21,6 +21,37 @@ import { useMemo } from 'react';
 import { AnimatedEaseIn } from 'twenty-ui';
 import { isDefined } from '~/utils/isDefined';

+import { useSearchParams } from 'react-router-dom';
+import { PublicWorkspaceDataOutput } from '~/generated-metadata/graphql';
+
+const StandardContent = ({
+  workspacePublicData,
+  signInUpForm,
+  signInUpStep,
+}: {
+  workspacePublicData: PublicWorkspaceDataOutput | null;
+  signInUpForm: JSX.Element | null;
+  signInUpStep: SignInUpStep;
+}) => {
+  return (
+    <>
+      <AnimatedEaseIn>
+        <Logo secondaryLogo={workspacePublicData?.logo} />
+      </AnimatedEaseIn>
+      <Title animate>
+        Welcome to{' '}
+        {!isDefined(workspacePublicData?.displayName)
+          ? DEFAULT_WORKSPACE_NAME
+          : workspacePublicData?.displayName === ''
+            ? 'Your Workspace'
+            : workspacePublicData?.displayName}
+      </Title>
+      {signInUpForm}
+      {signInUpStep !== SignInUpStep.Password && <FooterNote />}
+    </>
+  );
+};
+
 export const SignInUp = () => {
  const { form } = useSignInUpForm();
  const { signInUpStep } = useSignInUp(form);
@ -31,6 +62,8 @@ export const SignInUp = () => {
  const { loading } = useGetPublicWorkspaceDataBySubdomain();
  const isMultiWorkspaceEnabled = useRecoilValue(isMultiWorkspaceEnabledState);

+  const [searchParams] = useSearchParams();
+
  const signInUpForm = useMemo(() => {
    if (loading) return null;

@ -68,16 +101,15 @@ export const SignInUp = () => {
    workspacePublicData,
  ]);

+  if (signInUpStep === SignInUpStep.EmailVerification) {
+    return <EmailVerificationSent email={searchParams.get('email')} />;
+  }
+
  return (
-    <>
-      <AnimatedEaseIn>
-        <Logo secondaryLogo={workspacePublicData?.logo} />
-      </AnimatedEaseIn>
-      <Title animate>
-        {`Welcome to ${workspacePublicData?.displayName ?? DEFAULT_WORKSPACE_NAME}`}
-      </Title>
-      {signInUpForm}
-      {signInUpStep !== SignInUpStep.Password && <FooterNote />}
-    </>
+    <StandardContent
+      workspacePublicData={workspacePublicData}
+      signInUpForm={signInUpForm}
+      signInUpStep={signInUpStep}
+    />
  );
 };
--- a/packages/twenty-front/src/testing/mock-data/config.ts
+++ b/packages/twenty-front/src/testing/mock-data/config.ts
@ -3,6 +3,7 @@ import { CaptchaDriverType, ClientConfig } from '~/generated/graphql';
 export const mockedClientConfig: ClientConfig = {
  signInPrefilled: true,
  isMultiWorkspaceEnabled: false,
+  isEmailVerificationRequired: false,
  authProviders: {
    google: true,
    magicLink: false,
--- a/packages/twenty-server/.env.example
+++ b/packages/twenty-server/.env.example
@ -56,6 +56,8 @@ FRONT_PORT=3001
 # WORKSPACE_INACTIVE_DAYS_BEFORE_NOTIFICATION=30
 # WORKSPACE_INACTIVE_DAYS_BEFORE_DELETION=60
 # Email Server Settings, see this doc for more info: https://docs.twenty.com/start/self-hosting/#email
+# IS_EMAIL_VERIFICATION_REQUIRED=false
+# EMAIL_VERIFICATION_TOKEN_EXPIRES_IN=1h
 # EMAIL_FROM_ADDRESS=contact@yourdomain.com
 # EMAIL_SYSTEM_ADDRESS=system@yourdomain.com
 # EMAIL_FROM_NAME='John from YourDomain'
--- a/packages/twenty-server/src/database/typeorm/core/migrations/common/1736050161854-renameEmailVerifiedColumn.ts
+++ b/packages/twenty-server/src/database/typeorm/core/migrations/common/1736050161854-renameEmailVerifiedColumn.ts
@ -0,0 +1,19 @@
+import { MigrationInterface, QueryRunner } from 'typeorm';
+
+export class RenameEmailVerifiedColumn1736050161854
+  implements MigrationInterface
+{
+  name = 'RenameEmailVerifiedColumn1736050161854';
+
+  public async up(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(
+      `ALTER TABLE "core"."user" RENAME COLUMN "emailVerified" TO "isEmailVerified"`,
+    );
+  }
+
+  public async down(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(
+      `ALTER TABLE "core"."user" RENAME COLUMN "isEmailVerified" TO "emailVerified"`,
+    );
+  }
+}
--- a/packages/twenty-server/src/engine/core-modules/app-token/app-token.entity.ts
+++ b/packages/twenty-server/src/engine/core-modules/app-token/app-token.entity.ts
@ -1,21 +1,21 @@
 import { Field, ObjectType } from '@nestjs/graphql';

-import {
-  Entity,
-  Column,
-  PrimaryGeneratedColumn,
-  ManyToOne,
-  JoinColumn,
-  CreateDateColumn,
-  UpdateDateColumn,
-  Relation,
-} from 'typeorm';
 import { BeforeCreateOne, IDField } from '@ptc-org/nestjs-query-graphql';
+import {
+  Column,
+  CreateDateColumn,
+  Entity,
+  JoinColumn,
+  ManyToOne,
+  PrimaryGeneratedColumn,
+  Relation,
+  UpdateDateColumn,
+} from 'typeorm';

+import { UUIDScalarType } from 'src/engine/api/graphql/workspace-schema-builder/graphql-types/scalars';
 import { BeforeCreateOneAppToken } from 'src/engine/core-modules/app-token/hooks/before-create-one-app-token.hook';
 import { User } from 'src/engine/core-modules/user/user.entity';
 import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
-import { UUIDScalarType } from 'src/engine/api/graphql/workspace-schema-builder/graphql-types/scalars';
 export enum AppTokenType {
  RefreshToken = 'REFRESH_TOKEN',
  CodeChallenge = 'CODE_CHALLENGE',
@ -23,6 +23,7 @@ export enum AppTokenType {
  PasswordResetToken = 'PASSWORD_RESET_TOKEN',
  InvitationToken = 'INVITATION_TOKEN',
  OIDCCodeVerifier = 'OIDC_CODE_VERIFIER',
+  EmailVerificationToken = 'EMAIL_VERIFICATION_TOKEN',
 }

@Entity({ name: 'appToken', schema: 'core' })
--- a/packages/twenty-server/src/engine/core-modules/auth/auth.exception.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/auth.exception.ts
@ -9,6 +9,7 @@ export class AuthException extends CustomException {

 export enum AuthExceptionCode {
  USER_NOT_FOUND = 'USER_NOT_FOUND',
+  EMAIL_NOT_VERIFIED = 'EMAIL_NOT_VERIFIED',
  CLIENT_NOT_FOUND = 'CLIENT_NOT_FOUND',
  WORKSPACE_NOT_FOUND = 'WORKSPACE_NOT_FOUND',
  INVALID_INPUT = 'INVALID_INPUT',
--- a/packages/twenty-server/src/engine/core-modules/auth/auth.module.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/auth.module.ts
@ -25,6 +25,7 @@ import { RefreshTokenService } from 'src/engine/core-modules/auth/token/services
 import { TransientTokenService } from 'src/engine/core-modules/auth/token/services/transient-token.service';
 import { TokenModule } from 'src/engine/core-modules/auth/token/token.module';
 import { DomainManagerModule } from 'src/engine/core-modules/domain-manager/domain-manager.module';
+import { EmailVerificationModule } from 'src/engine/core-modules/email-verification/email-verification.module';
 import { FeatureFlagEntity } from 'src/engine/core-modules/feature-flag/feature-flag.entity';
 import { FeatureFlagModule } from 'src/engine/core-modules/feature-flag/feature-flag.module';
 import { FileUploadModule } from 'src/engine/core-modules/file/file-upload/file-upload.module';
@ -80,6 +81,7 @@ import { JwtAuthStrategy } from './strategies/jwt.auth.strategy';
    WorkspaceSSOModule,
    FeatureFlagModule,
    WorkspaceInvitationModule,
+    EmailVerificationModule,
  ],
  controllers: [
    GoogleAuthController,
--- a/packages/twenty-server/src/engine/core-modules/auth/auth.resolver.spec.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/auth.resolver.spec.ts
@ -3,11 +3,12 @@ import { Test, TestingModule } from '@nestjs/testing';
 import { getRepositoryToken } from '@nestjs/typeorm';

 import { CaptchaGuard } from 'src/engine/core-modules/captcha/captcha.guard';
+import { DomainManagerService } from 'src/engine/core-modules/domain-manager/service/domain-manager.service';
+import { EmailVerificationService } from 'src/engine/core-modules/email-verification/services/email-verification.service';
 import { UserWorkspaceService } from 'src/engine/core-modules/user-workspace/user-workspace.service';
 import { UserService } from 'src/engine/core-modules/user/services/user.service';
 import { User } from 'src/engine/core-modules/user/user.entity';
 import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
-import { DomainManagerService } from 'src/engine/core-modules/domain-manager/service/domain-manager.service';

 import { AuthResolver } from './auth.resolver';

@ -16,6 +17,7 @@ import { AuthService } from './services/auth.service';
 // import { OAuthService } from './services/oauth.service';
 import { ResetPasswordService } from './services/reset-password.service';
 import { SwitchWorkspaceService } from './services/switch-workspace.service';
+import { EmailVerificationTokenService } from './token/services/email-verification-token.service';
 import { LoginTokenService } from './token/services/login-token.service';
 import { RenewTokenService } from './token/services/renew-token.service';
 import { TransientTokenService } from './token/services/transient-token.service';
@ -80,6 +82,14 @@ describe('AuthResolver', () => {
          provide: TransientTokenService,
          useValue: {},
        },
+        {
+          provide: EmailVerificationService,
+          useValue: {},
+        },
+        {
+          provide: EmailVerificationTokenService,
+          useValue: {},
+        },
        // {
        //   provide: OAuthService,
        //   useValue: {},
--- a/packages/twenty-server/src/engine/core-modules/auth/auth.resolver.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/auth.resolver.ts
@ -18,30 +18,34 @@ import { ValidatePasswordResetTokenInput } from 'src/engine/core-modules/auth/dt
 import { AuthGraphqlApiExceptionFilter } from 'src/engine/core-modules/auth/filters/auth-graphql-api-exception.filter';
 import { ApiKeyService } from 'src/engine/core-modules/auth/services/api-key.service';
 // import { OAuthService } from 'src/engine/core-modules/auth/services/oauth.service';
-import { ResetPasswordService } from 'src/engine/core-modules/auth/services/reset-password.service';
-import { SwitchWorkspaceService } from 'src/engine/core-modules/auth/services/switch-workspace.service';
-import { LoginTokenService } from 'src/engine/core-modules/auth/token/services/login-token.service';
-import { RenewTokenService } from 'src/engine/core-modules/auth/token/services/renew-token.service';
-import { TransientTokenService } from 'src/engine/core-modules/auth/token/services/transient-token.service';
-import { CaptchaGuard } from 'src/engine/core-modules/captcha/captcha.guard';
-import { UserService } from 'src/engine/core-modules/user/services/user.service';
-import { User } from 'src/engine/core-modules/user/user.entity';
-import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
-import { AuthUser } from 'src/engine/decorators/auth/auth-user.decorator';
-import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
-import { UserAuthGuard } from 'src/engine/guards/user-auth.guard';
-import { WorkspaceAuthGuard } from 'src/engine/guards/workspace-auth.guard';
-import { SwitchWorkspaceInput } from 'src/engine/core-modules/auth/dto/switch-workspace.input';
-import { PublicWorkspaceDataOutput } from 'src/engine/core-modules/workspace/dtos/public-workspace-data-output';
 import {
  AuthException,
  AuthExceptionCode,
 } from 'src/engine/core-modules/auth/auth.exception';
-import { OriginHeader } from 'src/engine/decorators/auth/origin-header.decorator';
 import { AvailableWorkspaceOutput } from 'src/engine/core-modules/auth/dto/available-workspaces.output';
-import { DomainManagerService } from 'src/engine/core-modules/domain-manager/service/domain-manager.service';
+import { GetLoginTokenFromEmailVerificationTokenInput } from 'src/engine/core-modules/auth/dto/get-login-token-from-email-verification-token.input';
 import { SignUpOutput } from 'src/engine/core-modules/auth/dto/sign-up.output';
+import { SwitchWorkspaceInput } from 'src/engine/core-modules/auth/dto/switch-workspace.input';
+import { ResetPasswordService } from 'src/engine/core-modules/auth/services/reset-password.service';
+import { SwitchWorkspaceService } from 'src/engine/core-modules/auth/services/switch-workspace.service';
+import { EmailVerificationTokenService } from 'src/engine/core-modules/auth/token/services/email-verification-token.service';
+import { LoginTokenService } from 'src/engine/core-modules/auth/token/services/login-token.service';
+import { RenewTokenService } from 'src/engine/core-modules/auth/token/services/renew-token.service';
+import { TransientTokenService } from 'src/engine/core-modules/auth/token/services/transient-token.service';
+import { CaptchaGuard } from 'src/engine/core-modules/captcha/captcha.guard';
+import { DomainManagerService } from 'src/engine/core-modules/domain-manager/service/domain-manager.service';
+import { EmailVerificationService } from 'src/engine/core-modules/email-verification/services/email-verification.service';
+import { UserWorkspaceService } from 'src/engine/core-modules/user-workspace/user-workspace.service';
+import { UserService } from 'src/engine/core-modules/user/services/user.service';
+import { User } from 'src/engine/core-modules/user/user.entity';
+import { PublicWorkspaceDataOutput } from 'src/engine/core-modules/workspace/dtos/public-workspace-data-output';
+import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
 import { workspaceValidator } from 'src/engine/core-modules/workspace/workspace.validate';
+import { AuthUser } from 'src/engine/decorators/auth/auth-user.decorator';
+import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
+import { OriginHeader } from 'src/engine/decorators/auth/origin-header.decorator';
+import { UserAuthGuard } from 'src/engine/guards/user-auth.guard';
+import { WorkspaceAuthGuard } from 'src/engine/guards/workspace-auth.guard';

 import { ChallengeInput } from './dto/challenge.input';
 import { LoginToken } from './dto/login-token.entity';
@ -68,8 +72,11 @@ export class AuthResolver {
    private loginTokenService: LoginTokenService,
    private switchWorkspaceService: SwitchWorkspaceService,
    private transientTokenService: TransientTokenService,
+    private emailVerificationService: EmailVerificationService,
    // private oauthService: OAuthService,
    private domainManagerService: DomainManagerService,
+    private userWorkspaceService: UserWorkspaceService,
+    private emailVerificationTokenService: EmailVerificationTokenService,
  ) {}

  @UseGuards(CaptchaGuard)
@ -116,7 +123,6 @@ export class AuthResolver {
        AuthExceptionCode.WORKSPACE_NOT_FOUND,
      ),
    );
-
    const user = await this.authService.challenge(challengeInput, workspace);
    const loginToken = await this.loginTokenService.generateLoginToken(
      user.email,
@ -126,6 +132,41 @@ export class AuthResolver {
    return { loginToken };
  }

+  @UseGuards(CaptchaGuard)
+  @Mutation(() => LoginToken)
+  async getLoginTokenFromEmailVerificationToken(
+    @Args()
+    getLoginTokenFromEmailVerificationTokenInput: GetLoginTokenFromEmailVerificationTokenInput,
+    @OriginHeader() origin: string,
+  ) {
+    const workspace =
+      await this.domainManagerService.getWorkspaceByOriginOrDefaultWorkspace(
+        origin,
+      );
+
+    workspaceValidator.assertIsDefinedOrThrow(
+      workspace,
+      new AuthException(
+        'Workspace not found',
+        AuthExceptionCode.WORKSPACE_NOT_FOUND,
+      ),
+    );
+
+    const user =
+      await this.emailVerificationTokenService.validateEmailVerificationTokenOrThrow(
+        getLoginTokenFromEmailVerificationTokenInput.emailVerificationToken,
+      );
+
+    await this.userService.markEmailAsVerified(user.id);
+
+    const loginToken = await this.loginTokenService.generateLoginToken(
+      user.email,
+      workspace.id,
+    );
+
+    return { loginToken };
+  }
+
  @UseGuards(CaptchaGuard)
  @Mutation(() => SignUpOutput)
  async signUp(@Args() signUpInput: SignUpInput): Promise<SignUpOutput> {
@ -170,6 +211,12 @@ export class AuthResolver {
      },
    });

+    await this.emailVerificationService.sendVerificationEmail(
+      user.id,
+      user.email,
+      workspace.subdomain,
+    );
+
    const loginToken = await this.loginTokenService.generateLoginToken(
      user.email,
      workspace.id,
@ -333,6 +380,6 @@ export class AuthResolver {
  async findAvailableWorkspacesByEmail(
    @Args('email') email: string,
  ): Promise<AvailableWorkspaceOutput[]> {
-    return this.authService.findAvailableWorkspacesByEmail(email);
+    return this.userWorkspaceService.findAvailableWorkspacesByEmail(email);
  }
 }
--- a/packages/twenty-server/src/engine/core-modules/auth/dto/get-login-token-from-email-verification-token.input.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/dto/get-login-token-from-email-verification-token.input.ts
@ -0,0 +1,16 @@
+import { ArgsType, Field } from '@nestjs/graphql';
+
+import { IsNotEmpty, IsString, IsOptional } from 'class-validator';
+
+@ArgsType()
+export class GetLoginTokenFromEmailVerificationTokenInput {
+  @Field(() => String)
+  @IsNotEmpty()
+  @IsString()
+  emailVerificationToken: string;
+
+  @Field(() => String, { nullable: true })
+  @IsString()
+  @IsOptional()
+  captchaToken?: string;
+}
--- a/packages/twenty-server/src/engine/core-modules/auth/dto/user-exists.entity.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/dto/user-exists.entity.ts
@ -9,6 +9,9 @@ export class UserExists {

  @Field(() => [AvailableWorkspaceOutput])
  availableWorkspaces: Array<AvailableWorkspaceOutput>;
+
+  @Field(() => Boolean)
+  isEmailVerified: boolean;
 }

@ObjectType()
--- a/packages/twenty-server/src/engine/core-modules/auth/filters/auth-graphql-api-exception.filter.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/filters/auth-graphql-api-exception.filter.ts
@ -6,6 +6,7 @@ import {
 } from 'src/engine/core-modules/auth/auth.exception';
 import {
  AuthenticationError,
+  EmailNotVerifiedError,
  ForbiddenError,
  InternalServerError,
  NotFoundError,
@ -20,6 +21,8 @@ export class AuthGraphqlApiExceptionFilter implements ExceptionFilter {
        throw new NotFoundError(exception.message);
      case AuthExceptionCode.INVALID_INPUT:
        throw new UserInputError(exception.message);
+      case AuthExceptionCode.EMAIL_NOT_VERIFIED:
+        throw new EmailNotVerifiedError(exception.message);
      case AuthExceptionCode.FORBIDDEN_EXCEPTION:
        throw new ForbiddenError(exception.message);
      case AuthExceptionCode.UNAUTHENTICATED:
--- a/packages/twenty-server/src/engine/core-modules/auth/services/auth.service.spec.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/services/auth.service.spec.ts
@ -1,23 +1,23 @@
 import { Test, TestingModule } from '@nestjs/testing';
 import { getRepositoryToken } from '@nestjs/typeorm';

-import bcrypt from 'bcrypt';
 import { expect, jest } from '@jest/globals';
 import { Repository } from 'typeorm';
+import bcrypt from 'bcrypt';

 import { AppToken } from 'src/engine/core-modules/app-token/app-token.entity';
-import { User } from 'src/engine/core-modules/user/user.entity';
-import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
-import { UserWorkspaceService } from 'src/engine/core-modules/user-workspace/user-workspace.service';
 import { SignInUpService } from 'src/engine/core-modules/auth/services/sign-in-up.service';
-import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service';
-import { EmailService } from 'src/engine/core-modules/email/email.service';
 import { AccessTokenService } from 'src/engine/core-modules/auth/token/services/access-token.service';
 import { RefreshTokenService } from 'src/engine/core-modules/auth/token/services/refresh-token.service';
-import { UserService } from 'src/engine/core-modules/user/services/user.service';
-import { WorkspaceInvitationService } from 'src/engine/core-modules/workspace-invitation/services/workspace-invitation.service';
 import { DomainManagerService } from 'src/engine/core-modules/domain-manager/service/domain-manager.service';
+import { EmailService } from 'src/engine/core-modules/email/email.service';
+import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service';
+import { UserWorkspaceService } from 'src/engine/core-modules/user-workspace/user-workspace.service';
+import { UserService } from 'src/engine/core-modules/user/services/user.service';
+import { User } from 'src/engine/core-modules/user/user.entity';
+import { WorkspaceInvitationService } from 'src/engine/core-modules/workspace-invitation/services/workspace-invitation.service';
 import { SocialSsoService } from 'src/engine/core-modules/auth/services/social-sso.service';
+import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';

 import { AuthService } from './auth.service';

@ -31,9 +31,10 @@ const workspaceInvitationGetOneWorkspaceInvitationMock = jest.fn();
 const workspaceInvitationValidateInvitationMock = jest.fn();
 const userWorkspaceAddUserToWorkspaceMock = jest.fn();

+const environmentServiceGetMock = jest.fn();
+
 describe('AuthService', () => {
  let service: AuthService;
-  let appTokenRepository: Repository<AppToken>;

  beforeEach(async () => {
    const module: TestingModule = await Test.createTestingModule({
@ -66,7 +67,9 @@ describe('AuthService', () => {
        },
        {
          provide: EnvironmentService,
-          useValue: {},
+          useValue: {
+            get: environmentServiceGetMock,
+          },
        },
        {
          provide: DomainManagerService,
@ -112,10 +115,10 @@ describe('AuthService', () => {
    }).compile();

    service = module.get<AuthService>(AuthService);
+  });

-    appTokenRepository = module.get<Repository<AppToken>>(
-      getRepositoryToken(AppToken, 'core'),
-    );
+  beforeEach(() => {
+    environmentServiceGetMock.mockReturnValue(false);
  });

  it('should be defined', async () => {
--- a/packages/twenty-server/src/engine/core-modules/auth/services/auth.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/services/auth.service.ts
@ -26,7 +26,6 @@ import {
 } from 'src/engine/core-modules/auth/auth.util';
 import { AuthorizeApp } from 'src/engine/core-modules/auth/dto/authorize-app.entity';
 import { AuthorizeAppInput } from 'src/engine/core-modules/auth/dto/authorize-app.input';
-import { AvailableWorkspaceOutput } from 'src/engine/core-modules/auth/dto/available-workspaces.output';
 import { ChallengeInput } from 'src/engine/core-modules/auth/dto/challenge.input';
 import { AuthTokens } from 'src/engine/core-modules/auth/dto/token.entity';
 import { UpdatePassword } from 'src/engine/core-modules/auth/dto/update-password.entity';
@ -157,6 +156,17 @@ export class AuthService {
      );
    }

+    const isEmailVerificationRequired = this.environmentService.get(
+      'IS_EMAIL_VERIFICATION_REQUIRED',
+    );
+
+    if (isEmailVerificationRequired && !user.isEmailVerified) {
+      throw new AuthException(
+        'Email is not verified',
+        AuthExceptionCode.EMAIL_NOT_VERIFIED,
+      );
+    }
+
    return user;
  }

@ -260,7 +270,9 @@ export class AuthService {
    if (userValidator.isDefined(user)) {
      return {
        exists: true,
-        availableWorkspaces: await this.findAvailableWorkspacesByEmail(email),
+        availableWorkspaces:
+          await this.userWorkspaceService.findAvailableWorkspacesByEmail(email),
+        isEmailVerified: user.isEmailVerified,
      };
    }

@ -463,48 +475,6 @@ export class AuthService {
    return url.toString();
  }

-  async findAvailableWorkspacesByEmail(email: string) {
-    const user = await this.userRepository.findOne({
-      where: {
-        email,
-      },
-      relations: [
-        'workspaces',
-        'workspaces.workspace',
-        'workspaces.workspace.workspaceSSOIdentityProviders',
-      ],
-    });
-
-    userValidator.assertIsDefinedOrThrow(
-      user,
-      new AuthException('User not found', AuthExceptionCode.USER_NOT_FOUND),
-    );
-
-    return user.workspaces.map<AvailableWorkspaceOutput>((userWorkspace) => ({
-      id: userWorkspace.workspaceId,
-      displayName: userWorkspace.workspace.displayName,
-      subdomain: userWorkspace.workspace.subdomain,
-      logo: userWorkspace.workspace.logo,
-      sso: userWorkspace.workspace.workspaceSSOIdentityProviders.reduce(
-        (acc, identityProvider) =>
-          acc.concat(
-            identityProvider.status === 'Inactive'
-              ? []
-              : [
-                  {
-                    id: identityProvider.id,
-                    name: identityProvider.name,
-                    issuer: identityProvider.issuer,
-                    type: identityProvider.type,
-                    status: identityProvider.status,
-                  },
-                ],
-          ),
-        [] as AvailableWorkspaceOutput['sso'],
-      ),
-    }));
-  }
-
  async findInvitationForSignInUp({
    currentWorkspace,
    workspacePersonalInviteToken,
--- a/packages/twenty-server/src/engine/core-modules/auth/services/sign-in-up.service.spec.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/services/sign-in-up.service.spec.ts
@ -22,6 +22,7 @@ import {
  WorkspaceActivationStatus,
 } from 'src/engine/core-modules/workspace/workspace.entity';
 import { AppToken } from 'src/engine/core-modules/app-token/app-token.entity';
+import { UserService } from 'src/engine/core-modules/user/services/user.service';

 jest.mock('src/utils/image', () => {
  return {
@ -36,8 +37,6 @@ describe('SignInUpService', () => {
  let fileUploadService: FileUploadService;
  let workspaceInvitationService: WorkspaceInvitationService;
  let userWorkspaceService: UserWorkspaceService;
-  let onboardingService: OnboardingService;
-  let httpService: HttpService;
  let environmentService: EnvironmentService;
  let domainManagerService: DomainManagerService;

@ -98,6 +97,16 @@ describe('SignInUpService', () => {
            get: jest.fn(),
          },
        },
+        {
+          provide: UserService,
+          useValue: {
+            markEmailAsVerified: jest.fn().mockReturnValue({
+              id: 'test-user-id',
+              email: 'test@test.com',
+              isEmailVerified: true,
+            } as User),
+          },
+        },
        {
          provide: DomainManagerService,
          useValue: {
@ -116,8 +125,6 @@ describe('SignInUpService', () => {
    );
    userWorkspaceService =
      module.get<UserWorkspaceService>(UserWorkspaceService);
-    onboardingService = module.get<OnboardingService>(OnboardingService);
-    httpService = module.get<HttpService>(HttpService);
    environmentService = module.get<EnvironmentService>(EnvironmentService);
    domainManagerService =
      module.get<DomainManagerService>(DomainManagerService);
--- a/packages/twenty-server/src/engine/core-modules/auth/services/sign-in-up.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/services/sign-in-up.service.ts
@ -41,6 +41,7 @@ import {
  SignInUpBaseParams,
  SignInUpNewUserPayload,
 } from 'src/engine/core-modules/auth/types/signInUp.type';
+import { UserService } from 'src/engine/core-modules/user/services/user.service';

@Injectable()
 // eslint-disable-next-line @nx/workspace-inject-workspace-repository
@ -57,6 +58,7 @@ export class SignInUpService {
    private readonly httpService: HttpService,
    private readonly environmentService: EnvironmentService,
    private readonly domainManagerService: DomainManagerService,
+    private readonly userService: UserService,
  ) {}

  async computeParamsForNewUser(
@ -194,6 +196,8 @@ export class SignInUpService {
      email,
    );

+    await this.userService.markEmailAsVerified(updatedUser.id);
+
    return updatedUser;
  }

--- a/packages/twenty-server/src/engine/core-modules/auth/token/services/email-verification-token.service.spec.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/token/services/email-verification-token.service.spec.ts
@ -0,0 +1,187 @@
+import { Test, TestingModule } from '@nestjs/testing';
+import { getRepositoryToken } from '@nestjs/typeorm';
+
+import crypto from 'crypto';
+
+import { Repository } from 'typeorm';
+
+import {
+  AppToken,
+  AppTokenType,
+} from 'src/engine/core-modules/app-token/app-token.entity';
+import {
+  EmailVerificationException,
+  EmailVerificationExceptionCode,
+} from 'src/engine/core-modules/email-verification/email-verification.exception';
+import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service';
+
+import { EmailVerificationTokenService } from './email-verification-token.service';
+
+describe('EmailVerificationTokenService', () => {
+  let service: EmailVerificationTokenService;
+  let appTokenRepository: Repository<AppToken>;
+  let environmentService: EnvironmentService;
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        EmailVerificationTokenService,
+        {
+          provide: getRepositoryToken(AppToken, 'core'),
+          useClass: Repository,
+        },
+        {
+          provide: EnvironmentService,
+          useValue: {
+            get: jest.fn(),
+          },
+        },
+      ],
+    }).compile();
+
+    service = module.get<EmailVerificationTokenService>(
+      EmailVerificationTokenService,
+    );
+    appTokenRepository = module.get<Repository<AppToken>>(
+      getRepositoryToken(AppToken, 'core'),
+    );
+    environmentService = module.get<EnvironmentService>(EnvironmentService);
+  });
+
+  describe('generateToken', () => {
+    it('should generate a verification token successfully', async () => {
+      const userId = 'test-user-id';
+      const email = 'test@example.com';
+      const mockExpiresIn = '24h';
+
+      jest.spyOn(environmentService, 'get').mockReturnValue(mockExpiresIn);
+      jest.spyOn(appTokenRepository, 'create').mockReturnValue({} as AppToken);
+      jest.spyOn(appTokenRepository, 'save').mockResolvedValue({} as AppToken);
+
+      const result = await service.generateToken(userId, email);
+
+      expect(result).toHaveProperty('token');
+      expect(result).toHaveProperty('expiresAt');
+      expect(result.token).toHaveLength(64); // 32 bytes in hex = 64 characters
+      expect(appTokenRepository.create).toHaveBeenCalledWith(
+        expect.objectContaining({
+          userId,
+          type: AppTokenType.EmailVerificationToken,
+          context: { email },
+        }),
+      );
+      expect(appTokenRepository.save).toHaveBeenCalled();
+    });
+  });
+
+  describe('validateEmailVerificationTokenOrThrow', () => {
+    it('should validate token successfully and return user', async () => {
+      const plainToken = 'plain-token';
+      const hashedToken = crypto
+        .createHash('sha256')
+        .update(plainToken)
+        .digest('hex');
+      const mockUser = { id: 'user-id', email: 'test@example.com' };
+      const mockAppToken = {
+        type: AppTokenType.EmailVerificationToken,
+        expiresAt: new Date(Date.now() + 86400000), // 24h from now
+        context: { email: 'test@example.com' },
+        user: mockUser,
+      };
+
+      jest
+        .spyOn(appTokenRepository, 'findOne')
+        .mockResolvedValue(mockAppToken as AppToken);
+      jest
+        .spyOn(appTokenRepository, 'remove')
+        .mockResolvedValue(mockAppToken as AppToken);
+
+      const result =
+        await service.validateEmailVerificationTokenOrThrow(plainToken);
+
+      expect(result).toEqual(mockUser);
+      expect(appTokenRepository.findOne).toHaveBeenCalledWith({
+        where: {
+          value: hashedToken,
+          type: AppTokenType.EmailVerificationToken,
+        },
+        relations: ['user'],
+      });
+      expect(appTokenRepository.remove).toHaveBeenCalledWith(mockAppToken);
+    });
+
+    it('should throw exception for invalid token', async () => {
+      jest.spyOn(appTokenRepository, 'findOne').mockResolvedValue(null);
+
+      await expect(
+        service.validateEmailVerificationTokenOrThrow('invalid-token'),
+      ).rejects.toThrow(
+        new EmailVerificationException(
+          'Invalid email verification token',
+          EmailVerificationExceptionCode.INVALID_TOKEN,
+        ),
+      );
+    });
+
+    it('should throw exception for wrong token type', async () => {
+      const mockAppToken = {
+        type: AppTokenType.PasswordResetToken,
+        expiresAt: new Date(Date.now() + 86400000),
+      };
+
+      jest
+        .spyOn(appTokenRepository, 'findOne')
+        .mockResolvedValue(mockAppToken as AppToken);
+
+      await expect(
+        service.validateEmailVerificationTokenOrThrow('wrong-type-token'),
+      ).rejects.toThrow(
+        new EmailVerificationException(
+          'Invalid email verification token type',
+          EmailVerificationExceptionCode.INVALID_APP_TOKEN_TYPE,
+        ),
+      );
+    });
+
+    it('should throw exception for expired token', async () => {
+      const mockAppToken = {
+        type: AppTokenType.EmailVerificationToken,
+        expiresAt: new Date(Date.now() - 86400000), // 24h ago
+      };
+
+      jest
+        .spyOn(appTokenRepository, 'findOne')
+        .mockResolvedValue(mockAppToken as AppToken);
+
+      await expect(
+        service.validateEmailVerificationTokenOrThrow('expired-token'),
+      ).rejects.toThrow(
+        new EmailVerificationException(
+          'Email verification token expired',
+          EmailVerificationExceptionCode.TOKEN_EXPIRED,
+        ),
+      );
+    });
+
+    it('should throw exception when email is missing in context', async () => {
+      const mockAppToken = {
+        type: AppTokenType.EmailVerificationToken,
+        expiresAt: new Date(Date.now() + 86400000),
+        context: {},
+      };
+
+      jest
+        .spyOn(appTokenRepository, 'findOne')
+        .mockResolvedValue(mockAppToken as AppToken);
+
+      await expect(
+        service.validateEmailVerificationTokenOrThrow('valid-token'),
+      ).rejects.toThrow(
+        new EmailVerificationException(
+          'Email missing in email verification token context',
+          EmailVerificationExceptionCode.EMAIL_MISSING,
+        ),
+      );
+    });
+  });
+});
--- a/packages/twenty-server/src/engine/core-modules/auth/token/services/email-verification-token.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/token/services/email-verification-token.service.ts
@ -0,0 +1,103 @@
+import { Injectable } from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+
+import crypto from 'crypto';
+
+import { addMilliseconds } from 'date-fns';
+import ms from 'ms';
+import { Repository } from 'typeorm';
+
+import {
+  AppToken,
+  AppTokenType,
+} from 'src/engine/core-modules/app-token/app-token.entity';
+import { AuthToken } from 'src/engine/core-modules/auth/dto/token.entity';
+import {
+  EmailVerificationException,
+  EmailVerificationExceptionCode,
+} from 'src/engine/core-modules/email-verification/email-verification.exception';
+import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service';
+
+@Injectable()
+export class EmailVerificationTokenService {
+  constructor(
+    @InjectRepository(AppToken, 'core')
+    private readonly appTokenRepository: Repository<AppToken>,
+    private readonly environmentService: EnvironmentService,
+  ) {}
+
+  async generateToken(userId: string, email: string): Promise<AuthToken> {
+    const expiresIn = this.environmentService.get(
+      'EMAIL_VERIFICATION_TOKEN_EXPIRES_IN',
+    );
+    const expiresAt = addMilliseconds(new Date().getTime(), ms(expiresIn));
+
+    const plainToken = crypto.randomBytes(32).toString('hex');
+    const hashedToken = crypto
+      .createHash('sha256')
+      .update(plainToken)
+      .digest('hex');
+
+    const verificationToken = this.appTokenRepository.create({
+      userId,
+      expiresAt,
+      type: AppTokenType.EmailVerificationToken,
+      value: hashedToken,
+      context: { email },
+    });
+
+    await this.appTokenRepository.save(verificationToken);
+
+    return {
+      token: plainToken,
+      expiresAt,
+    };
+  }
+
+  async validateEmailVerificationTokenOrThrow(emailVerificationToken: string) {
+    const hashedToken = crypto
+      .createHash('sha256')
+      .update(emailVerificationToken)
+      .digest('hex');
+
+    const appToken = await this.appTokenRepository.findOne({
+      where: {
+        value: hashedToken,
+        type: AppTokenType.EmailVerificationToken,
+      },
+      relations: ['user'],
+    });
+
+    if (!appToken) {
+      throw new EmailVerificationException(
+        'Invalid email verification token',
+        EmailVerificationExceptionCode.INVALID_TOKEN,
+      );
+    }
+
+    if (appToken.type !== AppTokenType.EmailVerificationToken) {
+      throw new EmailVerificationException(
+        'Invalid email verification token type',
+        EmailVerificationExceptionCode.INVALID_APP_TOKEN_TYPE,
+      );
+    }
+
+    if (new Date() > appToken.expiresAt) {
+      throw new EmailVerificationException(
+        'Email verification token expired',
+        EmailVerificationExceptionCode.TOKEN_EXPIRED,
+      );
+    }
+
+    if (!appToken.context?.email) {
+      throw new EmailVerificationException(
+        'Email missing in email verification token context',
+        EmailVerificationExceptionCode.EMAIL_MISSING,
+      );
+    }
+
+    await this.appTokenRepository.remove(appToken);
+
+    return appToken.user;
+  }
+}
--- a/packages/twenty-server/src/engine/core-modules/client-config/client-config.entity.ts
+++ b/packages/twenty-server/src/engine/core-modules/client-config/client-config.entity.ts
@ -65,6 +65,9 @@ export class ClientConfig {
  @Field(() => Boolean)
  isMultiWorkspaceEnabled: boolean;

+  @Field(() => Boolean)
+  isEmailVerificationRequired: boolean;
+
  @Field(() => String, { nullable: true })
  defaultSubdomain: string;

--- a/packages/twenty-server/src/engine/core-modules/client-config/client-config.resolver.ts
+++ b/packages/twenty-server/src/engine/core-modules/client-config/client-config.resolver.ts
@ -33,6 +33,9 @@ export class ClientConfigResolver {
      isMultiWorkspaceEnabled: this.environmentService.get(
        'IS_MULTIWORKSPACE_ENABLED',
      ),
+      isEmailVerificationRequired: this.environmentService.get(
+        'IS_EMAIL_VERIFICATION_REQUIRED',
+      ),
      defaultSubdomain: this.environmentService.get('DEFAULT_SUBDOMAIN'),
      frontDomain: this.domainManagerService.getFrontUrl().hostname,
      debugMode: this.environmentService.get('DEBUG_MODE'),
--- a/packages/twenty-server/src/engine/core-modules/domain-manager/service/domain-manager.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/domain-manager/service/domain-manager.service.ts
@ -59,6 +59,22 @@ export class DomainManagerService {
    return baseUrl;
  }

+  buildEmailVerificationURL({
+    emailVerificationToken,
+    email,
+    workspaceSubdomain,
+  }: {
+    emailVerificationToken: string;
+    email: string;
+    workspaceSubdomain?: string;
+  }) {
+    return this.buildWorkspaceURL({
+      subdomain: workspaceSubdomain,
+      pathname: 'verify-email',
+      searchParams: { emailVerificationToken, email },
+    });
+  }
+
  buildWorkspaceURL({
    subdomain,
    pathname,
--- a/packages/twenty-server/src/engine/core-modules/email-verification/dtos/resend-email-verification-token.input.ts
+++ b/packages/twenty-server/src/engine/core-modules/email-verification/dtos/resend-email-verification-token.input.ts
@ -0,0 +1,11 @@
+import { ArgsType, Field } from '@nestjs/graphql';
+
+import { IsEmail, IsNotEmpty } from 'class-validator';
+
+@ArgsType()
+export class ResendEmailVerificationTokenInput {
+  @Field(() => String)
+  @IsEmail()
+  @IsNotEmpty()
+  email: string;
+}
--- a/packages/twenty-server/src/engine/core-modules/email-verification/dtos/resend-email-verification-token.output.ts
+++ b/packages/twenty-server/src/engine/core-modules/email-verification/dtos/resend-email-verification-token.output.ts
@ -0,0 +1,10 @@
+import { Field, ObjectType } from '@nestjs/graphql';
+
+import { IsBoolean } from 'class-validator';
+
+@ObjectType()
+export class ResendEmailVerificationTokenOutput {
+  @IsBoolean()
+  @Field(() => Boolean)
+  success: boolean;
+}
--- a/packages/twenty-server/src/engine/core-modules/email-verification/email-verification.exception.ts
+++ b/packages/twenty-server/src/engine/core-modules/email-verification/email-verification.exception.ts
@ -0,0 +1,17 @@
+import { CustomException } from 'src/utils/custom-exception';
+
+export class EmailVerificationException extends CustomException {
+  constructor(message: string, code: EmailVerificationExceptionCode) {
+    super(message, code);
+  }
+}
+
+export enum EmailVerificationExceptionCode {
+  EMAIL_VERIFICATION_NOT_REQUIRED = 'EMAIL_VERIFICATION_NOT_REQUIRED',
+  INVALID_TOKEN = 'INVALID_TOKEN',
+  INVALID_APP_TOKEN_TYPE = 'INVALID_APP_TOKEN_TYPE',
+  TOKEN_EXPIRED = 'TOKEN_EXPIRED',
+  EMAIL_MISSING = 'EMAIL_MISSING',
+  EMAIL_ALREADY_VERIFIED = 'EMAIL_ALREADY_VERIFIED',
+  RATE_LIMIT_EXCEEDED = 'RATE_LIMIT_EXCEEDED',
+}
--- a/packages/twenty-server/src/engine/core-modules/email-verification/email-verification.module.ts
+++ b/packages/twenty-server/src/engine/core-modules/email-verification/email-verification.module.ts
@ -0,0 +1,30 @@
+import { Module } from '@nestjs/common';
+import { TypeOrmModule } from '@nestjs/typeorm';
+
+import { AppToken } from 'src/engine/core-modules/app-token/app-token.entity';
+import { EmailVerificationTokenService } from 'src/engine/core-modules/auth/token/services/email-verification-token.service';
+import { DomainManagerModule } from 'src/engine/core-modules/domain-manager/domain-manager.module';
+import { EmailVerificationResolver } from 'src/engine/core-modules/email-verification/email-verification.resolver';
+import { EmailVerificationService } from 'src/engine/core-modules/email-verification/services/email-verification.service';
+import { EmailModule } from 'src/engine/core-modules/email/email.module';
+import { EnvironmentModule } from 'src/engine/core-modules/environment/environment.module';
+import { UserWorkspaceModule } from 'src/engine/core-modules/user-workspace/user-workspace.module';
+import { UserModule } from 'src/engine/core-modules/user/user.module';
+
+@Module({
+  imports: [
+    TypeOrmModule.forFeature([AppToken], 'core'),
+    EmailModule,
+    EnvironmentModule,
+    DomainManagerModule,
+    UserModule,
+    UserWorkspaceModule,
+  ],
+  providers: [
+    EmailVerificationService,
+    EmailVerificationResolver,
+    EmailVerificationTokenService,
+  ],
+  exports: [EmailVerificationService, EmailVerificationTokenService],
+})
+export class EmailVerificationModule {}
--- a/packages/twenty-server/src/engine/core-modules/email-verification/email-verification.resolver.ts
+++ b/packages/twenty-server/src/engine/core-modules/email-verification/email-verification.resolver.ts
@ -0,0 +1,35 @@
+import { Args, Mutation, Resolver } from '@nestjs/graphql';
+
+import { DomainManagerService } from 'src/engine/core-modules/domain-manager/service/domain-manager.service';
+import { ResendEmailVerificationTokenInput } from 'src/engine/core-modules/email-verification/dtos/resend-email-verification-token.input';
+import { ResendEmailVerificationTokenOutput } from 'src/engine/core-modules/email-verification/dtos/resend-email-verification-token.output';
+import { EmailVerificationService } from 'src/engine/core-modules/email-verification/services/email-verification.service';
+import { workspaceValidator } from 'src/engine/core-modules/workspace/workspace.validate';
+import { OriginHeader } from 'src/engine/decorators/auth/origin-header.decorator';
+
+@Resolver()
+export class EmailVerificationResolver {
+  constructor(
+    private readonly emailVerificationService: EmailVerificationService,
+    private readonly domainManagerService: DomainManagerService,
+  ) {}
+
+  @Mutation(() => ResendEmailVerificationTokenOutput)
+  async resendEmailVerificationToken(
+    @Args()
+    resendEmailVerificationTokenInput: ResendEmailVerificationTokenInput,
+    @OriginHeader() origin: string,
+  ): Promise<ResendEmailVerificationTokenOutput> {
+    const workspace =
+      await this.domainManagerService.getWorkspaceByOriginOrDefaultWorkspace(
+        origin,
+      );
+
+    workspaceValidator.assertIsDefinedOrThrow(workspace);
+
+    return await this.emailVerificationService.resendEmailVerificationToken(
+      resendEmailVerificationTokenInput.email,
+      workspace.subdomain,
+    );
+  }
+}
--- a/packages/twenty-server/src/engine/core-modules/email-verification/services/email-verification.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/email-verification/services/email-verification.service.ts
@ -0,0 +1,131 @@
+import { Injectable } from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+
+import { render } from '@react-email/render';
+import { addMilliseconds, differenceInMilliseconds } from 'date-fns';
+import ms from 'ms';
+import { SendEmailVerificationLinkEmail } from 'twenty-emails';
+import { Repository } from 'typeorm';
+
+import {
+  AppToken,
+  AppTokenType,
+} from 'src/engine/core-modules/app-token/app-token.entity';
+import { EmailVerificationTokenService } from 'src/engine/core-modules/auth/token/services/email-verification-token.service';
+import { DomainManagerService } from 'src/engine/core-modules/domain-manager/service/domain-manager.service';
+import {
+  EmailVerificationException,
+  EmailVerificationExceptionCode,
+} from 'src/engine/core-modules/email-verification/email-verification.exception';
+import { EmailService } from 'src/engine/core-modules/email/email.service';
+import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service';
+import { UserService } from 'src/engine/core-modules/user/services/user.service';
+
+@Injectable()
+// eslint-disable-next-line @nx/workspace-inject-workspace-repository
+export class EmailVerificationService {
+  constructor(
+    @InjectRepository(AppToken, 'core')
+    private readonly appTokenRepository: Repository<AppToken>,
+    private readonly domainManagerService: DomainManagerService,
+    private readonly emailService: EmailService,
+    private readonly environmentService: EnvironmentService,
+    private readonly userService: UserService,
+    private readonly emailVerificationTokenService: EmailVerificationTokenService,
+  ) {}
+
+  async sendVerificationEmail(
+    userId: string,
+    email: string,
+    workspaceSubdomain?: string,
+  ) {
+    if (!this.environmentService.get('IS_EMAIL_VERIFICATION_REQUIRED')) {
+      return { success: false };
+    }
+
+    const { token: emailVerificationToken } =
+      await this.emailVerificationTokenService.generateToken(userId, email);
+
+    const verificationLink =
+      this.domainManagerService.buildEmailVerificationURL({
+        emailVerificationToken,
+        email,
+        workspaceSubdomain,
+      });
+
+    const emailData = {
+      link: verificationLink.toString(),
+    };
+
+    const emailTemplate = SendEmailVerificationLinkEmail(emailData);
+
+    const html = render(emailTemplate, {
+      pretty: true,
+    });
+
+    const text = render(emailTemplate, {
+      plainText: true,
+    });
+
+    await this.emailService.send({
+      from: `${this.environmentService.get(
+        'EMAIL_FROM_NAME',
+      )} <${this.environmentService.get('EMAIL_FROM_ADDRESS')}>`,
+      to: email,
+      subject: 'Welcome to Twenty: Please Confirm Your Email',
+      text,
+      html,
+    });
+
+    return { success: true };
+  }
+
+  async resendEmailVerificationToken(
+    email: string,
+    workspaceSubdomain?: string,
+  ) {
+    if (!this.environmentService.get('IS_EMAIL_VERIFICATION_REQUIRED')) {
+      throw new EmailVerificationException(
+        'Email verification token cannot be sent because email verification is not required',
+        EmailVerificationExceptionCode.EMAIL_VERIFICATION_NOT_REQUIRED,
+      );
+    }
+
+    const user = await this.userService.getUserByEmail(email);
+
+    if (user.isEmailVerified) {
+      throw new EmailVerificationException(
+        'Email already verified',
+        EmailVerificationExceptionCode.EMAIL_ALREADY_VERIFIED,
+      );
+    }
+
+    const existingToken = await this.appTokenRepository.findOne({
+      where: {
+        userId: user.id,
+        type: AppTokenType.EmailVerificationToken,
+      },
+    });
+
+    if (existingToken) {
+      const cooldownDuration = ms('1m');
+      const timeToWaitMs = differenceInMilliseconds(
+        addMilliseconds(existingToken.createdAt, cooldownDuration),
+        new Date(),
+      );
+
+      if (timeToWaitMs > 0) {
+        throw new EmailVerificationException(
+          `Please wait ${ms(timeToWaitMs, { long: true })} before requesting another verification email`,
+          EmailVerificationExceptionCode.RATE_LIMIT_EXCEEDED,
+        );
+      }
+
+      await this.appTokenRepository.delete(existingToken.id);
+    }
+
+    await this.sendVerificationEmail(user.id, email, workspaceSubdomain);
+
+    return { success: true };
+  }
+}
--- a/packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts
+++ b/packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts
@ -413,6 +413,15 @@ export class EnvironmentVariables {

  MESSAGE_QUEUE_TYPE: string = MessageQueueDriverType.BullMQ;

+  @CastToBoolean()
+  @IsOptional()
+  @IsBoolean()
+  IS_EMAIL_VERIFICATION_REQUIRED = false;
+
+  @IsDuration()
+  @IsOptional()
+  EMAIL_VERIFICATION_TOKEN_EXPIRES_IN = '1h';
+
  EMAIL_FROM_ADDRESS = 'noreply@yourdomain.com';

  EMAIL_SYSTEM_ADDRESS = 'system@yourdomain.com';
--- a/packages/twenty-server/src/engine/core-modules/graphql/utils/graphql-errors.util.ts
+++ b/packages/twenty-server/src/engine/core-modules/graphql/utils/graphql-errors.util.ts
@ -24,6 +24,7 @@ export enum ErrorCode {
  PERSISTED_QUERY_NOT_SUPPORTED = 'PERSISTED_QUERY_NOT_SUPPORTED',
  BAD_USER_INPUT = 'BAD_USER_INPUT',
  NOT_FOUND = 'NOT_FOUND',
+  EMAIL_NOT_VERIFIED = 'EMAIL_NOT_VERIFIED',
  METHOD_NOT_ALLOWED = 'METHOD_NOT_ALLOWED',
  CONFLICT = 'CONFLICT',
  TIMEOUT = 'TIMEOUT',
@ -160,6 +161,14 @@ export class NotFoundError extends BaseGraphQLError {
  }
 }

+export class EmailNotVerifiedError extends BaseGraphQLError {
+  constructor(message: string) {
+    super(message, ErrorCode.EMAIL_NOT_VERIFIED);
+
+    Object.defineProperty(this, 'name', { value: 'EmailNotVerifiedError' });
+  }
+}
+
 export class MethodNotAllowedError extends BaseGraphQLError {
  constructor(message: string) {
    super(message, ErrorCode.METHOD_NOT_ALLOWED);
--- a/packages/twenty-server/src/engine/core-modules/user-workspace/user-workspace.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/user-workspace/user-workspace.service.ts
@ -7,8 +7,14 @@ import { Repository } from 'typeorm';
 import { TypeORMService } from 'src/database/typeorm/typeorm.service';
 import { DatabaseEventAction } from 'src/engine/api/graphql/graphql-query-runner/enums/database-event-action';
 import { USER_SIGNUP_EVENT_NAME } from 'src/engine/api/graphql/workspace-query-runner/constants/user-signup-event-name.constants';
+import {
+  AuthException,
+  AuthExceptionCode,
+} from 'src/engine/core-modules/auth/auth.exception';
+import { AvailableWorkspaceOutput } from 'src/engine/core-modules/auth/dto/available-workspaces.output';
 import { UserWorkspace } from 'src/engine/core-modules/user-workspace/user-workspace.entity';
 import { User } from 'src/engine/core-modules/user/user.entity';
+import { userValidator } from 'src/engine/core-modules/user/user.validate';
 import { WorkspaceInvitationService } from 'src/engine/core-modules/workspace-invitation/services/workspace-invitation.service';
 import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
 import { DataSourceService } from 'src/engine/metadata-modules/data-source/data-source.service';
@ -161,4 +167,46 @@ export class UserWorkspaceService extends TypeOrmQueryService<UserWorkspace> {
      },
    });
  }
+
+  async findAvailableWorkspacesByEmail(email: string) {
+    const user = await this.userRepository.findOne({
+      where: {
+        email,
+      },
+      relations: [
+        'workspaces',
+        'workspaces.workspace',
+        'workspaces.workspace.workspaceSSOIdentityProviders',
+      ],
+    });
+
+    userValidator.assertIsDefinedOrThrow(
+      user,
+      new AuthException('User not found', AuthExceptionCode.USER_NOT_FOUND),
+    );
+
+    return user.workspaces.map<AvailableWorkspaceOutput>((userWorkspace) => ({
+      id: userWorkspace.workspaceId,
+      displayName: userWorkspace.workspace.displayName,
+      subdomain: userWorkspace.workspace.subdomain,
+      logo: userWorkspace.workspace.logo,
+      sso: userWorkspace.workspace.workspaceSSOIdentityProviders.reduce(
+        (acc, identityProvider) =>
+          acc.concat(
+            identityProvider.status === 'Inactive'
+              ? []
+              : [
+                  {
+                    id: identityProvider.id,
+                    name: identityProvider.name,
+                    issuer: identityProvider.issuer,
+                    type: identityProvider.type,
+                    status: identityProvider.status,
+                  },
+                ],
+          ),
+        [] as AvailableWorkspaceOutput['sso'],
+      ),
+    }));
+  }
 }
--- a/packages/twenty-server/src/engine/core-modules/user/services/user.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/user/services/user.service.ts
@ -165,4 +165,30 @@ export class UserService extends TypeOrmQueryService<User> {
      ),
    );
  }
+
+  async getUserByEmail(email: string) {
+    const user = await this.userRepository.findOne({
+      where: {
+        email,
+      },
+    });
+
+    userValidator.assertIsDefinedOrThrow(user);
+
+    return user;
+  }
+
+  async markEmailAsVerified(userId: string) {
+    const user = await this.userRepository.findOne({
+      where: {
+        id: userId,
+      },
+    });
+
+    userValidator.assertIsDefinedOrThrow(user);
+
+    user.isEmailVerified = true;
+
+    return await this.userRepository.save(user);
+  }
 }
--- a/packages/twenty-server/src/engine/core-modules/user/user.entity.ts
+++ b/packages/twenty-server/src/engine/core-modules/user/user.entity.ts
@ -55,7 +55,7 @@ export class User {

  @Field()
  @Column({ default: false })
-  emailVerified: boolean;
+  isEmailVerified: boolean;

  @Field({ nullable: true })
  @Column({ default: false })
--- a/packages/twenty-server/src/engine/middlewares/graphql-hydrate-request-from-token.middleware.ts
+++ b/packages/twenty-server/src/engine/middlewares/graphql-hydrate-request-from-token.middleware.ts
@ -48,6 +48,8 @@ export class GraphQLHydrateRequestFromTokenMiddleware
      'CheckUserExists',
      'Challenge',
      'Verify',
+      'GetLoginTokenFromEmailVerificationToken',
+      'ResendEmailVerificationToken',
      'SignUp',
      'RenewToken',
      'EmailPasswordResetLink',
--- a/packages/twenty-website/src/content/developers/self-hosting/setup.mdx
+++ b/packages/twenty-website/src/content/developers/self-hosting/setup.mdx
@ -185,6 +185,8 @@ yarn command:prod cron:calendar:ongoing-stale
 ### Email

 <ArticleTable options={[
+    ['IS_EMAIL_VERIFICATION_REQUIRED', 'false', 'If enabled, users must verify their email address before signing in. When true, users will receive a verification email after registration'],
+    ['EMAIL_VERIFICATION_TOKEN_EXPIRES_IN', '1h', 'How long email verification tokens remain valid before requiring a new verification email'],
    ['EMAIL_FROM_ADDRESS', 'contact@yourdomain.com', 'Global email From: header used to send emails'],
    ['EMAIL_FROM_NAME', 'John from YourDomain', 'Global name From: header used to send emails'],
    ['EMAIL_SYSTEM_ADDRESS', 'system@yourdomain.com', 'Email address used as a destination to send internal system notification'],
@ -212,24 +214,24 @@ yarn command:prod cron:calendar:ongoing-stale

  <ArticleTab>

-    Keep in mind that if you have 2FA enabled, you will need to provision an [App Password](https://support.microsoft.com/en-us/account-billing/manage-app-passwords-for-two-step-verification-d6dc8c6d-4bf7-4851-ad95-6d07799387e9).
-    - EMAIL_DRIVER=smtp
-    - EMAIL_SMTP_HOST=smtp.office365.com
-    - EMAIL_SMTP_PORT=587
-    - EMAIL_SMTP_USER=office365_email_address
+  Keep in mind that if you have 2FA enabled, you will need to provision an [App Password](https://support.microsoft.com/en-us/account-billing/manage-app-passwords-for-two-step-verification-d6dc8c6d-4bf7-4851-ad95-6d07799387e9).
+  - EMAIL_DRIVER=smtp
+  - EMAIL_SMTP_HOST=smtp.office365.com
+  - EMAIL_SMTP_PORT=587
+  - EMAIL_SMTP_USER=office365_email_address
    - EMAIL_SMTP_PASSWORD='office365_password'

  </ArticleTab>

  <ArticleTab>

-    **smtp4dev** is a fake SMTP email server for development and testing.
-    - Run the smtp4dev image: `docker run --rm -it -p 8090:80 -p 2525:25 rnwood/smtp4dev`
-    - Access the smtp4dev ui here: [http://localhost:8090](http://localhost:8090)
-    - Set the following env variables:
-      - EMAIL_DRIVER=smtp
-      - EMAIL_SMTP_HOST=localhost
-      - EMAIL_SMTP_PORT=2525
+  **smtp4dev** is a fake SMTP email server for development and testing.
+  - Run the smtp4dev image: `docker run --rm -it -p 8090:80 -p 2525:25 rnwood/smtp4dev`
+  - Access the smtp4dev ui here: [http://localhost:8090](http://localhost:8090)
+  - Set the following env variables:
+    - EMAIL_DRIVER=smtp
+    - EMAIL_SMTP_HOST=localhost
+    - EMAIL_SMTP_PORT=2525

  </ArticleTab>