v2.7+ The Verifalia API provides the ability to manage the users of your Verifalia account, as well as their security and configuration settings. Each user has unique login credentials and can submit, view, and manage their own private email-verification jobs, while sharing the same account balance: this makes it easy to separate activities for team members, clients (in case you are reselling our email verification service), or other API consumers (such as apps and websites running our email verification widget).
Each user can be one of these user types:
Administrator: has complete, unrestricted access to the Verifalia account;
Standard user: has flexible, granular permissions, ideal for coworkers or API access;
Browser app: designed for public-facing web applications and our embeddable widget; uses passwordless authentication and has fixed, limited permissions restricted to email verification only.
Where applicable, the API also allows configuring specific settings settings for each user, including authentication methods and secondary authentication factors, permissions, firewall rules, CAPTCHA / bot detection settings, throttling rules, data retention settings and trusted origins.
Listing users
An API consumer can list the users of their account by issuing an HTTP GET request against this sub-resource:
/users
Verifalia replies back with an HTTP 200 (OK) status code along with a JSON object with an array of the overviews of the users. If the listing does not succeed, the API returns one of the supported HTTP error status codes and, where applicable, the details of the problem.
Verifalia returns listings of users through a JSON object which derives from the common paginated results structure, where each data item represents an overview of a specific user and has the following structure.
// This feature is not yet supported by the Verifalia .NET SDK.
// This feature is not yet supported by the Verifalia Java SDK.
// This feature is not yet supported by the Verifalia JavaScript SDK.
// This feature is not yet supported by the Verifalia PHP SDK.
// This feature is not yet supported by the Verifalia Go SDK.
# This feature is not yet supported by the Verifalia Ruby SDK.
User overview structure
This JSON structure represents an overview of a specific user and has the following fields:
Field
Type
Description
displayName
string
Specifies a custom label given to the user for display purposes.
etag
string
Contains an hash that changes when the user's settings change, allowing for efficient caching and optimistic concurrency control.
id
string
Uniquely identifies the user.
isActive
boolean
Indicates whether the user is active: inactive users cannot access Verifalia but still count toward the account’s maximum user limit.
isDeleted
boolean
Shows whether the user has been permanently deleted or not; this field is omitted if its value is false.
type
string
Defines the user's type; can be one of these values: - Administrator for administrator users; - Standard: for standard users; - BrowserApp: for browser apps.
Filtering and Sorting
By default, the Verifalia API returns only non-deleted users within an account, sorted by creation date from oldest to newest; API consumers can customize this behavior by passing the following query string parameters:
Field
Type
Description
includeDeleted
boolean
If set to true, the API will also return deleted users.
type
string
Specifies the type of users to retrieve; possible values include: - Administrator (for administrators) - Standard (for standard users) - BrowserApp (for browser apps)
sort
string
Defines the sorting order; possible values are: - createdOn: Sorts users by creation date, oldest to newest (default). - -createdOn: Sorts users by creation date, newest to oldest. - displayName: Sorts users by display name in ascending order. - -displayName: Sorts users by display name in descending order.
Example usage
Language:
# Lists only standard users, sorted by display name
curl -u username:password \
--compressed \
'https://api.verifalia.com/v2.7/users?type=Standard&sort=displayName'
// This feature is not yet supported by the Verifalia .NET SDK.
// This feature is not yet supported by the Verifalia Java SDK.
// This feature is not yet supported by the Verifalia JavaScript SDK.
// This feature is not yet supported by the Verifalia PHP SDK.
// This feature is not yet supported by the Verifalia Go SDK.
# This feature is not yet supported by the Verifalia Ruby SDK.
Retrieving user details
API consumers can retrieve details for a specific user by sending an HTTP GET request to the following endpoint:
/users/{user-id}
Here, {user-id} is the unique identifier assigned by Verifalia when the user was created, also included when listing users.
If the request is successful, Verifalia returns an HTTP 200 (OK) status along with the user's data according to the structure described below, in JSON format. If the request fails, it responds with an appropriate HTTP error status code and, when applicable, details about the issue.
// This feature is not yet supported by the Verifalia .NET SDK.
// This feature is not yet supported by the Verifalia Java SDK.
// This feature is not yet supported by the Verifalia JavaScript SDK.
// This feature is not yet supported by the Verifalia PHP SDK.
// This feature is not yet supported by the Verifalia Go SDK.
# This feature is not yet supported by the Verifalia Ruby SDK.
User detail structure
The user detail structure is returned as a JSON object containing the following fields:
Field
Type
Description
authentication
object
Lists the authentication methods available to the user. See details.
authorization
object
Includes the authorization settings for the user. See details.
captcha
object
Contains settings related to CAPTCHA enforcement for email verification requests made by the user. See details.
defaults
object
Contains default configuration settings for the user. See details.
displayName
string
Contains the user’s display name, typically their full name.
firewall
object
Contains settings related to API request firewall rules. See details.
isActive
boolean
A flag that indicates whether the user is currently active; inactive users cannot access Verifalia but still count toward the account’s user limit.
preferredContactMethod
string
Contains the ID of the user’s preferred contact method. If omitted, it means the user has no available contact methods; once the user adds their first contact method, the system automatically sets it as the preferred one.
throttling
object
Contains rate-limiting settings for email verification jobs. See details.
trustedOrigin
object
Includes settings for trusted HTTP origins enforcement; applies only to browser apps. See details.
type
string
Specifies the type of user. Accepted values are: - Administrator for account administrators. - Standard for standard users. - BrowserApp for browser apps.
authentication object
Field
Type
Description
certificate
object
Represents the settings related to X.509 client certificate authentication; applies only to standard users. See details.
password
object
Contains the settings related to username-password authentication. See details.
recoveryContactMethod
string
The ID of the contact method to be used for password recovery. If this field is omitted, the user does not have a configured recovery contact method and password recovery is unavailable.
authentication.certificate object
Field
Type
Description
isEnabled
boolean
A flag that controls whether the user can authenticate using their X.509 client certificates.
authentication.password object
Field
Type
Description
isEnabled
boolean
When set to true, the user can authenticate using a username and password. Passwordless authentication is treated as username-password authentication with an empty password.
isMfaRequired
boolean
A flag that controls whether multi-factor authentication (MFA) is required when using username-password authentication.
username
string
Represents the user's username; for browser apps, this is the publishable browser app key. If username-password authentication is not enabled, this field may be omitted.
authorization object
Field
Type
Description
rules
array
An array of strings, each representing a specific authorization rule applied to the user.
Each authorization rule is represented by a string which follows this format:
[{effect}]resource[:operation[:scope]]
where:
effect can be either an empty string (which grants permission) or a dash - (which denies permission);
resource[:operation[:scope]] is one of the permissions the API supports;
if the scope is not specified, it's assumed to apply account-wide;
similarly, if the operation is not specified, all operations are assumed.
Note
You can use the * wildcard to match any value within a segment.
For example: email-verifications:*:own means the user is granted all operations on the email-verifications resource, but only within their own scope.
captcha object
Field
Type
Description
isEnabled
boolean
A flag which, when set to true, enforces that all email verifications for this user require a valid CAPTCHA response.
providers
object
Contains CAPTCHA provider settings, omitted if there are no configured CAPTCHA providers. See details.
captcha.providers object
Field
Type
Description
hCaptcha
object
Contains settings for integrating hCaptcha, omitted if hCaptcha is not configured. See details.
reCaptchaV2
object
Contains settings for integrating Google reCAPTCHA v2, omitted if Google reCAPTCHA v2 is not configured. See details.
reCaptchaV3
object
Contains settings for integrating Google reCAPTCHA v3, omitted if Google reCAPTCHA v3 is not configured. See details.
turnstile
object
Contains settings for integrating Cloudflare Turnstile, omitted if Cloudflare Turnstile is not configured. See details.
captcha.providers.hCaptcha object
Field
Type
Description
secretKey
string
Represents the secret key which authorizes communication between Verifalia and hCaptcha.
siteKey
string
Represents the site key that restricts token redemption.
Represents the secret key which authorizes communication between Verifalia and Google.
minScore
number
A value between 0 and 1 that sets the minimum acceptable score; lower scores indicate a higher likelihood of bot-like behavior. If not specified, Verifalia defaults to the Google-recommended minimum score of 0.5.
Contains the default data retention period to observe for email verifications, expressed in the format dd.hh:mm:ss (where dd: days, hh: hours, mm: minutes, ss: seconds); the initial dd. part is added only for periods of more than 24 hours. The value has a minimum of 5 minutes (0:5:0) and a maximum of 30 days (30.0:0:0).
Note
Verifalia automatically deletes email verification data after the specified retention period, starting from the time the job is completed. If defaults.retention is set, its value overrides the default data retention period configured at the account level. You can also override both settings when submitting an individual verification job, if needed. Additionally, verification jobs can always be manually deleted before their retention period expires.
firewall object
Field
Type
Description
isEnabled
boolean
A flag that, when set to true, enforces firewall rule checks on all API requests made by the user.
rules
array
An array of objects representing firewall rules. See details.
firewall.rules[] object
Field
Type
Description
addressFamily
string
Specifies the address family, either IPv4 or IPv6.
displayName
string
Represents a label for the rule.
endIP
string
Specifies the ending IP address of the range affected by the rule.
startIP
string
Specifies the starting IP address of the range affected by the rule.
throttling object
Field
Type
Description
maxEntriesPerJob
number
Specifies the maximum number of entries (email addresses) allowed per email verification submission; if omitted, there is no limit.
rules
array
An array of objects representing throttling rules. See details.
throttling.rules[] object
Field
Type
Description
limit
number
Represents the maximum number of jobs allowed during the specified period.
period
string
Indicates the time window for the limit. Accepted values are Minute, Hour, or Day.
scope
string
Defines the rule’s scope. Accepted values are Global or IPAddress.
trustedOrigin object
Field
Type
Description
isEnabled
boolean
A flag that, when true, causes the API to validate the HTTP origin of each request based on the defined expressions.
expressions
array
An array of wildcard expressions (strings) that define the allowed HTTP origins.
Verifalia supports the following wildcards:
* matches any sequence of characters, including none;
? matches any single character.
Creating Users
To create a new user, API consumers must send an HTTP POST request to the following endpoint:
/users
Include a JSON payload in the request body that describes the user to be created. If the request is successful, Verifalia responds with an HTTP 200 OK status code along with a JSON object summarizing the newly created user and a Location header containing a URL where you can retrieve the full details of the user. Also, the API returns an ETag header that identifies the version of the user object, which can be used for caching and optimistic concurrency control.
If the request fails, the API responds with an appropriate HTTP error status code and, when applicable, additional details about the error.
Note
For security reasons, only administrators are allowed to create other administrators.
Request Body
The request body must be a JSON object (with the Content-Type header set to application/json) and should follow the same structure as the user detail structure described above. The only additional field allowed is the user's password for authentication (not applicable to browser apps, which use passwordless authentication):
// This feature is not yet supported by the Verifalia .NET SDK.
// This feature is not yet supported by the Verifalia Java SDK.
// This feature is not yet supported by the Verifalia JavaScript SDK.
// This feature is not yet supported by the Verifalia PHP SDK.
// This feature is not yet supported by the Verifalia Go SDK.
# This feature is not yet supported by the Verifalia Ruby SDK.
Updating users
To update an existing user, API clients should send an HTTP PATCH request to the following sub-resource:
/users/{user-id}
Here, {user-id} is the unique identifier assigned by Verifalia when the user is created, which is also included when listing or retrieving users. The request must include a payload that describes the changes to be applied.
If the update is successful, Verifalia responds with an HTTP 200 (OK) status code. If there's an error, the API returns an appropriate HTTP error status code, along with problem details when applicable.
Note
For security reasons, only administrators are allowed to update other administrators.
The request body must be a JSON Patch document (as defined by RFC 6902), with the Content-Type header set to application/json-patch+json: each operation's path should target a field in the original user detail structure described above. For example, the following payload updates the user's display name:
// This feature is not yet supported by the Verifalia .NET SDK.
// This feature is not yet supported by the Verifalia Java SDK.
// This feature is not yet supported by the Verifalia JavaScript SDK.
// This feature is not yet supported by the Verifalia PHP SDK.
// This feature is not yet supported by the Verifalia Go SDK.
# This feature is not yet supported by the Verifalia Ruby SDK.
Deleting users
To delete a user, API clients should send an HTTP DELETE request to the following sub-resource:
/users/{user-id}
Here, {user-id} is the unique identifier assigned by Verifalia when the user was created, also included when listing or retrieving users.
If the deletion is successful, Verifalia returns an HTTP 200 (OK) status code. If the operation fails, the API responds with an appropriate HTTP error status code and, when applicable, details about the issue.
Note
For security reasons, only administrators are allowed to delete other administrators.