
Ask HN: Would you see value in a “verify email” API? - alexchardin
I have an app in the Windows Store (haha, I know). It uses some 3rd party APIs but does not have a server-side backend of its own (technically it does, but for the purpose of this question let's say it doesn't).

In the app, the user enters their email address and payment information. Before processing their payment, I would like to verify that the user actually owns the email address that they entered.

Of course the popular way of doing this is to send the user an email with a link that they have to click. To continue the trend of not maintaining my own backend, it would be nice to have an API that does this for me.

The basic functionality would be as follows. For simplicity, I'll refer to this hypothetical thing as "the API."

1. App sends an email address to the API.
2. The API sends an email to the email address.
3. User clicks a link in the email, taking them to a simple "thank you"-style page at the API.
4. The API marks that email as verified.
5. App makes another call to the API and sees that the email is verified. Done.

Same could apply for SMS, I suppose. There seems to be a wealth of email verification services that focus on bulk validation of MX records and things like that. But I don't see anything like this.

Would this be valuable? Too niche? Already exists and I can't find it?

Would love your thoughts. Thanks!
======
raisedadead
How about a simple one time key? I am assuming that your app is not going to
store anything and has no backend at all.

So let's say your app pings the API with the email and a special loooooooong
human readable string of random words:

"A horse is an grass, it feeds on animal!"

Note the phrase (key) should not make sense or be correct grammatically, it
could be just a bunch of words jumbled together.

The API sends this to the user, the user enters the same on your page with
the grammatically correct one.

"A horse is an animal, it feeds on grass!"

Boom, you have a very high entropy, a secure paraphrase that's probably
reliably secure and can be enhanced to timeout against brute force attacks.
It's really up to you to what you want to do with the API and your app.

Looks complex, but should be a good starting point to build something.
Good luck!
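
Added example, not part of the thread or any poster's code: a minimal in-memory model of the five-step flow from the original post, using a one-time secret with an expiry as the reply above suggests. `VerifyService`, its method names, the 15-minute lifetime and the `outbox` list standing in for mail delivery are all assumptions.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 15 * 60  # assumed lifetime of a pending verification


class VerifyService:
    """Hypothetical in-memory model of "the API" (all names are assumptions)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.records = {}   # poll_id -> record, read by the app in step 5
        self.by_token = {}  # sha256(link token) -> poll_id; raw token is never stored
        self.outbox = []    # (email, link_token) pairs; stands in for sending mail

    def start(self, email):
        """Steps 1-2: the app submits an address and gets back only a poll id."""
        poll_id = secrets.token_urlsafe(16)
        link_token = secrets.token_urlsafe(32)  # 256-bit one-time secret
        self.records[poll_id] = {"email": email, "verified": False,
                                 "expires": self.clock() + TTL_SECONDS}
        self.by_token[self._digest(link_token)] = poll_id
        self.outbox.append((email, link_token))  # only the mailbox sees this
        return poll_id

    def confirm(self, link_token):
        """Steps 3-4: the user opens the emailed link; the token works once."""
        poll_id = self.by_token.pop(self._digest(link_token), None)
        if poll_id is None:
            return False  # unknown or already used
        rec = self.records[poll_id]
        if self.clock() > rec["expires"]:
            return False  # too late; the token has been consumed either way
        rec["verified"] = True
        return True

    def status(self, poll_id):
        """Step 5: the app polls with its own id, which cannot confirm anything."""
        rec = self.records.get(poll_id)
        if rec is None:
            return "unknown"
        if rec["verified"]:
            return "verified"
        return "expired" if self.clock() > rec["expires"] else "pending"

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()
```

The app only ever holds the poll id, so a modified client cannot mark an address as verified without reading the mailbox.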

------
jrm2k6
I was checking about that today, to see if it was actually something I would
be interested in working on. I found that service doing something similar:
[http://docs.kickbox.io/](http://docs.kickbox.io/)

Is that what you meant?

EDIT: ok, you don't want any backend so webhooks won't work.

~~~
alexchardin
Well, aside from webhooks or anything, Kickbox and its competitors seem to
focus on checking if an email address exists based on DNS and SMTP pings.

This is valuable, but I want to be able to know for sure that 1. the email is
"real" and 2. the person using the email address actually has access to it and
can receive emails on it. Thus the process of actually sending an email to the
provided address and making them click a link.

I've still not seen anything that provides this functionality.

~~~
jrm2k6
Just seeing your reply now, sorry, not used to getting answers on HN :D

Yes, I see what you mean. Maybe I should give it a shot. :)

------
jjoe
It could be useful but the entity behind this service would need to be
reputable with a proven track record. Because what this amounts to--from an
end user perspective--is a breach of privacy.

As for the technical part, I think you're better off passing a callback URL to
the service so it posts to it when the user verifies the email. The callback
URL could be an AWS lambda.

~~~
alexchardin
Understood on the privacy concerns. Good point.

Agreed that the Callback URL is definitely preferable, if the consuming
application has a backend (Lambda or more substantial). Thanks!

------
zhte415
When does 5 happen? Continuous pinging until timeout of verified?

On 3 I could see the api just redirecting back to the app. And 4 is retained
for future backup?

Just to share how this is made smoother somewhere else in the world: App
displays QR code on screen either on webpage or in-store POS, user scans QR
code, payment is made and funds transferred instantly.

~~~
alexchardin
Thanks for the reply.

I was thinking either pinging or some sort of a "check" button that the user
would click/tap (e.g. Cloudflare's button to check the status of NS
transfers). Not the smoothest part of the idea. This decision would ultimately
be left to the consumer of the API. Also, in thinking this through a little
more I think it is also applicable to applications that _do_ have their own
backend, in which case they could provide a callback.

I like your idea on 3/4. That could maybe be a configurable option.

------
patrickgordon
In regards to your proposed workflow, I would prefer to have "the API" use a
webhook to let the App know that the email has been verified.

This way I can update a user record and make a nicer experience the next time
the user comes back rather than having to make a call to the API to check they
are verified.

~~~
chatmasta
OP's question is about avoiding backend completely, so a webhook wouldn't help
much. At that point you may as well implement your own email verification as
well.

