Register users as unconfirmed by default / confirmed consequences

System Information
  • Strapi Version: 4.1.9
  • Operating System: windows11
  • Database: sqlite
  • Node Version: node v14.17.6)
  • NPM Version:

The default behavior after registration (with “email confirmation” turned off) is that the user is now authorized and confirmed.
I want to confirm users manually, but there is no option nowhere to toggle this beahvior.
Googling, there’s one obscure hack to make this happen that involves going into npm modules and changing “params.confirmed = false”.
This doesn’t work for almost any deployment (as the packages are installed during deployment, to state the obvious).

Furthermore I tested whether it even made any difference if a user was unconfirmed, lest I continue a pointless crusade. It turns out there isn’t.
You can reproduce by:

  1. registering a user
  2. hitting up the /me endpoint (or another endpoint you have set up for authenticated users only)
  3. if you get a positive response (status 200 + data) go to strapi dashboard
  4. now set the “confirmed” attribute of that user as “false” and save
  5. hit up the /me endpoint (it returns 200 + user data including “confirmed: false” which is correct
  6. hit up another authenticated-users-only endpoint
  7. expected response: 401 unathourized. actual behavior: 200 + data
  8. maybe this jwt token is magically stored as “confirmed” somewhere, lets “login” again to get a different jwt and use that one
  9. hit up the endpoint in point 6. again
  10. expected response: 401 unathourized. actual behavior: 200 + data

So please, can someone help me:

  1. Register users as “unconfirmed” by default
  2. Prevent them from getting content when they are unconfirmed (without writing lifecycles for every single content-type controller lol)


npm modules solutions

1 Like

Hi @dasfacc , did you find any answer to your questions? I’m interested in implementing the same kind of functionality…

1 Like

Hi @ptas and @dasfacc I am facing the exact same issue and am confused.
“confirmed” status does not do anything, no?
Am I correct with my guess:
“Confirmed” just means the user did validate that the email address is owned by him?
But strapi itself does not do anything with this information?
If I want to use this information to protect routes f.e. I need to create custom guards and logic to do so?

Best, Nico

Hey Nico,

Haven’t tested this in a while but most likely the behavior has remained the same (confirmed status doesn’t influence permissions)

The field “blocked” though does block user requests if set to true

The solution I found to my problem was setting the default role after registration to be “public”, meaning that registered users don’t automatically become authorized

If they do need different permissions from regular “public” users one can reproduce this solution by making a “pending” role and setting that as the default after registration

Hope You found this helpful