is there a setting that will prevent a user from getting a valid access token until they verify their email? I'm hoping to not have to write any code if there's a setting in the Ory Cloud-hosted UI. Thanks!

Hello @ripe-lawyer-41924 I believe you are looking for this: https://console.ory.sh/projects/current/verification

Require Verified Address for Login

If enabled, users are not able to sign in unless their account is verified.

got it thanks! are they automatically verified if they use GMail?

You mean if you they use a "Login with Google"? In that case yes you can carry over the verified status when they register using a mapping like this:

local claims = {
  email_verified: false,
} + std.extVar('claims');

{
  identity: {
    traits: {
      [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
    },
    verified_addresses: std.prune([
      // Carry over verified status from Social Sign-In provider.
      if 'email' in claims && claims.email_verified then { via: 'email', value: claims.email },
    ]),
  },
}

cool thanks

Hello @ripe-lawyer-41924 (hope i ping the right one 🙈 ) You either add this here through the Ory Console UI (see screenshot) or base64 encode it and add it when updating through the Ory CLI (ory update)