<@U04UQ68083H> What are the possible values for ve...
# ory-copilot
a
@chilly-king-10285 What are the possible values for verifiable_addresses/0/status and what do they mean?
b
A message from kapa.ai
Based on the knowledge sources provided, I can answer your question about the possible values for `verifiable_addresses[0].status` and their meanings in the context of Ory's identity management system.

The `verifiable_addresses[0].status` field can have the following values:

1. "pending"
2. "sent"
3. "completed"

These status values represent different stages in the email verification process:

1. "pending": This likely indicates that the verification process has not yet started for the email address.
2. "sent": This status means that a verification email has been sent to the address but has not yet been confirmed by the user.
3. "completed": This status indicates that the email address has been successfully verified.

This information can be inferred from examples in the knowledge sources, particularly in the [Ory Network GitHub issue](https://github.com/ory/network/issues/290) and the [Ory documentation on importing verified addresses](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#importing-verified-addresses).

It's important to note that when importing or creating identities with verified email addresses, the status should be set to "completed" to indicate that the address is already verified. For example:
```json
{
  "value": "foo@example.com",
  "verified": true,
  "via": "email",
  "status": "completed"
}
```
Keep in mind that the verification status can change based on user actions or system processes, such as when a new email address is added and needs verification.
a
@chilly-king-10285 We have 500 users with a status “sent”, but they were still able to access our system, even though we configured the system to not allow the login of unverified users.
b
A message from kapa.ai
I understand your concern about users with unverified email addresses being able to access your system despite configuring it to disallow login for unverified users. This situation indeed seems unexpected, so let's explore the possible reasons based on the information provided in the knowledge sources.

There are a few important points to consider:

1. Configuration of verified address requirement: According to the [Ory documentation](https://www.ory.sh/docs/identities/sign-in/actions#allow-login-only-with-verified-email), you need to enable the "Require Verified Address for Login" feature in the Ory Console under Authentication → Email verification. Make sure this setting is correctly enabled for your project.
2. Potential issue with OIDC identities: There was a reported bug in the [Ory Network GitHub issue](https://github.com/ory/network/issues/246) where OIDC (OpenID Connect) identities could still log in even if they had not verified their email address. This issue was reported as fixed, but it's worth checking if your users are using OIDC for authentication.
3. Race condition or implementation issue: The same GitHub issue mentions a potential race condition or implementation issue that could allow unverified users to log in. While this was investigated and not confirmed, it's possible that a similar issue could be affecting your system.
4. First sign-in without verification: The [Ory documentation](https://www.ory.sh/docs/identities/sign-in/actions#allow-login-only-with-verified-email) mentions that "If sessions are issued after registration, users will be signed in after registration, but will need to verify their email address before they can sign in using other devices or browsers and get more active sessions as a result." This could explain why some users with "sent" status are still able to access the system.
5. Configuration of hooks: Make sure that you have properly configured the `require_verified_address` hook for all authentication methods (password, OIDC, webauthn) as described in the [Ory documentation](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#allow-login-only-with-verified-email).

To resolve this issue, I recommend the following steps:

1. Double-check your configuration in the Ory Console to ensure "Require Verified Address for Login" is enabled.
2. Verify that the `require_verified_address` hook is properly configured for all authentication methods.
3. Check if the affected users are using OIDC for authentication, and if so, investigate if the OIDC-related bug has resurfaced.
4. Review your implementation to ensure that you're correctly handling the verification status and enforcing the login restrictions.

If the issue persists after these checks, I recommend reaching out to Ory support or posting on the [Ory Community Slack](https://slack.ory.sh/) for further assistance, as this behavior seems to contradict the expected functionality of the verified address requirement.