There is no official Firebase method to verify an email without creating a Firebase user because emailVerified is a property of a FirebaseUser.
However, if your use case is phone-first authentication and you want to verify email as a secondary identity factor, here's a workaround using the Firebase Admin SDK:
Steps:
Create an anonymous Firebase user from your backend (or client).
Set the user's email address using Admin SDK.
Send the verification link using generateEmailVerificationLink(email).
Email will contain a verification link — user clicks it to confirm.
java
CopyEdit
// 1. Create an anonymous userUserRecord user = FirebaseAuth.getInstance().createUser(new CreateRequest());
//2. Set the email FirebaseAuth.getInstance().updateUser( new UpdateRequest(user.getUid()) .setEmail("[email protected]") );
// 3. Generate the email verification link String link = FirebaseAuth.getInstance().generateEmailVerificationLink("[email protected]"); // Send this link to the user securely or you can copy form log adn click it make user verified
This API allows any backend to generate the verification link and mark an email as verified — even if the user never received the email.
This has been reported as a security concern, as it violates the principle of user consent in identity verification. (Soon may be deprecated )
💥 If misused:
Backend systems can verify any email address (even fake ones).
Apps relying on emailVerified == true may falsely assume trust.
This could enable impersonation or privilege escalation in sensitive platforms (like dating, finance, or legal services).
Always ensure the verification link is only sent to and clicked by the actual user.
Never auto-click or expose the link from backend logs.
Consider adding a manual confirmation step in your app before accepting verified status.
Yes, you can send a verification link without full email/password sign-up, using backend tricks like setting email on an anonymous user — but use this responsibly and securely. Firebase does not enforce inbox ownership — you must.