> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lasscyber.com/llms.txt
> Use this file to discover all available pages before exploring further.

# email_not_verified

> HTTP 403 — the JWT user has not verified their email address.

|                 |                                     |
| --------------- | ----------------------------------- |
| **HTTP status** | `403 Forbidden`                     |
| **Code**        | `email_not_verified`                |
| **Retry?**      | No — verify your email, then retry. |

## When this happens

A JWT-authenticated user (i.e. the dashboard, or a tool reusing
dashboard JWTs) has not yet completed Auth0 email verification. The
API requires verified email before allowing protected operations.

API key authentication is **not** affected — keys belong to a tenant,
not a user, so there is no email to verify.

## Example response

```json theme={null}
{
  "detail": {
    "code": "email_not_verified",
    "message": "Email address must be verified before accessing the API."
  },
  "code": "email_not_verified",
  "request_id": "5b3f6c7e-7d24-4d40-9b12-3a59c01c6e91",
  "doc_url": "https://docs.lasscyber.com/errors/email_not_verified"
}
```

## How to fix

1. Open the verification email Auth0 sent at sign-up. Click the link.
2. If you cannot find it, sign in to
   [`agnes.lasscyber.com`](https://agnes.lasscyber.com) — the gate
   page surfaces a **Resend email** button.
3. After verifying, sign out and back in to refresh your JWT.

## SDK behaviour

| SDK        | Exception                                                     |
| ---------- | ------------------------------------------------------------- |
| Python     | `agnes.PermissionError` (with `code == "email_not_verified"`) |
| TypeScript | `PermissionError` (with `code === "email_not_verified"`)      |

This is rare in SDK code paths — SDKs typically authenticate with API
keys, not JWTs. If you see it from an SDK, you are either using a
JWT-based extension or a custom integration that mints JWTs.

## Related

* [`forbidden`](/errors/forbidden) — the parent generic 403 case.
* [Authentication](/get-started/authentication) — API keys vs JWTs.
