What is the best way to implement the following scenario: New users can register and then have to validate the email address. If validation is successful, an admin can activate the account (and assign a group if necessary).
rp_st
04/15/2023, 6:23 AM
Hey @derbernd, you can use our email verification recipe to force users to validate their email.
Furthermore, you can have a boolean in the user metadata recipe to keep track of if the user has been manually validated by the admin or not. On sign up, you can set this boolean to false.
Then when the admin validates the user, you can change the boolean to true.
You want to also replicate the same boolean in the session's access token payload.
Lastly, you want to augment the session verification function to also check if this boolean is true in the access token payload, and if not, then send back a 401.
derbernd
04/15/2023, 8:53 AM
Thank you. I have added user permissions to control the status of the user. I try your recommendations and compare these methods.
SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).