I noticed the

​/{apiBasePath}​/user​/email​/verify​/token

endpoint expects that the front end calls this, and a second email was still sent if the user didn't verify on the first. I assume Its up to the consumer of your packages to ensure that there is either rate limiting or captch to prevent email spam/abuse