As I discussed, the issue is it appears expire_old_email_tokens on line 838 of the user model is running on and password_hash_changed? && !id_changed? is returning true, so the token is marked as expired before it can be activated.
I’m assuming this is because the I’m setting the password with the api call, and it’s going from non existent to being set as something.
Theoretically, you could create an account with a fake email address, deactivate, update the email address to the real email, then activate the account.
Unfortunately, this is too much of a workaround for the project we are working on. We have decided to settle with sending our users 2 emails. Not an ideal workflow.
Would love to see this addressed in the future. @codinghorror