diff --git a/internal/api/middleware.go b/internal/api/middleware.go
index 3b56f59d1b..e2598b1806 100644
--- a/internal/api/middleware.go
+++ b/internal/api/middleware.go
@@ -173,11 +173,14 @@ func isIgnoreCaptchaRoute(req *http.Request) bool {
 var emailLabelPattern = regexp.MustCompile("[+][^@]+@")
+// we don't need to enforce the check on these endpoints since they don't send emails
+var containsNonEmailSendingPath = regexp.MustCompile(`^/(admin|token|verify)`)
+
 func (a *API) isValidAuthorizedEmail(w http.ResponseWriter, req *http.Request) (context.Context, error) {
 ctx := req.Context()
 // skip checking for authorized email addresses if it's an admin request
- if strings.HasPrefix(req.URL.Path, "/admin") || req.Method == http.MethodGet || req.Method == http.MethodDelete {
+ if containsNonEmailSendingPath.MatchString(req.URL.Path) || req.Method == http.MethodGet || req.Method == http.MethodDelete {
 return ctx, nil
 }
diff --git a/internal/api/middleware_test.go b/internal/api/middleware_test.go
index 7056d91ddb..77065e5b34 100644
--- a/internal/api/middleware_test.go
+++ b/internal/api/middleware_test.go
@@ -531,6 +531,20 @@ func (ts *MiddlewareTestSuite) TestIsValidAuthorizedEmail() {
 "email": "test@example.com",
 },
 },
+ {
+ desc: "bypass check for token endpoint",
+ reqPath: "/token",
+ body: map[string]interface{}{
+ "email": "valid@example.com",
+ },
+ },
+ {
+ desc: "bypass check for verify endpoint",
+ reqPath: "/token",
+ body: map[string]interface{}{
+ "email": "valid@example.com",
+ },
+ },
 {
 desc: "bypass check if no email in request body",
 reqPath: "/signup",
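Review bot: The comment above the new `if` still reads "if it's an admin request" although the condition now also exempts `/token` and `/verify` from the authorized-email check; update it to `// skip checking for authorized email addresses on routes that don't send emails (admin, token, verify)` so the widened bypass is visible at the call site. The pattern `^/(admin|token|verify)` is anchored only at the start, so any future route whose path merely begins with one of those words (e.g. `/verify-…`) is exempted too; if the prefix match is only intentional for `/admin`, `^/(admin|token|verify)(/|$)` bounds it to those path segments. The name `containsNonEmailSendingPath` suggests a boolean or a substring match, while the value is an anchored `*regexp.Regexp`; something like `nonEmailSendingPathPattern` reads more accurately. If `strings` has no other use in middleware.go after this change the file will no longer compile because of the unused import, which cannot be told from the hunk. isValidAuthorizedEmail's body continues past the hunk.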
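Review bot: The second added case, "bypass check for verify endpoint", sets `reqPath: "/token"`, so it duplicates the token case and the `/verify` branch of the new pattern is never exercised by this test; change it to `reqPath: "/verify",`. Given that this is the only coverage added for the widened bypass, a negative case with a path that merely shares the prefix (constructed, e.g. `/tokens`) would also pin down whether the prefix match on those segments is intended. TestIsValidAuthorizedEmail's table and driver loop lie outside the hunk.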