anonymous voting
Anyone can vote on a public board without signing up. The vote is real once their email is verified.
the flow
Section titled “the flow”- Visitor clicks vote on a public post.
- Spirby asks for an email and runs a captcha if hcaptcha is configured for the environment.
- Visitor receives a “confirm your vote” email with a single-use link.
- Clicking the link confirms the vote and sets a cookie tying that browser to the email hash for future votes.
The confirm token is valid for 30 minutes. Once they confirm once, subsequent votes from the same browser go through without another email, the cookie carries the proof.
rate limits
Section titled “rate limits”Spirby limits abuse without blocking legitimate use:
- per ip: 100 vote requests / hour
- per email hash: 5 vote requests / hour
- comment creation, post submission, and changelog subscription are limited separately
If a visitor hits a limit, spirby returns a rate-limit error and a Retry-After header pointing at the next hourly boundary.
how to disable email-verified anonymous voting
Section titled “how to disable email-verified anonymous voting”You cannot. Email verification is the dedupe mechanism. Removing it would mean accepting unbounded duplicate votes, which defeats the point of the count.
If the friction matters more to you than the integrity of the count, consider hiding the public board behind a sign-in wall via your own front-end and not advertising the public urls, but spirby’s pricing and design assume open boards.