diff --git a/authority/server/db.js b/authority/server/db.js
index 0bb20f4d808efbe9155c985cf8a82bdb26365a10..d476fcfda924e378852c0e6baea1404bf785c935 100644
--- a/authority/server/db.js
+++ b/authority/server/db.js
@@ -3,14 +3,11 @@ var g_emails = {
 };
 
 // half created user accounts (pending email verification)
-var g_stagedUsers = {
-};
-
+// OR
 // half added emails (pending verification)
-var g_stagedEmails = {
+var g_staged = {
 };
 
-
 exports.haveEmail = function(email) {
   return g_emails.hasOwnProperty(email);
 };
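Review bot: The `// OR` line left between the two comments above `g_staged` does not say what the merged map holds or what it is keyed by. Since `stageUser` later in this diff keys it by the verification secret, one comment such as `// pending verifications keyed by secret: a half-created account or a half-added email` would read more clearly. Entries carry no field that distinguishes the two kinds, so any consumer has to assume one of them; the comment should say so until email staging is implemented.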
@@ -28,10 +25,24 @@ function generateSecret() {
 exports.stageUser = function(obj) {
   var secret = generateSecret();
   // overwrite previously staged users
-  g_stagedUsers[obj.email] = {
-    secret: secret,
+  g_staged[secret] = {
+    email: obj.email,
     pubkey: obj.pubkey,
     pass: obj.pass
   };
   return secret;
 };
+
+/* invoked when a user clicks on a verification URL in their email */ 
+exports.gotVerificationSecret = function(secret) {
+  if (!g_staged.hasOwnProperty(secret)) return false;
+
+  // simply move from staged over to the emails "database"
+  var o = g_staged[secret];
+  delete g_staged[secret];
+  g_emails[o.email] = {
+    pass: o.pass,
+    pubkey: o.pubkey
+  };
+  return true;
+};
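Review bot: The retained comment `// overwrite previously staged users` in `stageUser` no longer holds: with `g_staged` keyed by secret, staging the same email again adds a second entry, and every earlier secret stays valid with no expiry. An older link can then be completed later, and `gotVerificationSecret` will replace `g_emails[o.email]` with that entry's `pass` and `pubkey`, even for an address that is already verified, unless callers outside this hunk check `haveEmail` first. I would drop earlier pending entries for the address when staging, as in the excerpt below, and consider storing a staged-at timestamp so stale secrets can be rejected. `generateSecret` is defined outside this hunk, so its strength is not reviewed here.

```javascript
exports.stageUser = function(obj) {
  var secret = generateSecret();
  // only the most recent verification link for an address may complete:
  // discard any earlier pending entries for the same email
  Object.keys(g_staged).forEach(function(s) {
    if (g_staged[s].email === obj.email) delete g_staged[s];
  });
  // … unchanged: g_staged[secret] assignment and return secret …
};
```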
diff --git a/authority/server/email.js b/authority/server/email.js
index fb704dabaa9ddda898ddcccbc0a087e98e15063d..b56746d4b304ec4209ef39eabc24b19ed5e3876f 100644
--- a/authority/server/email.js
+++ b/authority/server/email.js
@@ -1,3 +1,9 @@
-exports.sendVerificationEmail = function(email, hash) {
+exports.sendVerificationEmail = function(email, secret) {
   console.log("fakely sending a verification email for " + email);
+  // XXX: what we would really do here is send out an email, instead
+  // we'll just wait 5 seconds and manually feed the secret back into the
+  // system, as if a user had clicked a link
+  setTiemout(function() {
+    db.gotVerificationSecret(secret);
+  }, 5000);
 };
\ No newline at end of file
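Review bot: `setTiemout` is misspelled, so the added call throws a ReferenceError each time `sendVerificationEmail` runs; it should read `setTimeout(function() {`. The hunk covers the whole file and nothing in it defines `db`, so the callback would fail next unless `db` is a global; add `var db = require('./db.js');` at the top (path inferred from the diff header). Because this stub confirms every address without any proof of mailbox ownership, it should be guarded so that it cannot run outside development.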