
Commit dd1e69ac authored by theronakpatel's avatar theronakpatel

resolve the immediate 'token is invalid' issue

parent 6b6fe41b
+62 −3
@@ -90,13 +90,55 @@ class EmailRecoveryController extends Controller {
	#[NoCSRFRequired]
	public function verifyRecoveryEmail(string $token, string $userId): TemplateResponse {
		try {
			//decrypt email
			$email = $this->recoveryEmailService->getUnverifiedRecoveryEmail($userId);
			$ref = substr(hash('sha256', $email), 0, 8);
			// Validate token parameter
			if (empty($token)) {
				$this->logger->error("Empty token provided for verification", ['userId' => $userId]);
				$errorParams = [
					'errors' => [['error' => $this->l->t('Could not verify recovery email because the token is invalid')]],
				];
				return new TemplateResponse('core', 'error', $errorParams, TemplateResponse::RENDER_AS_GUEST);
			}

			// Validate userId parameter
			if (empty($userId)) {
				$this->logger->error("Empty userId provided for token verification");
				$errorParams = [
					'errors' => [['error' => $this->l->t('Could not verify recovery email because the token is invalid')]],
				];
				return new TemplateResponse('core', 'error', $errorParams, TemplateResponse::RENDER_AS_GUEST);
			}

			// Get user first to validate userId
			$user = $this->userManager->get($userId);
			if ($user === null) {
				$this->logger->error("User not found for token verification: {userId}", ['userId' => $userId]);
				$errorParams = [
					'errors' => [['error' => $this->l->t('Could not verify recovery email because the token is invalid')]],
				];
				return new TemplateResponse('core', 'error', $errorParams, TemplateResponse::RENDER_AS_GUEST);
			}

			// Get unverified recovery email
			$email = $this->recoveryEmailService->getUnverifiedRecoveryEmail($userId);
			
			// Validate that unverified recovery email exists
			if (empty($email)) {
				$this->logger->error("No unverified recovery email found for user {userId} during token verification. This may happen if the email was already verified or the verification link is from an old request.", ['userId' => $userId]);
				$errorParams = [
					'errors' => [['error' => $this->l->t('Could not verify recovery email because the token is invalid')]],
				];
				return new TemplateResponse('core', 'error', $errorParams, TemplateResponse::RENDER_AS_GUEST);
			}

			$ref = substr(hash('sha256', $email), 0, 8);
			$verificationKey = 'verifyRecoveryMail' . $ref;
			
			$this->logger->debug("Verifying token for user {userId} with email {email} and ref {ref}", [
				'userId' => $userId,
				'email' => $email,
				'ref' => $ref
			]);
			
			$this->recoveryEmailService->verifyToken($token, $user, $verificationKey, $email);
			
			$this->recoveryEmailService->makeRecoveryEmailVerified($userId);
@@ -111,6 +153,12 @@ class EmailRecoveryController extends Controller {
	
			return new TemplateResponse('core', 'success', $responseParams, TemplateResponse::RENDER_AS_GUEST);
		} catch (InvalidTokenException $e) {
			$this->logger->error("Token verification failed for user {userId}: {message} (code: {code})", [
				'userId' => $userId,
				'message' => $e->getMessage(),
				'code' => $e->getCode()
			]);
			
			$error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
				? $this->l->t('Could not verify recovery email because the token is expired')
				: $this->l->t('Could not verify recovery email because the token is invalid');
@@ -119,6 +167,17 @@ class EmailRecoveryController extends Controller {
				'errors' => [['error' => $error]],
			];
	
			return new TemplateResponse('core', 'error', $errorParams, TemplateResponse::RENDER_AS_GUEST);
		} catch (\Exception $e) {
			$this->logger->error("Unexpected error during token verification for user {userId}: {message}", [
				'userId' => $userId,
				'message' => $e->getMessage()
			]);
			
			$errorParams = [
				'errors' => [['error' => $this->l->t('Could not verify recovery email because the token is invalid')]],
			];
	
			return new TemplateResponse('core', 'error', $errorParams, TemplateResponse::RENDER_AS_GUEST);
		}
	}
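Review bot: The new debug log `$this->logger->debug("Verifying token for user {userId} with email {email} and ref {ref}", [...])` writes the user's recovery email address into the log on every verification-link click, which puts PII into log storage for no diagnostic gain since `userId` and `ref` already identify the record; drop `{email}` from the message and the `'email' => $email` context entry. The four new validation branches (`empty($token)`, `empty($userId)`, `$user === null`, `empty($email)`) and the generic `catch (\Exception $e)` each rebuild the identical 'token is invalid' TemplateResponse, so a small private helper returning that response would keep them in sync and cut the repetition. In the `catch (\Exception $e)` block, consider adding `'exception' => $e` to the log context (the PSR-3 convention the logger interface follows) so the stack trace is kept rather than only `getMessage()`. The verifyRecoveryEmail method opens in the first hunk and closes in the last, but the success-path lines between the hunks are not shown here.
```php
// … unchanged: each validation branch now does `return $this->invalidTokenResponse();` …

/** Build the generic error page shown for any verification failure the user should not be able to distinguish. */
private function invalidTokenResponse(): TemplateResponse {
	$errorParams = [
		'errors' => [['error' => $this->l->t('Could not verify recovery email because the token is invalid')]],
	];
	return new TemplateResponse('core', 'error', $errorParams, TemplateResponse::RENDER_AS_GUEST);
}
```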