diff --git a/main.py b/main.py
index ec8fe93..dc65574 100644
--- a/main.py
+++ b/main.py
@@ -33,7 +33,7 @@ async def lifespan(app: FastAPI):
     # Optional shutdown logic
 
 
-app = FastAPI(lifespan=lifespan)
+app: FastAPI = FastAPI(lifespan=lifespan)
 
 # Mount static files (e.g., CSS, JS)
 app.mount("/static", StaticFiles(directory="static"), name="static")
@@ -169,10 +169,12 @@ async def read_home(
 
 @app.get("/login")
 async def read_login(
-    params: dict = Depends(common_unauthenticated_parameters)
+    params: dict = Depends(common_unauthenticated_parameters),
+    email_updated: Optional[str] = "false"
 ):
     if params["user"]:
         return RedirectResponse(url="/dashboard", status_code=302)
+    params["email_updated"] = email_updated
     return templates.TemplateResponse(params["request"], "authentication/login.html", params)
 
 
@@ -256,14 +258,18 @@ async def read_dashboard(
 
 @app.get("/profile")
 async def read_profile(
-    params: dict = Depends(common_authenticated_parameters)
+    params: dict = Depends(common_authenticated_parameters),
+    email_update_requested: Optional[str] = "false",
+    email_updated: Optional[str] = "false"
 ):
     # Add image constraints to the template context
     params.update({
         "max_file_size_mb": MAX_FILE_SIZE / (1024 * 1024),  # Convert bytes to MB
         "min_dimension": MIN_DIMENSION,
         "max_dimension": MAX_DIMENSION,
-        "allowed_formats": list(ALLOWED_CONTENT_TYPES.keys())
+        "allowed_formats": list(ALLOWED_CONTENT_TYPES.keys()),
+        "email_update_requested": email_update_requested,
+        "email_updated": email_updated
     })
     return templates.TemplateResponse(params["request"], "users/profile.html", params)
 
diff --git a/routers/authentication.py b/routers/authentication.py
index 7583ec1..3b3d544 100644
--- a/routers/authentication.py
+++ b/routers/authentication.py
@@ -6,7 +6,7 @@
 from fastapi.responses import RedirectResponse
 from pydantic import BaseModel, EmailStr, ConfigDict
 from sqlmodel import Session, select
-from utils.models import User, UserPassword
+from utils.models import User, UserPassword, DataIntegrityError
 from utils.auth import (
     get_session,
     get_user_from_reset_token,
@@ -18,13 +18,50 @@
     create_access_token,
     create_refresh_token,
     validate_token,
-    send_reset_email
+    send_reset_email,
+    send_email_update_confirmation,
+    get_user_from_email_update_token,
+    get_authenticated_user
 )
 
 logger = getLogger("uvicorn.error")
 
 router = APIRouter(prefix="/auth", tags=["auth"])
 
+# --- Custom Exceptions ---
+
+
+class EmailAlreadyRegisteredError(HTTPException):
+    def __init__(self):
+        super().__init__(
+            status_code=409,
+            detail="This email is already registered"
+        )
+
+
+class InvalidCredentialsError(HTTPException):
+    def __init__(self):
+        super().__init__(
+            status_code=401,
+            detail="Invalid credentials"
+        )
+
+
+class InvalidResetTokenError(HTTPException):
+    def __init__(self):
+        super().__init__(
+            status_code=401,
+            detail="Invalid or expired password reset token; please request a new one"
+        )
+
+
+class InvalidEmailUpdateTokenError(HTTPException):
+    def __init__(self):
+        super().__init__(
+            status_code=401,
+            detail="Invalid or expired email update token; please request a new one"
+        )
+
 
 # --- Server Request and Response Models ---
 
@@ -102,6 +139,17 @@ async def as_form(
                    new_password=new_password, confirm_new_password=confirm_new_password)
 
 
+class UpdateEmail(BaseModel):
+    new_email: EmailStr
+
+    @classmethod
+    async def as_form(
+        cls,
+        new_email: EmailStr = Form(...)
+    ):
+        return cls(new_email=new_email)
+
+
 # --- DB Request and Response Models ---
 
 
@@ -130,7 +178,7 @@ async def register(
         User.email == user.email)).first()
 
     if db_user:
-        raise HTTPException(status_code=400, detail="Email already registered")
+        raise EmailAlreadyRegisteredError()
 
     # Hash the password
     hashed_password = get_password_hash(user.password)
@@ -147,9 +195,20 @@ async def register(
     refresh_token = create_refresh_token(data={"sub": db_user.email})
     # Set cookie
     response = RedirectResponse(url="/", status_code=303)
-    response.set_cookie(key="access_token", value=access_token, httponly=True)
-    response.set_cookie(key="refresh_token",
-                        value=refresh_token, httponly=True)
+    response.set_cookie(
+        key="access_token",
+        value=access_token,
+        httponly=True,
+        secure=True,
+        samesite="strict"
+    )
+    response.set_cookie(
+        key="refresh_token",
+        value=refresh_token,
+        httponly=True,
+        secure=True,
+        samesite="strict"
+    )
 
     return response
 
@@ -164,7 +223,7 @@ async def login(
         User.email == user.email)).first()
 
     if not db_user or not db_user.password or not verify_password(user.password, db_user.password.hashed_password):
-        raise HTTPException(status_code=400, detail="Invalid credentials")
+        raise InvalidCredentialsError()
 
     # Create access token
     access_token = create_access_token(
@@ -262,7 +321,7 @@ async def reset_password(
         user.email, user.token, session)
 
     if not authorized_user or not reset_token:
-        raise HTTPException(status_code=400, detail="Invalid or expired token")
+        raise InvalidResetTokenError()
 
     # Update password and mark token as used
     if authorized_user.password:
@@ -289,3 +348,81 @@ def logout():
     response.delete_cookie("access_token")
     response.delete_cookie("refresh_token")
     return response
+
+
+@router.post("/update_email")
+async def request_email_update(
+    update: UpdateEmail = Depends(UpdateEmail.as_form),
+    user: User = Depends(get_authenticated_user),
+    session: Session = Depends(get_session)
+):
+    # Check if the new email is already registered
+    existing_user = session.exec(
+        select(User).where(User.email == update.new_email)
+    ).first()
+
+    if existing_user:
+        raise EmailAlreadyRegisteredError()
+
+    if not user.id:
+        raise DataIntegrityError(resource="User id")
+
+    # Send confirmation email
+    send_email_update_confirmation(
+        current_email=user.email,
+        new_email=update.new_email,
+        user_id=user.id,
+        session=session
+    )
+
+    return RedirectResponse(
+        url="/profile?email_update_requested=true",
+        status_code=303
+    )
+
+
+@router.get("/confirm_email_update")
+async def confirm_email_update(
+    user_id: int,
+    token: str,
+    new_email: str,
+    session: Session = Depends(get_session)
+):
+    user, update_token = get_user_from_email_update_token(
+        user_id, token, session
+    )
+
+    if not user or not update_token:
+        raise InvalidResetTokenError()
+
+    # Update email and mark token as used
+    user.email = new_email
+    update_token.used = True
+    session.commit()
+
+    # Create new tokens with the updated email
+    access_token = create_access_token(data={"sub": new_email, "fresh": True})
+    refresh_token = create_refresh_token(data={"sub": new_email})
+
+    # Set cookies before redirecting
+    response = RedirectResponse(
+        url="/profile?email_updated=true",
+        status_code=303
+    )
+
+    # Add secure cookie attributes
+    response.set_cookie(
+        key="access_token",
+        value=access_token,
+        httponly=True,
+        secure=True,
+        samesite="lax"
+    )
+    response.set_cookie(
+        key="refresh_token",
+        value=refresh_token,
+        httponly=True,
+        secure=True,
+        samesite="lax"
+    )
+    return response
diff --git a/routers/organization.py b/routers/organization.py
index c937ae3..afa6e5f 100644
--- a/routers/organization.py
+++ b/routers/organization.py
@@ -10,6 +10,8 @@
 
 logger = getLogger("uvicorn.error")
 
+router = APIRouter(prefix="/organizations", tags=["organizations"])
+
 # --- Custom Exceptions ---
 
 
@@ -37,9 +39,6 @@ def __init__(self):
         )
 
 
-router = APIRouter(prefix="/organizations", tags=["organizations"])
-
-
 # --- Server Request and Response Models ---
 
 
diff --git a/routers/user.py b/routers/user.py
index 1baf82a..135f355 100644
--- a/routers/user.py
+++ b/routers/user.py
@@ -16,7 +16,6 @@
 class UpdateProfile(BaseModel):
     """Request model for updating user profile information"""
     name: str
-    email: EmailStr
     avatar_file: Optional[bytes] = None
     avatar_content_type: Optional[str] = None
 
@@ -24,7 +23,6 @@ class UpdateProfile(BaseModel):
     async def as_form(
         cls,
         name: str = Form(...),
-        email: EmailStr = Form(...),
         avatar_file: Optional[UploadFile] = File(None),
     ):
         avatar_data = None
@@ -36,7 +34,6 @@ async def as_form(
 
         return cls(
             name=name,
-            email=email,
             avatar_file=avatar_data,
             avatar_content_type=avatar_content_type
         )
@@ -73,7 +70,6 @@ async def update_profile(
 
     # Update user details
     user.name = user_profile.name
-    user.email = user_profile.email
     
     if user_profile.avatar_file:
         user.avatar_data = user_profile.avatar_file
diff --git a/templates/components/header.html b/templates/components/header.html
index d24bff6..6f8d04c 100644
--- a/templates/components/header.html
+++ b/templates/components/header.html
@@ -24,7 +24,11 @@
                 <li class="nav-item dropdown">
                     <a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false">
                         <button class="profile-button btn p-0 border-0 bg-transparent">
-                            {{ render_silhouette() }}
+                            {% if user.avatar_data %}
+                                <img src="{{ url_for('get_avatar') }}" alt="User Avatar" class="d-inline-block align-top" width="30" height="30" style="border-radius: 50%;">
+                            {% else %}
+                                {{ render_silhouette() }}
+                            {% endif %}
                         </button>
                     </a>
                     <ul class="dropdown-menu dropdown-menu-end" aria-labelledby="navbarDropdown">
diff --git a/templates/emails/update_email_email.html b/templates/emails/update_email_email.html
new file mode 100644
index 0000000..5bc8b9d
--- /dev/null
+++ b/templates/emails/update_email_email.html
@@ -0,0 +1,12 @@
+{% extends "emails/base_email.html" %}
+
+{% block email_title %}Email Update Request{% endblock %}
+
+{% block email_content %}
+    <h1>Confirm Your New Email Address</h1>
+    <p>You have requested to change your email address from {{ current_email }} to {{ new_email }}.</p>
+    <p>Click the link below to confirm this change:</p>
+    <p><a href="{{ confirmation_url }}">Confirm Email Update</a></p>
+    <p>If you did not request this change, please ignore this email.</p>
+    <p>This link will expire in 1 hour.</p>
+{% endblock %}
\ No newline at end of file
diff --git a/templates/users/organization.html b/templates/users/organization.html
index 913598b..f6e7976 100644
--- a/templates/users/organization.html
+++ b/templates/users/organization.html
@@ -63,7 +63,11 @@ <h1 class="mb-4">{{ organization.name }}</h1>
                             {% for user in role.users %}
                             <tr>
                                 <td class="text-center" style="width: 50px;">
-                                    {{ render_silhouette(width=40, height=40) }}
+                                    {% if user.avatar_data %}
+                                        <img src="{{ url_for('get_avatar') }}" alt="User Avatar" class="d-inline-block align-top" width="40" height="40" style="border-radius: 50%;">
+                                    {% else %}
+                                        {{ render_silhouette(width=40, height=40) }}
+                                    {% endif %}
                                 </td>
                                 <td>{{ user.name }}</td>
                                 <td>{{ user.email }}</td>
diff --git a/templates/users/profile.html b/templates/users/profile.html
index c101db5..f2c163d 100644
--- a/templates/users/profile.html
+++ b/templates/users/profile.html
@@ -8,6 +8,18 @@
 <div class="container mt-5">
     <h1 class="mb-4">User Profile</h1>
     
+    {% if email_update_requested == "true" %}
+    <div class="alert alert-info" role="alert">
+        Please check your current email address for a confirmation link to complete the email update.
+    </div>
+    {% endif %}
+
+    {% if email_updated == "true" %}
+    <div class="alert alert-success" role="alert">
+        Your email address has been successfully updated.
+    </div>
+    {% endif %}
+
     <!-- Basic Information -->
     <div class="card mb-4" id="basic-info">
         <div class="card-header">
@@ -40,10 +52,6 @@ <h1 class="mb-4">User Profile</h1>
                     <label for="name" class="form-label">Name</label>
                     <input type="text" class="form-control" id="name" name="name" value="{{ user.name }}">
                 </div>
-                <div class="mb-3">
-                    <label for="email" class="form-label">Email</label>
-                    <input type="email" class="form-control" id="email" name="email" value="{{ user.email }}">
-                </div>
                 <div class="mb-3">
                     <label for="avatar_file" class="form-label">Avatar</label>
                     <input type="file" class="form-control" id="avatar_file" name="avatar_file" accept="image/*">
@@ -62,13 +70,29 @@ <h1 class="mb-4">User Profile</h1>
         </div>
     </div>
 
+    <!-- New Email Update Section -->
+    <div class="card mb-4">
+        <div class="card-header">
+            Update Email
+        </div>
+        <div class="card-body">
+            <form action="{{ url_for('request_email_update') }}" method="post">
+                <div class="mb-3">
+                    <label for="new_email" class="form-label">New Email Address</label>
+                    <input type="email" class="form-control" id="new_email" name="new_email" value="{{ user.email }}">
+                </div>
+                <p class="form-text">A confirmation link will be sent to your new email address to verify the change.</p>
+                <button type="submit" class="btn btn-primary">Update Email</button>
+            </form>
+        </div>
+    </div>
+
     <!-- Change Password -->
     <div class="card mb-4">
         <div class="card-header">
             Change Password
         </div>
         <div class="card-body">
-            <!-- TODO: Trigger password reset via email confirmation -->
             <form action="{{ url_for('forgot_password') }}" method="post">
                 <input type="hidden" name="email" value="{{ user.email }}">
                 <p>To change your password, please confirm your email. A password reset link will be sent to your email address.</p>
@@ -90,7 +114,7 @@ <h1 class="mb-4">User Profile</h1>
                 <p class="text-danger">This action cannot be undone. Please confirm your password to delete your account.</p>
                 <div class="mb-3">
                     <label for="confirm_delete_password" class="form-label">Password</label>
-                    <input type="password" class="form-control" id="confirm_delete_password" name="confirm_delete_password">
+                    <input type="password" class="form-control" id="confirm_delete_password" name="confirm_delete_password" autocomplete="off">
                 </div>
                 <button type="submit" class="btn btn-danger">Delete Account</button>
             </form>
diff --git a/tests/test_auth.py b/tests/test_auth.py
index d3334e9..862f772 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -1,7 +1,7 @@
 import re
 import string
 import random
-from datetime import timedelta
+from datetime import timedelta, UTC, datetime
 from urllib.parse import urlparse, parse_qs
 from starlette.datastructures import URLPath
 from main import app
@@ -13,11 +13,16 @@
     validate_token,
     generate_password_reset_url,
     COMPILED_PASSWORD_PATTERN,
-    convert_python_regex_to_html
+    convert_python_regex_to_html,
+    generate_email_update_url,
+    send_email_update_confirmation,
+    get_user_from_email_update_token
 )
+from unittest.mock import patch, MagicMock
+from utils.models import User, EmailUpdateToken
 
 
-def test_convert_python_regex_to_html():
+def test_convert_python_regex_to_html() -> None:
     PYTHON_SPECIAL_CHARS = r"(?=.*[\[\]\\@$!%*?&{}<>.,'#\-_=+\(\):;|~/\^])"
     HTML_EQUIVALENT = r"(?=.*[\[\]\\@$!%*?&\{\}\<\>\.\,\\'#\-_=\+\(\):;\|~\/\^])"
 
@@ -26,14 +31,14 @@ def test_convert_python_regex_to_html():
     assert PYTHON_SPECIAL_CHARS == HTML_EQUIVALENT
 
 
-def test_password_hashing():
+def test_password_hashing() -> None:
     password = "Test123!@#"
     hashed = get_password_hash(password)
     assert verify_password(password, hashed)
     assert not verify_password("wrong_password", hashed)
 
 
-def test_token_creation_and_validation():
+def test_token_creation_and_validation() -> None:
     data = {"sub": "test@example.com"}
 
     # Test access token
@@ -51,7 +56,7 @@ def test_token_creation_and_validation():
     assert decoded["type"] == "refresh"
 
 
-def test_expired_token():
+def test_expired_token() -> None:
     data = {"sub": "test@example.com"}
     expired_delta = timedelta(minutes=-10)
     expired_token = create_access_token(data, expired_delta)
@@ -59,13 +64,13 @@ def test_expired_token():
     assert decoded is None
 
 
-def test_invalid_token_type():
+def test_invalid_token_type() -> None:
     data = {"sub": "test@example.com"}
     access_token = create_access_token(data)
     decoded = validate_token(access_token, "refresh")
     assert decoded is None
 
-def test_password_reset_url_generation():
+def test_password_reset_url_generation() -> None:
     """
     Tests that the password reset URL is correctly formatted and contains
     the required query parameters.
@@ -91,7 +96,7 @@ def test_password_reset_url_generation():
     assert query_params["email"][0] == test_email
     assert query_params["token"][0] == test_token
 
-def test_password_pattern():
+def test_password_pattern() -> None:
     """
     Tests that the password pattern is correctly defined. to require at least
     one uppercase letter, one lowercase letter, one digit, and one special
@@ -146,3 +151,100 @@ def test_password_pattern():
     # No special character
     password = "aA1" * 3
     assert re.match(COMPILED_PASSWORD_PATTERN, password) is None
+
+def test_email_update_url_generation() -> None:
+    """
+    Tests that the email update confirmation URL is correctly formatted and contains
+    the required query parameters.
+    """
+    test_user_id = 123
+    test_token = "abc123"
+    test_new_email = "new@example.com"
+
+    url = generate_email_update_url(test_user_id, test_token, test_new_email)
+
+    # Parse the URL
+    parsed = urlparse(url)
+    query_params = parse_qs(parsed.query)
+
+    # Get the actual path from the FastAPI app
+    confirm_email_path: URLPath = app.url_path_for("confirm_email_update")
+
+    # Verify URL path
+    assert parsed.path == str(confirm_email_path)
+
+    # Verify query parameters
+    assert "user_id" in query_params
+    assert "token" in query_params
+    assert "new_email" in query_params
+    assert query_params["user_id"][0] == str(test_user_id)
+    assert query_params["token"][0] == test_token
+    assert query_params["new_email"][0] == test_new_email
+
+@patch('resend.Emails.send')
+def test_send_email_update_confirmation(mock_send: MagicMock) -> None:
+    """
+    Tests the email update confirmation sending functionality.
+    """
+    # Mock session and dependencies
+    session = MagicMock()
+    session.exec.return_value.first.return_value = None  # No existing token
+    
+    current_email = "current@example.com"
+    new_email = "new@example.com"
+    user_id = 123
+
+    # Mock successful email send
+    mock_send.return_value = {"id": "test_email_id"}
+
+    # Test successful email sending
+    send_email_update_confirmation(current_email, new_email, user_id, session)
+
+    # Verify session interactions
+    assert session.add.called
+    assert session.commit.called
+    
+    # Verify email was sent with correct parameters
+    mock_send.assert_called_once()
+    call_args = mock_send.call_args[0][0]
+    assert call_args["to"] == [current_email]
+    assert call_args["subject"] == "Confirm Email Update"
+    assert "from" in call_args
+    assert "html" in call_args
+
+    # Test existing token case
+    session.reset_mock()
+    session.exec.return_value.first.return_value = EmailUpdateToken()  # Existing token
+
+    send_email_update_confirmation(current_email, new_email, user_id, session)
+
+    # Verify no new token was created or email sent
+    assert not session.add.called
+    assert not session.commit.called
+    assert mock_send.call_count == 1  # Still just one call from before
+
+def test_get_user_from_email_update_token() -> None:
+    """
+    Tests retrieving a user using an email update token.
+    """
+    session = MagicMock()
+
+    # Test valid token
+    mock_user = User(id=1, email="test@example.com")
+    mock_token = EmailUpdateToken(
+        user_id=1,
+        token="valid_token",
+        expires_at=datetime.now(UTC) + timedelta(hours=1),
+        used=False
+    )
+    session.exec.return_value.first.return_value = (mock_user, mock_token)
+
+    user, token = get_user_from_email_update_token(1, "valid_token", session)
+    assert user == mock_user
+    assert token == mock_token
+
+    # Test invalid token
+    session.exec.return_value.first.return_value = None
+    user, token = get_user_from_email_update_token(1, "invalid_token", session)
+    assert user is None
+    assert token is None
diff --git a/tests/test_authentication.py b/tests/test_authentication.py
index 4207186..c12b2a9 100644
--- a/tests/test_authentication.py
+++ b/tests/test_authentication.py
@@ -9,11 +9,12 @@
 from html import unescape
 
 from main import app
-from utils.models import User, PasswordResetToken
+from utils.models import User, PasswordResetToken, UserPassword, EmailUpdateToken
 from utils.auth import (
     create_access_token,
     verify_password,
     validate_token,
+    get_password_hash
 )
 from .conftest import SetupError
 
@@ -199,7 +200,7 @@ def test_register_with_existing_email(unauth_client: TestClient, test_user: User
             "confirm_password": "Test123!@#"
         }
     )
-    assert response.status_code == 400
+    assert response.status_code == 409
 
 
 def test_login_with_invalid_credentials(unauth_client: TestClient, test_user: User):
@@ -210,7 +211,7 @@ def test_login_with_invalid_credentials(unauth_client: TestClient, test_user: Us
             "password": "WrongPass123!@#"
         }
     )
-    assert response.status_code == 400
+    assert response.status_code == 401
 
 
 def test_password_reset_with_invalid_token(unauth_client: TestClient, test_user: User):
@@ -223,7 +224,7 @@ def test_password_reset_with_invalid_token(unauth_client: TestClient, test_user:
             "confirm_new_password": "NewPass123!@#"
         }
     )
-    assert response.status_code == 400
+    assert response.status_code == 401
 
 
 def test_password_reset_email_url(unauth_client: TestClient, session: Session, test_user: User, mock_resend_send):
@@ -264,3 +265,144 @@ def test_password_reset_email_url(unauth_client: TestClient, session: Session, t
     assert parsed.path == str(reset_password_path)
     assert query_params["email"][0] == test_user.email
     assert query_params["token"][0] == reset_token.token
+
+
+def test_request_email_update_success(auth_client: TestClient, test_user: User, mock_resend_send):
+    """Test successful email update request"""
+    new_email = "newemail@example.com"
+    
+    response = auth_client.post(
+        app.url_path_for("request_email_update"),
+        data={"new_email": new_email},
+        follow_redirects=False
+    )
+    
+    assert response.status_code == 303
+    assert "profile?email_update_requested=true" in response.headers["location"]
+    
+    # Verify email was "sent"
+    mock_resend_send.assert_called_once()
+    call_args = mock_resend_send.call_args[0][0]
+    
+    # Verify email content
+    assert call_args["to"] == [test_user.email]
+    assert call_args["from"] == "noreply@promptlytechnologies.com"
+    assert "Confirm Email Update" in call_args["subject"]
+    assert "confirm_email_update" in call_args["html"]
+    assert new_email in call_args["html"]
+
+
+def test_request_email_update_already_registered(auth_client: TestClient, session: Session, test_user: User):
+    """Test email update request with already registered email"""
+    # Create another user with the target email
+    existing_email = "existing@example.com"
+    existing_user = User(
+        name="Existing User",
+        email=existing_email,
+        password=UserPassword(hashed_password=get_password_hash("Test123!@#"))
+    )
+    session.add(existing_user)
+    session.commit()
+    
+    response = auth_client.post(
+        app.url_path_for("request_email_update"),
+        data={"new_email": existing_email}
+    )
+    
+    assert response.status_code == 409
+    assert "already registered" in response.text
+
+
+def test_request_email_update_unauthenticated(unauth_client: TestClient):
+    """Test email update request without authentication"""
+    response = unauth_client.post(
+        app.url_path_for("request_email_update"),
+        data={"new_email": "new@example.com"},
+        follow_redirects=False
+    )
+    
+    assert response.status_code == 303  # Redirect to login
+
+
+def test_confirm_email_update_success(unauth_client: TestClient, session: Session, test_user: User):
+    """Test successful email update confirmation"""
+    new_email = "updated@example.com"
+    
+    # Create an email update token
+    update_token = EmailUpdateToken(user_id=test_user.id)
+    session.add(update_token)
+    session.commit()
+    
+    response = unauth_client.get(
+        app.url_path_for("confirm_email_update"),
+        params={
+            "user_id": test_user.id,
+            "token": update_token.token,
+            "new_email": new_email
+        },
+        follow_redirects=False
+    )
+    
+    assert response.status_code == 303
+    assert "profile?email_updated=true" in response.headers["location"]
+    
+    # Verify email was updated
+    session.refresh(test_user)
+    assert test_user.email == new_email
+    
+    # Verify token was marked as used
+    session.refresh(update_token)
+    assert update_token.used
+    
+    # Verify new auth cookies were set
+    cookies = response.cookies
+    assert "access_token" in cookies
+    assert "refresh_token" in cookies
+
+
+def test_confirm_email_update_invalid_token(unauth_client: TestClient, session: Session, test_user: User):
+    """Test email update confirmation with invalid token"""
+    response = unauth_client.get(
+        app.url_path_for("confirm_email_update"),
+        params={
+            "user_id": test_user.id,
+            "token": "invalid_token",
+            "new_email": "new@example.com"
+        }
+    )
+    
+    assert response.status_code == 401
+    assert "Invalid or expired" in response.text
+    
+    # Verify email was not updated
+    session.refresh(test_user)
+    assert test_user.email == "test@example.com"
+
+
+def test_confirm_email_update_used_token(unauth_client: TestClient, session: Session, test_user: User):
+    """Test email update confirmation with already used token"""
+    # Create an already used token
+    used_token = PasswordResetToken(
+        user_id=test_user.id,
+        token="test_used_token",
+        used=True,
+        token_type="email_update"
+    )
+    session.add(used_token)
+    session.commit()
+    
+    response = unauth_client.get(
+        app.url_path_for("confirm_email_update"),
+        params={
+            "user_id": test_user.id,
+            "token": used_token.token,
+            "new_email": "new@example.com"
+        }
+    )
+    
+    assert response.status_code == 401
+    assert "Invalid or expired" in response.text
+    
+    # Verify email was not updated
+    session.refresh(test_user)
+    assert test_user.email == "test@example.com"
diff --git a/tests/test_user.py b/tests/test_user.py
index 47fb9fe..30696d6 100644
--- a/tests/test_user.py
+++ b/tests/test_user.py
@@ -17,8 +17,7 @@ def test_update_profile_unauthorized(unauth_client: TestClient):
     response: Response = unauth_client.post(
         app.url_path_for("update_profile"),
         data={
-            "name": "New Name",
-            "email": "new@example.com",
+            "name": "New Name"
         },
         files={
             "avatar_file": ("test_avatar.jpg", b"fake image data", "image/jpeg")
@@ -40,8 +39,7 @@ def test_update_profile_authorized(mock_validate, auth_client: TestClient, test_
     response: Response = auth_client.post(
         app.url_path_for("update_profile"),
         data={
-            "name": "Updated Name",
-            "email": "updated@example.com",
+            "name": "Updated Name"
         },
         files={
             "avatar_file": ("test_avatar.jpg", b"fake image data", "image/jpeg")
@@ -54,7 +52,6 @@ def test_update_profile_authorized(mock_validate, auth_client: TestClient, test_
     # Verify changes in database
     session.refresh(test_user)
     assert test_user.name == "Updated Name"
-    assert test_user.email == "updated@example.com"
     assert test_user.avatar_data == MOCK_IMAGE_DATA
     assert test_user.avatar_content_type == MOCK_CONTENT_TYPE
 
@@ -67,8 +64,7 @@ def test_update_profile_without_avatar(auth_client: TestClient, test_user: User,
     response: Response = auth_client.post(
         app.url_path_for("update_profile"),
         data={
-            "name": "Updated Name",
-            "email": "updated@example.com",
+            "name": "Updated Name"
         },
         follow_redirects=False
     )
@@ -78,7 +74,6 @@ def test_update_profile_without_avatar(auth_client: TestClient, test_user: User,
     # Verify changes in database
     session.refresh(test_user)
     assert test_user.name == "Updated Name"
-    assert test_user.email == "updated@example.com"
 
 
 def test_delete_account_unauthorized(unauth_client: TestClient):
@@ -130,8 +125,7 @@ def test_get_avatar_authorized(mock_validate, auth_client: TestClient, test_user
     auth_client.post(
         app.url_path_for("update_profile"),
         data={
-            "name": test_user.name,
-            "email": test_user.email,
+            "name": test_user.name
         },
         files={
             "avatar_file": ("test_avatar.jpg", b"fake image data", "image/jpeg")
@@ -167,8 +161,7 @@ def test_update_profile_invalid_image(mock_validate, auth_client: TestClient):
     response: Response = auth_client.post(
         app.url_path_for("update_profile"),
         data={
-            "name": "Updated Name",
-            "email": "updated@example.com",
+            "name": "Updated Name"
         },
         files={
             "avatar_file": ("test_avatar.jpg", b"invalid image data", "image/jpeg")
diff --git a/utils/auth.py b/utils/auth.py
index d809fc7..fd4badf 100644
--- a/utils/auth.py
+++ b/utils/auth.py
@@ -16,7 +16,7 @@
 from fastapi.templating import Jinja2Templates
 from fastapi import Depends, Cookie, HTTPException, status
 from utils.db import get_session
-from utils.models import User, Role, PasswordResetToken
+from utils.models import User, Role, PasswordResetToken, EmailUpdateToken
 
 load_dotenv()
 resend.api_key = os.environ["RESEND_API_KEY"]
@@ -87,6 +87,13 @@ def replacer(match: re.Match) -> str:
 # --- Custom Exceptions ---
 
 
+class NeedsNewTokens(Exception):
+    def __init__(self, user: User, access_token: str, refresh_token: str):
+        self.user = user
+        self.access_token = access_token
+        self.refresh_token = refresh_token
+
+
 class AuthenticationError(HTTPException):
     def __init__(self):
         super().__init__(
@@ -324,13 +331,6 @@ def get_optional_user(
     return None
 
 
-class NeedsNewTokens(Exception):
-    def __init__(self, user: User, access_token: str, refresh_token: str):
-        self.user = user
-        self.access_token = access_token
-        self.refresh_token = refresh_token
-
-
 def generate_password_reset_url(email: str, token: str) -> str:
     """
     Generates the password reset URL with proper query parameters.
@@ -434,3 +434,86 @@ def get_user_with_relations(
     ).one()
 
     return eager_user
+
+
+def generate_email_update_url(user_id: int, token: str, new_email: str) -> str:
+    """
+    Generates the email update confirmation URL with proper query parameters.
+    """
+    base_url = os.getenv('BASE_URL')
+    return f"{base_url}/auth/confirm_email_update?user_id={user_id}&token={token}&new_email={new_email}"
+
+
+def send_email_update_confirmation(
+    current_email: str,
+    new_email: str,
+    user_id: int,
+    session: Session
+) -> None:
+    # Check for an existing unexpired token
+    existing_token = session.exec(
+        select(EmailUpdateToken)
+        .where(
+            EmailUpdateToken.user_id == user_id,
+            EmailUpdateToken.expires_at > datetime.now(UTC),
+            EmailUpdateToken.used == False
+        )
+    ).first()
+
+    if existing_token:
+        logger.debug("An unexpired email update token already exists for this user.")
+        return
+
+    # Generate a new token
+    token = EmailUpdateToken(user_id=user_id)
+    session.add(token)
+
+    try:
+        confirmation_url = generate_email_update_url(
+            user_id, token.token, new_email)
+
+        # Render the email template
+        template = templates.get_template("emails/update_email_email.html")
+        html_content = template.render({
+            "confirmation_url": confirmation_url,
+            "current_email": current_email,
+            "new_email": new_email
+        })
+
+        params: resend.Emails.SendParams = {
+            "from": "noreply@promptlytechnologies.com",
+            "to": [current_email],
+            "subject": "Confirm Email Update",
+            "html": html_content,
+        }
+
+        sent_email: resend.Email = resend.Emails.send(params)
+        logger.debug(f"Email update confirmation sent: {sent_email.get('id')}")
+
+        session.commit()
+    except Exception as e:
+        logger.error(f"Failed to send email update confirmation: {e}")
+        session.rollback()
+
+
+def get_user_from_email_update_token(
+    user_id: int,
+    token: str,
+    session: Session
+) -> tuple[Optional[User], Optional[EmailUpdateToken]]:
+    result = session.exec(
+        select(User, EmailUpdateToken)
+        .where(
+            User.id == user_id,
+            EmailUpdateToken.token == token,
+            EmailUpdateToken.expires_at > datetime.now(UTC),
+            EmailUpdateToken.used == False,
+            EmailUpdateToken.user_id == User.id
+        )
+    ).first()
+
+    if not result:
+        return None, None
+
+    user, update_token = result
+    return user, update_token
diff --git a/utils/models.py b/utils/models.py
index 29e468e..be07c8f 100644
--- a/utils/models.py
+++ b/utils/models.py
@@ -161,6 +161,25 @@ def is_expired(self) -> bool:
         return datetime.now(UTC) > self.expires_at.replace(tzinfo=UTC)
 
 
+class EmailUpdateToken(SQLModel, table=True):
+    id: Optional[int] = Field(default=None, primary_key=True)
+    user_id: Optional[int] = Field(foreign_key="user.id")
+    token: str = Field(default_factory=lambda: str(
+        uuid4()), index=True, unique=True)
+    expires_at: datetime = Field(
+        default_factory=lambda: datetime.now(UTC) + timedelta(hours=1))
+    used: bool = Field(default=False)
+
+    user: Mapped[Optional["User"]] = Relationship(
+        back_populates="email_update_tokens")
+
+    def is_expired(self) -> bool:
+        """
+        Check if the token has expired
+        """
+        return datetime.now(UTC) > self.expires_at.replace(tzinfo=UTC)
+
+
 class UserPassword(SQLModel, table=True):
     id: Optional[int] = Field(default=None, primary_key=True)
     user_id: Optional[int] = Field(foreign_key="user.id", unique=True)
@@ -196,6 +215,12 @@ class User(SQLModel, table=True):
             "cascade": "all, delete-orphan"
         }
     )
+    email_update_tokens: Mapped[List["EmailUpdateToken"]] = Relationship(
+        back_populates="user",
+        sa_relationship_kwargs={
+            "cascade": "all, delete-orphan"
+        }
+    )
     password: Mapped[Optional[UserPassword]] = Relationship(
         back_populates="user"
     )