I'm planning to create an API using express that I would send an http request from the client-side to send emails. I want to send these emails to verify my customer's emails. I'm not sure if that would be secure because someone could possibly modify the code on the client-side and use that to get around the verification. I don't know if that could be done.
You can protect your API so that it only accepts requests from an authorized client, Web or Mobile. In this way you are mitigating that calls from unauthorized sources violate your API. To give you an idea, I leave here some reference articles. https://auth0.com/blog/node-js-and-express-tutorial-building-and-securing-restful-apis/