A magic link is a sign-in mechanism where the user receives an email with a one-time URL. Clicking the link authenticates them, no password required.
The flow
- User enters their email
- You generate a random, short-lived token
- You email them a link like https://yourapp.com/magic/<token>
- They click, you verify the token, create a session, and redirect to the app
Why use them
- Fewer credentials to manage — no password storage, no password reset flow
- Lower support burden — “forgot password” tickets become rare
- Better UX for occasional (say, monthly-active) users — no password to remember
Tradeoffs
- Dependent on email deliverability — a mailbox in the spam folder means no sign-in
- Higher friction for daily users — opening email on every sign-in is annoying
- Bearer property — anyone who can read the mailbox, or the URL wherever it is logged or forwarded, can sign in
Security rules
- Expire tokens after 10-15 minutes. The longer a live link sits in a mailbox, the longer a compromised, shared or forwarded inbox can be turned into a session.
- Mark tokens as single-use; invalidate on first redemption. Be aware that corporate mail scanners and link previewers often fetch URLs before the user clicks, so redeem on an explicit confirmation (a POST from the landing page) rather than on the bare GET, or the real click will find the link already used.
- Generate tokens from at least 32 bytes of CSPRNG output, and store only a hash of the token server-side so a database leak does not hand out live links.
- Rate-limit token requests per address (and per client) to prevent inbox flooding, and return the same "check your inbox" response whether or not the address has an account, so the endpoint cannot be used to enumerate users.
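The flow above and the security rules map onto a small amount of code. The following is an added example, not code from this glossary or from any particular product: an in-memory magic-link service that mints a token, rate-limits requests per address, stores only a hash of the token, and makes redemption single-use and time-limited. The class and method names (MagicLinkService, request_link, redeem, purge_expired), the constants and the dict-backed store are this example's own choices; a real deployment would back it with a database and a shared rate limiter.

```python
# Added example (not the page's own code): in-memory magic-link issuance and
# redemption implementing the flow and the security rules from the text.
# MagicLinkService, request_link, redeem and purge_expired are names chosen
# for this example; the in-memory dicts stand in for a database.
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

TOKEN_BYTES = 32                     # rule: at least 32 bytes of CSPRNG output
TOKEN_TTL_SECONDS = 15 * 60          # rule: expire in 10-15 minutes
RATE_LIMIT_MAX = 3                   # rule: cap link requests per address ...
RATE_LIMIT_WINDOW_SECONDS = 60 * 60  # ... within this window


class MagicLinkService:
    def __init__(self, base_url: str = "https://yourapp.com") -> None:
        self.base_url = base_url
        # sha256(token) -> (email, expires_at). Only the hash is stored, so a
        # leaked copy of this table cannot be replayed as live sign-in links.
        self._pending: Dict[str, Tuple[str, float]] = {}
        # email -> timestamps of recent link requests, used for rate limiting
        self._requests: Dict[str, List[float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # utf-8, not ascii: redeem() sees attacker-controlled input
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_link(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Steps 1-3: mint a token for `email` and return the link to send.

        Returns None when the address is rate-limited. The HTTP handler should
        still answer 'check your inbox' in every case, so the endpoint reveals
        neither the limit nor whether the address has an account.
        """
        now = time.time() if now is None else now
        email = email.strip().lower()
        recent = [t for t in self._requests.get(email, [])
                  if now - t < RATE_LIMIT_WINDOW_SECONDS]
        if len(recent) >= RATE_LIMIT_MAX:
            self._requests[email] = recent
            return None
        recent.append(now)
        self._requests[email] = recent

        token = secrets.token_urlsafe(TOKEN_BYTES)  # 32 random bytes, URL-safe base64
        self._pending[self._digest(token)] = (email, now + TOKEN_TTL_SECONDS)
        return f"{self.base_url}/magic/{token}"

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Step 4: verify a clicked token. Returns the email to open a session
        for, or None if the token is unknown, already used or expired.
        """
        now = time.time() if now is None else now
        # pop() makes the token single-use: a second redemption finds nothing.
        # Lookup is by hash of the presented token, so no secret comparison
        # happens on the raw value.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        return email

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Housekeeping: drop expired entries so the table does not grow unbounded."""
        now = time.time() if now is None else now
        stale = [h for h, (_, exp) in self._pending.items() if now > exp]
        for h in stale:
            del self._pending[h]
        return len(stale)


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.request_link("Alice@Example.com")
    print("email this:", link)
    token = link.rsplit("/", 1)[1]
    print("first click  ->", svc.redeem(token))  # alice@example.com
    print("second click ->", svc.redeem(token))  # None: single use
```

In a web app, `redeem` should be called from the confirmation POST on the landing page, not from the GET that serves `/magic/<token>`, so that a mail scanner pre-fetching the link does not consume the token before the user arrives. The returned email is what you create the session for; the token itself should never be written to logs.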
Magic links pair well with passkeys for a password-free experience.
See the full auth glossary for related terms.