Magic links feature¶
For provider setup and the constructor, see Magic links provider. This page covers configuration knobs and security notes.
Endpoints¶
| Method | Path | Auth | Request | Response |
|---|---|---|---|---|
| POST | /auth/magic-links/login |
— | {email} |
{message: "Magic link sent — check your email"} |
| GET | /auth/magic-links/callback |
— | ?token=... |
cookie: MessageResponse; json: TokenResponse |
TTLs¶
- Request token TTL —
MagicLinksProvider(max_age=...)controls how long the request token is valid (default 900s = 15 min). Stored undertoken_type="magic_link_login_request". - Refresh token TTL after sign-in — defaults to
jwt.refresh_token_ttl(30 days).
Combining with credentials¶
The canonical pattern is to offer both credentials and magic links so users who can't reach their password manager still have a path in:
Users created via magic links have hashed_password=None. If they later set a password (via your own UI + adapter.set_hashed_password, or a "set password" flow you build), they can sign in either way.
Security notes¶
- Tokens are hashed. The raw token in the URL is never stored. The DB stores
sha256(raw). - One-time use.
consume_tokenis atomic — replaying a clicked link is rejected. - Auto-registration opens account creation to any email that controls the inbox. Gate if needed (see provider page).
allow_signingates the callback. Credentials login does not call this hook.on_signinJSON-mode-only caveat. See Hooks. Audit accordingly.
Cookie delivery¶
When token_delivery="cookie", the magic-link callback sets access, refresh, and csrf cookies and returns {"message": "Authentication successful"} instead of a token pair. This pairs well with a browser flow where the user clicks the link directly.
Common mistakes¶
- No email arrives —
email_transportisNone(silent). UseConsoleTransportin dev. base_urlleft at default — the link points atlocalhost:8000. Setbase_urlto your public origin.ConfigError: token_adapter is required for magic links—MagicLinksProvider.send_login_requestraises on the first login attempt iftoken_adapterisNone.