Magic Link Authentication
Overview
Magic link authentication sends a one-time login link to the user’s email. No password is required: possession of the email inbox proves identity.
- User enters email on the auth service login page
- Auth service sends an email with a verification link containing a one-time token
- User clicks the link in their email
- Auth service verifies the token, creates the user if needed, and issues an authorization code
- Redirect back to the client app with the code
Endpoints
Send Magic Link
POST https://auth.beshoy.ai/auth/magic-link/send
Content-Type: application/json

| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | User’s email address |
| project_id | string | Yes | Target project |
| redirect_uri | string | Yes | Where to redirect after auth |
| code_challenge | string | Yes | PKCE S256 challenge |
| state | string | Yes | Opaque state to return |
Verify Magic Link
GET https://auth.beshoy.ai/auth/magic-link/verify?token=xxx
This is the link the user clicks in their email. The auth service:
- Retrieves the token data from KV
- Verifies it hasn’t expired (15-minute TTL)
- Creates the user if they don’t exist (unless registration is closed)
- Adds the user to the project if not already a member
- Marks the user’s email as verified
- Issues an authorization code
- Redirects to the client with `code` and `state`
Email Delivery
Magic links are sent via the Resend email API. The email contains:
- A branded template matching the project’s branding
- A single call-to-action button with the verification URL
- 15-minute expiry notice
Rate Limiting
- 3 magic link sends per hour per email address
- Prevents email bombing / spam
Auto-Registration
Unlike password auth, magic links can create new users automatically:
- If `registration = "open"`, the user is created on first magic link verification
- If `registration = "invite_only"`, the user must already exist or have an invitation
- If `registration = "closed"`, the user must already exist
New users created via magic link have `email_verified = 1` (since they proved inbox access).
Token Storage
Magic link tokens are stored in KV with:
- Key: `magic:{random_token}`
- Value: `{ email, project_id, redirect_uri, code_challenge, state }`
- TTL: 900 seconds (15 minutes)
Tokens are deleted after use (one-time).
Error Responses
| Error | Cause |
|---|---|
| Rate limited | 3+ sends in the last hour for this email |
| Invalid or expired token | Token not in KV (expired or already used) |
| Registration closed | New user + project registration is closed |